How do I enable Sulu API to guest accounts? - symfony

I am looking for a way to make the Sulu (Admin?) API accessible outside the admin area.
To be more specific, to be accessible without an account (session).
For example, the route "/admin/api/snippets".
This URL works when you are logged in as admin, but I need it to work even if a guest is visiting it, without an account.

You can configure the Symfony firewall the way you want it. Currently everything behind /admin is behind a login, but you can change the access control the way you like it. Be aware that the API is built for admin users, and you may be better off creating your own API endpoint so as not to leak any unwanted information.
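The access-control change the answer refers to lives in Symfony's `security.yaml`. The fragment below is an added example, not code from the question, the answer or the Sulu project: the existing `^/admin/login$` and `^/admin` entries are assumed to stand in for whatever Sulu's installer generated, and the `/api/public/snippets` path is an assumed route for a custom endpoint you would write yourself. It shows the risky rule (opening the admin snippet API to anonymous GET requests) next to the safer one (a dedicated read-only endpoint outside `/admin`):

```yaml
# config/packages/security.yaml (added example; assumed to be merged into Sulu's generated file)
security:
    access_control:
        # Assumed existing Sulu rule: the login page itself must stay public.
        - { path: ^/admin/login$, roles: PUBLIC_ACCESS }

        # Option A (what the question asks for, risky): let anonymous visitors read
        # the admin snippet API. Symfony applies only the FIRST matching entry, so
        # this rule must sit above the catch-all ^/admin rule or it never fires.
        # Restricting to GET keeps anonymous users from creating or deleting snippets.
        - { path: ^/admin/api/snippets, roles: PUBLIC_ACCESS, methods: [GET] }

        # Option B (what the answer recommends): keep /admin/api private and expose
        # your own endpoint that returns only the fields you actually want public.
        - { path: ^/api/public/snippets, roles: PUBLIC_ACCESS, methods: [GET] }

        # Assumed existing Sulu rule: everything else under /admin needs a login.
        - { path: ^/admin, roles: ROLE_USER }
```

Two practical notes. `PUBLIC_ACCESS` is the Symfony 5.2+ attribute; older projects use `IS_AUTHENTICATED_ANONYMOUSLY` with `anonymous: true` on the firewall. And the firewall rule is only the first gate: Sulu runs its own permission checks on admin controllers on top of Symfony's access control, so even with Option A an anonymous request may still be rejected, which is one more reason Option B (a custom endpoint with an explicit, minimal response shape) is the safer design. Whatever you open, verify it with an unauthenticated `curl` against the route and confirm that POST, PUT and DELETE still return 401/403.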

Related

How to secure custom Rest API that is used by a Wordpress plugin

I would like to program a REST API to be used by a WordPress plugin. The REST API should only work if the WordPress user also has certain rights. I would like to know how I can protect the REST API so that it is not used without permission and only works when a WordPress user is logged in with permission. What is the best way to implement this conceptually? Do you have any ideas?
Thanks.
I don't know what the WordPress plugin capabilities are from an authentication perspective, but usually REST APIs respect HTTP standards, so the same authentication schemes apply (Basic, OAuth, API key, etc.). It also depends on where the REST API would run, such as a remote server...
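For the case where the REST API is registered inside WordPress itself, the check the question asks for ("only works when a WordPress user is logged in with permission") is done in the route's `permission_callback`. The following is an added example, not code from the question or answer; the `my-plugin/v1` namespace, the `/report` route, the `my_plugin_report` handler and the `edit_posts` capability are all assumptions you would replace with your own:

```php
<?php
// Added example (not from the question, the answer or any real plugin):
// a WordPress REST route that refuses anonymous callers and callers who lack
// a capability. The namespace, route, handler name and capability are assumed.

add_action('rest_api_init', function () {
    register_rest_route('my-plugin/v1', '/report', [
        'methods'             => WP_REST_Server::READABLE,   // GET only
        'callback'            => 'my_plugin_report',
        // WordPress evaluates permission_callback BEFORE callback; a WP_Error
        // (or false) here stops the request and the handler never executes.
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in()) {
                // 401: no valid session (or cookie session without a REST nonce).
                return new WP_Error(
                    'rest_not_logged_in',
                    'Authentication required.',
                    ['status' => 401]
                );
            }
            if (!current_user_can('edit_posts')) {   // assumed capability
                // 403: logged in, but not allowed to use this endpoint.
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    ['status' => 403]
                );
            }
            return true;
        },
    ]);
});

function my_plugin_report(WP_REST_Request $request) {
    // Only reached when permission_callback returned true.
    return rest_ensure_response([
        'user'  => wp_get_current_user()->user_login,
        'items' => [],   // constructed placeholder payload
    ]);
}
```

One caveat a practitioner should know: when the plugin's JavaScript calls this route from a logged-in browser session, WordPress only honours the session cookie if the request also carries a valid REST nonce (the `X-WP-Nonce` header, created with `wp_create_nonce('wp_rest')`); without it the request is treated as anonymous and the 401 branch above fires. That behaviour is a CSRF defence, not a bug, so pass the nonce rather than loosening the check. Calls from a remote server, as the answer notes, need a different scheme (for example application passwords over HTTPS or OAuth), since no browser cookie is available there.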

SSO and rest API request in one go

I'm using Centrify as my IdP with a SAML SSO WordPress plugin to authenticate users on my intranet. This works fine.
However, I would now like to make a POST API call from the intranet back to Centrify to pull some data to display on my WordPress site.
Is it possible to configure Centrify so that it passes something like a .ASPXAUTH cookie to the WordPress site so that I can use it to make API calls?
If WordPress is passing the user to Centrify to log in (SAML), when the user comes back to WordPress the .ASPXAUTH token is already set as a cookie in the browser. You can't access it in code, but if you make browser (CORS) calls to Centrify APIs, the browser will automatically pass the cookie to Centrify without you needing to manage it or pass it manually. These calls would need to be made in the browser (JavaScript), not from the server (PHP).
You will need to go into your Centrify admin portal, navigate to Settings > Authentication > Security Settings > Specify trusted DNS domains for API calls and add the domain of the site that will be calling the Centrify APIs. This is to trust the domain for CORS.
An easy test is to add a small amount of code to the browser code that does a simple post to https://tenant.my.centrify.com/security/whoami. No JSON needs to be passed to this call. This will simply respond telling you if we see the user as authenticated.
Please let me know if you have any other questions and do not hesitate to reach out to devsupport#centrify.com.
Thank you,
Nick Gamb
Sr. Manager, Developer Relations and Product Management
Centrify Corporation

Separating Login and User Management from Application

I'm looking to completely decouple user management, login, permissions, and user data from my application. The main reason for this is that the application will consist of a WordPress site, a native app, and a custom PHP API that all need to allow a user to log in.
I don't want to use WP as the user login, as I don't want to tie all our user data to WP in case we want to migrate to something else in the future. I've looked at things like Auth0, but it seems fairly heavy and costly.
What I'd like to do instead is build a separate service that can be used to store user fields, meta data, permissions, and act as a login service.
Based on those credentials, I can give access to certain sections of WP, unlock content on the Native App, and authenticate for certain access level for our API. Has anyone had any experience with decoupling their user management with a similar scenario?
If you really want to decouple user management from your app, you can use specifications like OAuth 2.0 or OpenID. They are two different specs, and you should have a look and see what fits you best.
If you write your code in Java, you can use (for free) Spring Security together with authentication-flows; that will cover all security issues as well as all user management flows like registration, forgot password, change password, etc.
Although I didn't go to such lengths as implementing Auth0, I created a separate user management (WP users) by leveraging the WordPress REST API and its native JS client (Backbone.js). It's by no means complete, but the functionality is there.
Below is the screenshot:

Is it possible to disable web access for anonymous users with Artifactory?

I've been trying to find the answer, but after reading a bunch of documentation I think it's not possible, though it would be a nice feature. The problem is I want anyone to access the cached repositories, but I don't want them to access the web user interface.
The only way I have figured out is tweaking the nginx configuration to allow access only to certain endpoints like the raw repository view. Anyway, it has some problems which I've not totally resolved.
You could set up a SAML SSO redirect that forces a user to log in, and if they fail they are not redirected back to the Artifactory instance. That's the only way I know of that won't let users even look at the front page of Artifactory.
They would get caught on step 3 after an automatic redirect: SAML SSO Login Process
The obvious downside with this is that you need to have a SAML SSO setup in the first place.

How to add Facebook and Google login buttons without creating an app ID?

I am new to WordPress, and I am designing a website that needs social login buttons.
I have found some plugins, and also used the developers.facebook.com login button, but it is not working with my localhost server. I have also used the Like button from the same site, and it is working properly.
The same problem is happening with Google+. Am I missing something?
Please reply soon.
Thank you!
You can't implement social login without an app ID in its services; it's public but not transparent.
To enable social login you will need a valid callback URL, so the app will know where to redirect the user after a successful auth. This part is a pain in the ass, because you don't have domains at the development stage. Plus you will need to configure cookies/sessions to handle authentication at a valid domain scope.
If you want to properly configure OAuth or another auth service, do it on an isolated production server.