thebigk

Social login with Laravel 11 + Socialite for Multi-Tenant Application

I'm building a multi-tenant application with Laravel 11. I wish to offer Social login using Google and LinkedIn. Using Laravel Socialite, it's easy to implement it for the main domain.

I need help figuring out how to implement it for hosted subdomains. Here's my overall approach so far:

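public function redirect(Request $request, $provider)
{
    // $provider is a route parameter, so validate it explicitly;
    // $request->validate() only checks request input.
    validator(
        ['provider' => $provider],
        ['provider' => 'required|in:google,linkedin-openid']
    )->validate();

    // Replaces Socialite's own state value with the originating host.
    return Socialite::driver($provider)->with([
        'state' => 'request_domain=' . request()->getHttpHost()
    ])->redirect();
}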

Handling the callback is where things get tricky. The main domain is example.com and the subdomain is subdomain.example.com.

public function callback(Request $request, $provider)
{
    // stateless() skips Socialite's state check, because state carries the domain instead.
    $user = Socialite::driver($provider)->stateless()->user();

    $first_name = $user->user['given_name'] ?? null;
    $email = $user->getEmail();

    // Check for the state variable in the incoming callback
    $state = $request->input('state', '');
    parse_str($state, $domain_data);

    // A missing request_domain ends in a 404 from firstOrFail() below.
    $request_domain = $domain_data['request_domain'] ?? null;

    $user = Subdomain::where('domain', $request_domain)->where('email', $email)->firstOrFail();

    // Now Auth::login($user); does not work here and the user gets logged-out once I redirect them to the $request_domain.
}

Can someone help me figure out how to go about this? My wildest attempt so far was to set:

config([
    'app.url' => 'https://' . $request_domain,
    'session.domain' => $request_domain
]);

...but that didn't help either.

I would really appreciate it if you could show me the way.

dualklip

Hi @thebigk

Have you checked the Subdomain Routing documentation?

Route::domain('{account}.example.com')->group(function () {
    Route::get('user/{id}', function (string $account, string $id) {
        // ...
    });
});

Then you can change your app/Providers/RouteServiceProvider.php to load different route files for each subdomain.

// APP_URL normally includes the scheme, so use only its host part here.
Route::domain('subdomain.' . parse_url(config('app.url'), PHP_URL_HOST))
    ->middleware('web')
    ->namespace($this->namespace)
    ->group(base_path('routes/subdomain.php'));

Remember that you need to set up all your callbacks in the social platform. So if you are using Google, you need to fill in all the authorized callback URIs. I don't know about LinkedIn, but Google doesn't allow wildcard URIs, so you can't add something like https://*.mydomain.com/callback.

If you are worried about how to give Socialite a different URL for each callback depending on your subdomain, you can use the setConfig($config) option when you do the redirect.

$clientId = "secret";
$clientSecret = "secret";
$subdomain = Route::getCurrentRoute()->subdomain;
$redirectUrl = "http://".$subdomain.".yourdomain.com/api/redirect";
$additionalProviderConfig = ['site' => 'meta.stackoverflow.com'];
$config = new \SocialiteProviders\Manager\Config($clientId, $clientSecret, $redirectUrl, $additionalProviderConfig);
return Socialite::driver('google')->setConfig($config)->redirect();

thebigk

@dualklip - Thank you for your response.

I'm aware of subdomain routing. I have, however, decided to go without it, because the approach does not work once the customer has mapped their own subdomain to ours through CNAME, i.e. subdomain.customer.com pointing to subdomain.myapp.com.

My approach is to check the request host request()->getHttpHost() and then load the appropriate routes.

> I don't know about LinkedIn, but Google doesn't allow wildcard URIs, so you can't add something like https://*.mydomain.com/callback

This is correct, and logical, because otherwise Google would not know where to redirect. Here's a summary of my approach so far:

  1. User initiates login request from subdomain.myapp.com
  2. They are directed to the social provider with the domain=subdomain.myapp.com information.
  3. Google sends back the user to myapp.com (the main domain) where the callback is handled.
  4. In the callback, I check for the existence of domain=subdomain.myapp.com parameter.
  5. If it exists, I redirect the user to subdomain.myapp.com.

I am wondering if there's a way to handle the login inside myapp.com and then send the authenticated user to subdomain.myapp.com.

Alternatively, I am thinking about using a temporary URL with the user's email parameter that will automatically log in the user on the subdomain. This looks like an insecure way.

> If you are worried about how to give Socialite a different URL for each callback depending on your subdomain, you can use the setConfig($config) option when you do the redirect

This approach will work only when I have a known number of subdomains. In my case, it's a multi-tenant application that can allow any number of tenants, and it'd be impossible to register a large number of redirect URLs with Google's developer console.
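
An added example, not code from either poster, for steps 3 to 5 and the "temporary URL" idea above: rather than putting the email in the URL, the main-domain callback can hand the tenant host a signed, short-lived, single-use token bound to the user id and that host, which the tenant host verifies before logging the user in under its own session. Plain PHP; `HANDOFF_KEY`, the function names and the in-memory nonce store are assumptions made for illustration.

```php
<?php
// Added example. HANDOFF_KEY and the in-memory nonce store are assumptions; a real
// app would load the key from configuration and keep used nonces in a shared cache.
const HANDOFF_KEY = 'constructed-demo-key';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function handoffMac(string $payload): string
{
    return b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

// Main domain, after the provider callback has identified the user.
function issueHandoffToken(int $userId, string $tenantHost, int $ttl = 60): string
{
    $payload = b64url(json_encode([
        'uid'   => $userId,
        'host'  => strtolower($tenantHost),
        'exp'   => time() + $ttl,
        'nonce' => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . handoffMac($payload);
}

// Tenant host: returns the user id to log in, or null if the token is rejected.
function redeemHandoffToken(string $token, string $currentHost, array &$usedNonces): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !hash_equals(handoffMac($parts[0]), $parts[1])) {
        return null; // malformed, tampered or forged
    }
    $data = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($data) || $data['exp'] < time()        // expired
        || $data['host'] !== strtolower($currentHost)    // issued for another tenant
        || isset($usedNonces[$data['nonce']])) {          // already redeemed
        return null;
    }
    $usedNonces[$data['nonce']] = true;
    return (int) $data['uid'];
}

$used  = []; // constructed demo values below
$token = issueHandoffToken(42, 'subdomain.myapp.com');
var_dump(redeemHandoffToken($token, 'subdomain.myapp.com', $used));
var_dump(redeemHandoffToken($token, 'subdomain.myapp.com', $used));
var_dump(redeemHandoffToken(issueHandoffToken(42, 'subdomain.myapp.com'), 'other.myapp.com', $used));
```

The host placed in the token should come from a lookup of registered tenant domains, as the `Subdomain::where('domain', ...)` query in the question does, not straight from the `state` parameter.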
