Yii2 and Single Sign On

Has anyone successfully implemented SSO with Yii2?

I’m looking for a way to properly implement SSO with Yii2. The only resource I could find is for Yii V1 not V2 (http://www.yiiframework.com/wiki/135/single-sign-on-across-multiple-subdomains/) and my code change based on this document is not working.

The authenticating library I have is a PHP wrapper class. Is it better to use AuthClient or extend yii\web\User?

Can anyone provide examples or point me towards the right direction?

I did. In order to do that you need to implement an OAuth2 server, which is more about reading and understanding the OAuth2 specification than doing actual coding.

I haven’t thought of using any of the OAuth(x) classes because the authentication is done via specific cookie data, all those classes seem to submit via URL, and the functions I have are already wrapped in a PHP class. Can you provide a more specific direction on how this can be done?

Update: I tried to dig further by looking at examples of how it’s done with Twitter and Facebook. Those examples also show a login page and adding AuthAction in SiteControllers. My application doesn’t have a login form - login is done via another subdomain. My application is supposed to determine if the user is logged in by checking the cookie. Where is the best place to put AuthAction (or is it required?) and where is the best place to check the cookie and then log in or log out accordingly?

Well, the cookie is another story. If the third-party website sets the domain of a cookie properly, it won’t be accessible to you at all, so you won’t be able to check it. That’s why OAuth.

If you’re still able to check the cookie, check it early. For example, create a base controller you extend all your controllers from, and in its beforeAction() check for the cookie and log the user in if the cookie is present.

After some further investigation and testing, I think OAuth is not required, as the authentication is done via cookie and the cookie is accessible by my application.

This is what I attempted, and please correct me if it’s not the right way to go.

I extended yii\web\User, and extended the renewAuthStatus() and login() functions (and of course updated the user component in frontend/config/main.php to use this class).




```php
protected function renewAuthStatus()
{
    sso(); // check sso cookie and do anything required after the cookie is authenticated here
    parent::renewAuthStatus();
    // and do any other post auth stuff here if required
}

// note - changed the default $duration 0 to any number to force login by cookie authentication
public function login(\yii\web\IdentityInterface $identity, $duration = 3600)
{
    // return the parent's result so callers still see whether the login succeeded
    return parent::login($identity, $duration);
}
```



Looks OK.

Thank you! Always feels great to get core team’s approval :)
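
The cookie check discussed in this thread, as an added example that is not code from any poster or from Yii. It assumes the login subdomain issues a cookie named `sso_token` of the form `base64url(JSON payload).base64url(HMAC-SHA256)` carrying `uid` and `exp`, signed with a secret shared between the subdomains; the cookie name, format, secret and function names are all hypothetical.

```php
<?php
declare(strict_types=1);
// Assumed (hypothetical) cookie: sso_token = b64url(JSON{uid,exp}) . "." . b64url(HMAC-SHA256)
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $txt): ?string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    $raw = base64_decode(strtr($txt, '-_', '+/') . $pad, true);
    return $raw === false ? null : $raw;
}

// Returns the user id vouched for by the cookie, or null if it is absent,
// forged or expired. The MAC is compared in constant time before parsing.
function ssoUserFromCookie(array $cookies, string $secret, int $now): ?string
{
    $token = $cookies['sso_token'] ?? null;
    if (!is_string($token) || substr_count($token, '.') !== 1) {
        return null;
    }
    [$payloadB64, $sigB64] = explode('.', $token);
    $expected = hash_hmac('sha256', $payloadB64, $secret, true);
    if (!hash_equals($expected, (string) b64url_decode($sigB64))) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($payloadB64), true);
    if (!is_array($claims) || !is_string($claims['uid'] ?? null) || !is_int($claims['exp'] ?? null)) {
        return null;
    }
    return $claims['exp'] > $now ? $claims['uid'] : null;
}

// Per-request decision: compare the session's user with the cookie's user.
function ssoAction(?string $sessionUid, ?string $cookieUid): string
{
    if ($cookieUid === null) {
        return $sessionUid === null ? 'guest' : 'logout';
    }
    return $cookieUid === $sessionUid ? 'keep' : 'login';
}

// Constructed sample data (secret and timestamps are made up).
[$secret, $now] = ['demo-secret', 1700000000];
$payload = b64url_encode(json_encode(['uid' => '42', 'exp' => $now + 600]));
$good = $payload . '.' . b64url_encode(hash_hmac('sha256', $payload, $secret, true));
$forged = b64url_encode(json_encode(['uid' => '1', 'exp' => $now + 600])) . strrchr($good, '.');
echo ssoAction(null, ssoUserFromCookie(['sso_token' => $good], $secret, $now)), "\n";
echo ssoAction('42', ssoUserFromCookie(['sso_token' => $forged], $secret, $now)), "\n";
```

In a Yii2 application the result of `ssoUserFromCookie($_COOKIE, $secret, time())` would feed the `renewAuthStatus()` override or the base controller's `beforeAction()` mentioned above.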