Published 1 year ago by jkahgee
I have an API and an Accounts server implemented with the new Passport for OAuth. I have multiple applications where users will be directed to the accounts server to log in and then redirect back to the app (the normal authentication_code grant for OAuth2). Since these are first-party apps we automatically grant permission for the user on our accounts server. My question is: I will still have logic that needs to be guarded throughout these other apps and would like to use existing laravel code as much as possible. ie: Auth::guard. But I would like to NOT store the users' information in the first-party apps DB if possible; Since I don't want to worry about redundant data in multiple applications. Our accounts server will be the source of all data for that user. Is it possible for the Auth code to be extended so it can check the existence of a token or some other logic to verify if the user is logged in? Or is there a better way to handle this?
Sounds like you are trying to build your own SSO+AuthZ solution, similar to Auth0 (https://en.wikipedia.org/wiki/Auth0) -- there are literally 100's of offerings out there like it, some free and some not. You might take a look at how some of the other open source solutions accomplish what you are trying to do.