The SSOfy Laravel package provides middleware for protecting your endpoints. You must first add SSOfy's guard and, if required, the user provider to your config/auth.php file. This guarantees that the protected endpoints accept only SSOfy-generated authentication tokens.
...
'guards' => [
    'web' => [
        'driver'   => 'ssofy',
        'provider' => 'users',
    ],
    'api' => [
        'driver'   => 'ssofy',
        'provider' => 'users',
    ],
],
...
Once the guards have been set up, you can secure your endpoints with the standard Laravel auth:web and auth:api middleware.
If you want user data to be loaded through SSOfy rather than Laravel's built-in user provider (that is, SSOfy acting as the user-provider microservice), enable the SSOfy package's user provider:
...
'providers' => [
    'ssofy' => [
        'driver' => 'ssofy',
        'cache'  => true,
    ],
],
...
If you wish your guard(s) to use the SSOfy User Provider, make the following changes to the guards:
...
'guards' => [
    'web' => [
        'driver'   => 'ssofy',
        'provider' => 'ssofy',
    ],
    'api' => [
        'driver'   => 'ssofy',
        'provider' => 'ssofy',
    ],
],
...
In addition to Laravel's standard auth middleware, the SSOfy Laravel package includes the ssofy middleware, which provides several extra benefits. The middleware supports the following attributes:
ssofy
ssofy:redirect
ssofy:passive
The default behavior (the ssofy middleware with no attribute set) denies access to the resource and returns a 401 error response.
ssofy:passive ignores an authentication failure and passes the request on to the next handler if the token is invalid. This is useful when the same endpoint serves authenticated and unauthenticated users differently and you do not want an error to be thrown for an invalid token. For instance, the username is displayed only when the user is logged in, yet the page still works when the user is not. You can use Laravel's auth()->check() method to decide how to render your page.
ssofy:redirect forwards the user to the login page if authentication (or authorization) is required. Note that it does not redirect if the endpoint only serves API (JSON) responses. As long as the OAuth2 client configuration is set up correctly, ssofy:redirect can be used for web/HTML endpoints.
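The following route definitions, added here as an example and not taken from the SSOfy package or its documentation, show the three attributes applied to endpoints with different needs. The route paths, view names and user attribute names are assumptions; the middleware alias and attribute names are those described above.

```php
<?php
// Excerpts for routes/api.php and routes/web.php (added example, not SSOfy's own code).
// Assumes the guards above are configured and the package registers the "ssofy"
// middleware alias; paths, views and the "email"/"name" attributes are assumed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// routes/api.php: a JSON endpoint that must never serve an unauthenticated caller.
// Plain "ssofy" rejects a missing or invalid token with a 401 instead of a
// redirect, which is the behaviour an API client can handle.
Route::middleware('ssofy')->get('/api/me', function (Request $request) {
    return response()->json([
        'id'    => $request->user()->getAuthIdentifier(),
        'email' => $request->user()->email,   // attribute name assumed
    ]);
});

// routes/web.php: a browser page that requires a signed-in user.
// "ssofy:redirect" sends an unauthenticated visitor to the SSOfy login page
// rather than returning a bare 401 to the browser.
Route::middleware('ssofy:redirect')->get('/account', function () {
    return view('account.show', ['user' => auth()->user()]);   // view name assumed
});

// routes/web.php: a public page that only personalises its output.
// "ssofy:passive" lets the request through whether or not the token is valid,
// so the handler itself decides what to render via auth()->check().
Route::middleware('ssofy:passive')->get('/', function () {
    $greeting = auth()->check()
        ? 'Signed in as ' . auth()->user()->name   // attribute name assumed
        : 'Welcome, guest';

    return view('home', ['greeting' => $greeting]);   // view name assumed
});
```

Keep the passive variant for pages that remain usable without a session; an endpoint that exposes account data should sit behind plain ssofy or ssofy:redirect so an invalid token is rejected rather than silently treated as a guest.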
Kernel.php Config
You may wish to add a global passive middleware to the entire application so that the latest authentication state is restored on every page load.
src/app/Http/Kernel.php
...
protected $middlewareGroups = [
    'web' => [
        ...
        'ssofy:passive',
        ...
    ],
];
...