I have several Trongate apps that have a similar set up and their own separate database.
I want to use one central app for my members module that allows users to login to each one of these other apps. This would be a similar to using Auth0 to login to several websites.
I don't want to use Google Auth as some users might not have a Google account.
What would you recommend as a way to handle this?
one login for all apps
3 years ago
#1
3 years ago
#2
Hello,
If they are separate apps, then you would have to pass a code, cookie, and check for that when the user opens the app
Dan
3 years ago
#3
Preface: Haven’t actually done this before, so I’m guessing.
I think the easiest is probably to use subdomains for your apps and issue a lax cookie for your TLD.
Otherwise you may look at Matrix Auth between your apps and JWT to your clients (browsers)
3 years ago
#4
Hey Dan, yes, that makes sense. I believe the best method for that would be the Matrix Auth module as sasin91 has mentioned and set the token.
I will run some tests over the next few days and report back.
Thanks to both of you for sharing your thoughts! :)
3 years ago
#5
Although this will probably work, I don't think it's the right approach since I would need to authorize on every page load by checking for the existence of a token in the main database using Matrix auth.
3 years ago
#6
You could look into public/private key exchange, like JWT.
That way, the only overhead is signing and enc/decrypting ?
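A worked sketch of what posts #3 and #6 together describe: a central members app signs a JWT with a private key, sets it as a cookie scoped to the parent domain so every subdomain app receives it, and each member app verifies the signature with nothing but the public key, so no database lookup is needed per page load. This is an added example, not code from the thread, from Trongate or from its Matrix Auth module. The domain names, the claim names, the 15-minute lifetime and the use of PHP's openssl extension for RS256 are all assumptions; the cookie scoping follows the "lax cookie for your TLD" idea from post #3.

```php
<?php
// Added example, not Trongate code. Assumed layout: the central app runs at
// auth.example.com, member apps at *.example.com, and all of them share the
// cookie domain ".example.com". Only the central app holds the private key.

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad));
}

// --- Central app: holds the private key, runs once per login -------------------

function issue_token(string $privateKeyPem, int $userId, int $userLevel): string {
    $now = time();
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'iss' => 'https://auth.example.com', // assumed issuer
        'sub' => $userId,
        'lvl' => $userLevel,                 // assumed claim carrying the user level
        'iat' => $now,
        'exp' => $now + 900,                 // short-lived: the token cannot be revoked early
    ]));
    $signingInput = "$header.$payload";
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false || !openssl_sign($signingInput, $sig, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return "$signingInput." . b64url($sig);
}

// Cookie scoped to the parent domain so every subdomain app receives it.
function set_sso_cookie(string $token): void {
    setcookie('sso_token', $token, [
        'expires'  => time() + 900,
        'path'     => '/',
        'domain'   => '.example.com',   // assumed parent domain shared by all apps
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// --- Each member app: holds only the public key, runs on every request ---------

function verify_token(string $jwt, string $publicKeyPem): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm: never let the token tell you how it should be verified.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'RS256') {
        return null;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false
        || openssl_verify("$h.$p", b64url_decode($s), $key, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)
        || ($claims['iss'] ?? '') !== 'https://auth.example.com'
        || ($claims['exp'] ?? 0) <= time()) {
        return null;
    }
    return $claims; // caller then reads $claims['sub'] and $claims['lvl']
}

// --- Demo: generate a keypair and round-trip a token ----------------------------

$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$jwt = issue_token($privatePem, 42, 2);

var_dump(verify_token($jwt, $publicPem));             // genuine token: claims array
var_dump(verify_token($jwt . 'x', $publicPem));       // tampered signature: null
var_dump(verify_token('a.b', $publicPem));            // malformed token: null
```

The trade-off against a per-request database check is that a signed token stays valid until `exp` no matter what happens in the central database, so the lifetime has to be short and a logout only takes effect once the cookie is cleared and the token expires. The member apps never see the private key, which is what keeps a compromised member app from minting tokens for the others.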
3 years ago
#7
Thanks for your input sasin91!
Our Canadian government recommends Zero Trust Architecture (ZTA) for every resource request. They are fairly strict here (see Canada's anti-spam legislation) so it wouldn't surprise me if they try to regulate that in the future.
I'm far from being a security expert, so my understanding is that it requires verification on every protected page load, which Trongate already does when checking for a matching token in the database. Having one login is a "nice to have" feature, not a requirement, so the existing function will work for me.
As an aside, after reviewing the code in Trongate_tokens.php, I realized that we can pass multiple user levels when checking for tokens (line 344)! I don't think this is mentioned in the docs and it's a critical feature for me. Thanks DC!
3 years ago
#8
Yes, Trongate has great features.
Always helps to look at the code and see how it works.
Dan