Fetch user from database after authentication with OneloginSamlBundle - symfony

My Symfony (4.4) app uses the OneloginSamlBundle bundle to authenticate users against a SAML identity provider. This works fine. I receive the SAML response and the User Provider instantiates my User class correctly. However, I want that once I get the authentication SAML response, the corresponding user is instead fetched from my database. How could I do this ?
I guess I need to create a custom user provider which would use the OneloginSamlBundle userprovider AND then fetch the user, but I don't know how I am supposed to do it with Symfony.

Related

authentication with firebase authorization with custom service

I need to use the authentication service from firebase. but use my existing authorization service.
Can i use user token, sessions info from firebase.auth().onAuthStateChanged(function(user) {})
what is the best way/ways to manage these kind of use cases.
Should i also store my user details cookies, token etc?
You can implement a custom provider for Firebase Authentication. In this process:
You sign the user in to your service with their credentials as usual.
You then mint a token based on the user's profile.
The user then uses that token to sign in to Firebase.
The entire process is quite well documented on the links I included above.

Symfony JWT - Change the login way using symfony lexik JWT Authentication Bundle

In the Symfony Lexik JWT Authentication bundle, It is explained how to authenticate users using a table in the database.
In my case, My users aren't in the database but are in another application that I can access via API calls.
Also, to retrieve the users from this API, all I have to do is send a token associated with every user and get his information.
This token is well handled and is unique for each user.
How can I change the way LexikJWTAuthenticationBundle authenticate users using this API instead of the database.
And after this authentication, I want the JWT token to contain all the user information so I won't have to call this API each time a request is made to my application.
I made this diagram to explain my situation:
I tried from my side building a custom ApiUserProvider and an ApiUserAuthenticator but I am struggling to get this working.
Any help?
Here's described how to manually create JWTs for users: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/2.x/Resources/doc/7-manual-token-creation.md you should be able to use that in your endpoint which authenticates the user, and return your own JWT.

Firebase custom auth provider I don't control/have access to?

Is it possible to use a custom authentication provider which I don't have any control over?
I develop an app in addition to a teachable course. Teachable is a platform like shopify where you can create online courses.
I want to use it as an auth provider, so a user, that already has an account can login with his teachable account.
To my knowledge custom authentications with auth tokes work like this: I send a request to my server with the entered user credentials. From my server I use these credential to login to teachable, if that was successful my server gets a callback and I return a token to my client, so the login was successful.
However as far as I know teachable doesn't have an api option for me to login and get a callback if it was successful.
What can I do about this? Also are there any security issues I didn't realized?
Your understanding of the flow to add a custom provider to Firebase Authentication is correct. You need to be able get the authenticated token from the provider, and mint a Firebase custom token from it.
If the provider you're looking to add doesn't have an API, you won't be able to add it as a custom provider to Firebase though.
I don't immediately see another way to connect the provider without an API.

How do I structure authentication with a social IdP?

My system works as follows;
I have an ASP.Net RESTful API server, which contains a user database.
I also have a Xamarin.Forms application, with a registration and login page.
What I want is to have the ability to authenticate a login using a social IdP, and then, if that user has not been logged in before, register that user in my local database.
I have been reading up on how to implement OAuth 2.0 with OpenID Connect to authenticate my users with a social IdP, however, I cannot seem to wrap my head arround it. From what I've read, I shouldn't use an Access token for authentication, since that i what the ID token is for, however, I have also read that the only intended purpose for an ID token, is the client.
My problem then is, how can I make sure that calls made to my ASP.Net server, has been made by "real person", and how do I determine who makes the call?
Access token will be used determine whether the client application was authorized by a user to access a resource. The concept of ID token comes from OpenID Connect. Main purpose of the ID token is to authenticate the user to the client application (i.e. letting the client application know that the person who authorized the access is a valid person).
To do this, you have to validate the ID token. This can be done using third party libraries such as nimbusds or auth0. You can validate the signature of the token verify the integrity of the token and check the claims included in the token (by comparing them with expected values) to verify the user details. Also, you can add custom claims (any claim that is specific for your application/implementation) to the tokens through your identity provider so that you'll be able to validate those particular claims in order to verify the user.

Authentication in Symfony2 without being able to read the password

I'm writing my first Symfony2 app after a few years with Symfony and am having trouble converting our user management code. It seems that to fit in with Symfony2's authentication model I have to provide user details including their (encrypted) passwords. We authenticate via a webservice that takes the username and password and responds with a confirmation and user level (user, admin etc), but it never sends the real password back to us.
What I want to do is accept the login details from a form, confirm they are valid and then set the user's roles according to the webservice's response. Where do I start?
You need to use a custom authentication provider to authenticate against your webservice. It is explained quite clearly in this blog post
You can create an user provider and its loadUserByName you can call the webservice. If success return the new UserInterface object with the password of the form empty salt string and the roles returned by the service. Also set encoder of the UserInterface to plaintext in security.yml. And then set the new created user provider in form_login auth provider in the firewall.

Resources