Using the same credentials to login to two Joomla! sites (1.5 & 1.6) - authentication

I am looking for a way for my users to be able to log in to both of my Joomla sites (one running 1.5 and the other 1.6) using the same credentials. For example, if a user registers to my Joomla1.5 portal, when they use that same info for my Joomla1.6, they get logged in without having to re-register and vice versa.
I guess an authentication plugin would be the best solution in combination with an XML-RPC service? Joomla1.5 site's plugin is triggered which "communicates" with the Joomla1.6 site where the user is already registered, if the credentials check out, a new user is created and the user automatically gets logged in.
Thanks in advance for any ideas/help.

You are trying to do two very different things that will require two very different plugins. First, you need a bridge to handle user table synchronization. You not only have to create a user for each site, you have to sync everything about both accounts each time anything changes. This would include changing email address, password, or even user name plus any other related data such as the user groups that the user belongs to. A good place to start would be jFusion, which is designed to bridge Joomla with other software packages but can certainly be modified to bridge Joomla sites. JFusion also has the added advantage of creating user sessions for each connected software package for a single unified login, which would be the second piece of the puzzle you would need to solve once you get the users sorted out.
http://www.jfusion.org/

Related

How best to handle accounts across two different systems?

I want to use Shopify for our commerce solution but to build out a custom admin/user settings system. The key hurdle I'm dealing with is users and authentication. Let's assume my site is a.com and my admin system is my.a.com on a different host. I want the user to be able to log in to both the Shopify site and their custom admin/user page using the same username and password (effectively SSO but without a third-party service).
Constraints:
I don't want to build a custom application as I foresee us ultimately going fully custom at some point down the road
Just in case someone asks, yes the admin/user settings page is complex/unique enough that it warrants a custom solution to provide a good user experience.
Possible Solution 1
Have accounts created on the custom admin site and use the Create Customer API to keep the two databases in sync.
Questions:
How do I handle the email validation coming from Shopify (the customer should be oblivious to Shopify as it's an implementation detail)?
Possible Solution 2
Have all accounts created via Shopify and the admin site and create an associated one on the admin site.
Questions:
How do I handle authentication for a specific user across origins? The only OAuth scenarios I seem to be able to track down are at the app level not per user.
I greatly appreciate any insights you all may have. Thank you.

Auth0 database and social connections, unique email addresses

Maybe I am missing something here, or this is a flaw in Auth0? I'll give an example of my issue:
Let's say I have my Default App (client), hooked up to that I have Username-Password-Authentication (database connection) and google-oauth2 (social connection).
A user comes to my site, signs up via google-oauth2 (social connection) using joe@gmail.com. Once complete, he gets added to my users in Auth0, all great.
A few months later, Joe comes back to my site, and being a busy guy, he forgets he signed up to my site before. This time, he decides to sign up using my custom Email and Password form, that will add the user to the Username-Password-Authentication (database connection). So he signs up there using joe@gmail.com again, and everything goes well, he is now listed in my user's section in my Auth0 dashboard.
This is the problem, I now have two joe@gmail.com accounts, one with google-oauth2 and one with Username-Password-Authentication. I really can't have this, I need a unique email address, regardless of the ID Auth0 supplies.
Does anyone know how I can make email address in my user section 100% unique? I'd think a rule would do this, but it appears rules only apply AFTER a user has been registered, so I can't run a rule before adding?
The only way I can see doing this right now is make my own checks and delete via the management API, but that is a really long and messy way to do it I feel.
Any help will be appreciated here!
Thanks!
Auth0's default behavior is to create a new account in the database for every unique entry. Since the user created using Google has a unique id (based on google-oauth2), and the user created using the sign-up form has a unique id - they will technically be considered two separate accounts. In order to resolve this disparity, you can establish a means with which the account data can be merged. In the documentation linked above, there are examples of three possible ways of doing this:
Automatic Linking - which involves creating a specific rule to merge users based on matching emails
User-Initiated Linking - which involves providing a UI for users to opt into merging users with matching emails
Suggested Account Linking - which involves setting up a rule that is linked into the UI
One important thing to consider is that the data returned from different social identity providers may not be normalized the way that data is normalized onto the Username-Password-Database. For example, while Auth0's default for emails is to lowercase the information, google-oauth2 may return emails as uppercased - creating the potential for non-matching emails when checks are made using strict equality.
The option you are looking for is called account linking.
You can find more info at https://auth0.com/docs/link-accounts
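An added example (not part of the original answers and not Auth0's own code) of the matching step that email-based linking depends on, comparing addresses only after normalization as the answer above warns. The record shape, the sample users, the function names and the requirement that both addresses be verified before linking are assumptions of this example.

```javascript
"use strict";

// Normalize an email for comparison only: trim whitespace and lowercase.
function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : "";
}

// Return existing accounts the incoming identity could be linked to.
// Assumed record shape: { user_id, email, email_verified }.
function findLinkCandidates(incoming, existingUsers) {
  const key = normalizeEmail(incoming.email);
  // Assumption of this example: never link on an unverified address,
  // otherwise anyone typing a victim's email could attach to their account.
  if (!key || incoming.email_verified !== true) return [];
  return existingUsers.filter(
    (u) =>
      u.user_id !== incoming.user_id &&
      u.email_verified === true &&
      normalizeEmail(u.email) === key
  );
}

// Turn the candidate list into a decision the caller can act on.
function linkDecision(incoming, existingUsers) {
  const candidates = findLinkCandidates(incoming, existingUsers);
  if (candidates.length === 0) return { action: "none" };
  if (candidates.length === 1) {
    return { action: "link", primary: candidates[0].user_id };
  }
  // More than one match is ambiguous: leave it to a human or the user.
  return { action: "manual-review", candidates: candidates.map((u) => u.user_id) };
}

// Constructed sample data: Joe's earlier Google sign-up, mixed-case email.
const sampleUsers = [
  { user_id: "google-oauth2|1001", email: "Joe@Gmail.com", email_verified: true },
  { user_id: "auth0|3003", email: "ann@example.com", email_verified: false },
];

// Joe's later database sign-up, before and after he confirms his address.
const dbSignup = { user_id: "auth0|2002", email: " joe@gmail.com ", email_verified: false };
console.log(linkDecision(dbSignup, sampleUsers));
console.log(linkDecision({ ...dbSignup, email_verified: true }, sampleUsers));
```

With strict equality on the raw strings, neither call would find the Google account; with normalization, the second one does.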

How to implement a one time authentication mechanism?

I'm trying to create a website to authenticate users through the use of a throwaway password where the assumption is that the user might not use the website again (basically a one time access).
I have done my research on OTP and various solutions to authentication but these don't seem to fit my requirements, most of them seem to rely on users having login credentials to the website whereas my system would allow them access without the need for registering.
The implementation of passwordless authentication by Auth0 seems to fit what you're describing. Even if you were not considering a third-party provider it may be useful to go through the documentation.
Basically, a user can log in to a site without any need for a sign-up process. They can do so just by requesting that a one time code is delivered to them, for example, either by email or SMS.
This way, they can get quick access without having to set up a user and in the event that they do come back your application can recognize this because they will most likely be using the same mechanism, that is, you can use the email or mobile phone as the unique identifier.
Disclosure: I'm an Auth0 engineer.
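The one-time-code flow described in the answer above, as an added example that is not from the original post and is not Auth0's implementation: a code is issued for an email or phone identifier, stored only as a keyed digest, and accepted once within a short window. The six-digit length, five-minute lifetime, three-attempt limit, in-memory store and all names are assumptions of this example.

```javascript
"use strict";
const nodeCrypto = require("node:crypto");

const CODE_TTL_MS = 5 * 60 * 1000;               // assumed code lifetime
const MAX_ATTEMPTS = 3;                          // assumed guess limit per code
const SERVER_KEY = nodeCrypto.randomBytes(32);   // per-process HMAC key
const pending = new Map();                       // identifier -> { mac, expires, attempts }

// The email or phone number is the only account key, so normalize it.
function normalizeId(identifier) {
  return String(identifier).trim().toLowerCase();
}

// Keyed digest binding the code to the identifier it was issued for.
function codeMac(id, code) {
  return nodeCrypto.createHmac("sha256", SERVER_KEY).update(`${id}:${code}`).digest();
}

// Create a code for the identifier. The caller delivers the returned value
// by email or SMS; only the digest is kept on the server.
function issueCode(identifier, now = Date.now()) {
  const id = normalizeId(identifier);
  const code = String(nodeCrypto.randomInt(0, 1000000)).padStart(6, "0");
  pending.set(id, { mac: codeMac(id, code), expires: now + CODE_TTL_MS, attempts: 0 });
  return code;
}

// Check a submitted code: it must be unexpired, within the attempt limit,
// and is removed on success so it cannot be replayed.
function verifyCode(identifier, code, now = Date.now()) {
  const id = normalizeId(identifier);
  const entry = pending.get(id);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(id);
    return false;
  }
  entry.attempts += 1;
  // Both buffers are 32 bytes, so the constant-time comparison is valid.
  const ok = nodeCrypto.timingSafeEqual(entry.mac, codeMac(id, String(code)));
  if (ok || entry.attempts >= MAX_ATTEMPTS) pending.delete(id);
  return ok;
}
```

A real deployment would also rate-limit `issueCode` per identifier and per client, since each call triggers an outbound message.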
If you do not require your users to register, why do you need authentication at all?
Why not just set a cookie with a unique identifier on the first visit? You can store data at the server side associated with that identifier. Keep track of when you last saw the user, and if they do not return within a certain period, you can delete any data you stored for that user.

Single sign-on and user's file (web page content) access

I don't want to store passwords on my server and I don't want to force my end users to create yet another account, that's why I'd like to use single sign-on. I'm looking for a widely accepted solution for the authentication, I think about OpenID and OpenID Connect, the former seems to be more widespread but obsoleted and no longer used by Google, the latter seems to be faster (thanks to JSON?), safer but less widely adopted.
I'd like to share some documents on Internet. I want to control who can view them. I have looked at OwnCloud but it seems to be too much for my needs.
My website contains some photos and some articles, I want to show some of them to everybody, I want to show some of them only to my family and my best friends but not my colleagues, I want to show some of them to all logged users but not everybody and finally, I want to show some of them to … nobody.
I use Apache HTTP Server, I want to be able to manage file access rights for my end users with their own means of authentication. I have looked at mod_auth_oid and mod_auth_oid_file, it handles the authentication with OpenID 2.0, it allows defining a mapping between OpenID and local user ids. Does it mean that I still have to store a password for each local user anywhere on my server?
A graceful server restart is required in order to load new mapping definitions
It's a bit annoying as I don't want to restart the server each time I edit the mapping. It's unclear to me whether it is still true when using mod_auth_oid_ldap. I really need an open source software that I can install on my server and adapt to my needs. I plan to use openid-selector with the Apache modules I mentioned earlier and some JavaScript code to handle gracefully the display of the forbidden content. Am I missing a more obvious solution? I'm not a big fan of Facebook but is this bridge working?

Zf2 - Using sessions / logged in status across multiple web sites

I am using Zend Framework 2 with ApiGility.
I have the following scenario:
A website where users login and manage their accounts: www.website.com
Apps hosted separately: app.website.com (that users want to use)
The sub-domain is not necessarily hosted on the same environment or even in the same datacenter.
Now, if a user accesses an app directly, I need to check if they are logged into the main website so that I can grab user related information needed by the apps.
I am not 100% sure of the best way to go about this.
For the App to work I need the following:
A 32 bit code (a unique identifier that the app uses in place of private information)
Account balance (to make payments for app services)
To get the 32 Bit code, I was thinking of setting up the following:
www.website.com/api/is/logged/in
Which would return the 32 bit code I need, if the user was logged in.
To get the account balance I would then use the code:
www.website.com/api[:/code]/get/account/balance
If the user was not logged in then the app would provide a form for the user to login which would be sent to: www.website.com/api/logg/user/in
If the user's account balance needed to be topped up, then I would likely open an iframe to a payment page on the www.website.com for the user to make a secure payment.
This is kind of new territory to me so not 100% sure of the direction I should be taking or best practices...
Any advice appreciated.
Thanks!
It sounds like you're looking to implement Single Sign-On (SSO) between a number of completely distinct applications. I would check out SimpleSAMLphp...it will do everything you need:
https://simplesamlphp.org/
https://github.com/simplesamlphp/simplesamlphp