单点登录(SSO)在Wordpress和CakePHP之间 [英] Single Sign On (SSO) between Wordpress and CakePHP
问题描述
我有一个现有的Wordpress网站。计划是使用cakePHP框架重建网站。由于时间限制,我想一次一个地替换Wordpress网站的各个部分。这意味着两个应用程序将在一段时间内并行运行。我需要使用由Wordpress提供的授权控制访问cakePHP应用程序。我不确定最好的方法去做这个。我已经看过类似的问题了很多,但我还没有找到一个明确的解决方案。
我在想两种方法:
计划A:
- 配置Cake查找Wordpress的授权Cookie。 / li>
- 配置Cake查看Wordpress的数据库。
- 借助一些Wordpress的授权逻辑来教授Cake的Auth组件如何验证WP用户。
计划B:
- 在我的Wordpress网站上设置授权API。
- 在蛋糕中设置单独的auth组件。
- 受保护的页面,然后手动登录用户。 (这将创建第二组验证Cookie)
这两个听起来都是正确的方法吗?有更好的方法吗?
有用的参考资料:关于Cake会话处理的文章, Cake Auth组件文档, Cake Auth教程, WP授权的简要概述,更深入地了解wordpress授权
UPDATE
我们已经开始工作,看起来它会工作,但有一个非常棘手的方面涉及密码哈希,保证。
我曾经有过类似的情况:几个月前...的跨框架认证zend + codeigniter ...
无论如何,这是我想要的:
- 在我的Wordpress网站上设置授权API。
- 在用户点击蛋糕应用程序中的受保护页面然后手动登录时,ping WP终端节点用户。 (这将创建第二组验证Cookie)
这里,我建议一个轻微的更改是可以做到的。 p>
确保您有一个SSO的令牌系统。当在Wordpress上登录时,设置另一个具有令牌的cookie:令牌将是用户名+密码(哈希)+秘密密钥,这将在Wordpress和CakePHP之间相同。在任一网站上,查找Cookie并手动记录用户或仅执行数据库查找。散列对于该cookie很重要!
然而,如果网站使用不同的域名,您可能需要重新策划:
我有不同的域一次。在登录或未经授权的页面,我会ping其他网站,并打开他们的登录框。在另一个网站上,如果用户登录,他们获得post登录页面,如果请求URI发送了令牌,我们执行正常操作,并将授权令牌返回到此(当前)域。
简单来说:
网站A = WordPress&站点B = CakePHP
站点B访问需要授权的页面,然后ping站点A进行登录(当使用Facebook登录时排序) ,其将通过令牌(私钥)和将作为站点A上的SSO验证表的一部分的REQUEST_URI来请求,如果人已经登录,则站点A将返回(通过POST)令牌,其进一步将经由(私钥)并记录用户。B和A的私钥将是相同的。
希望这是可以理解的。
有问题吗? :)
回答您的问题:
理想情况下,使用SSO?我们使用它,因为有很多限制。例如:你有一个数据库说...百万行有超过一千个表,你需要添加一个模块超过应用程序已经...所以,相反,你会使用另一个数据库... SSO将返回用户信息,可以进一步复制。例如,当您点击使用Facebook登录时,它会返回请求的信息,如电子邮件地址,用户名或甚至个人资料图片。其中可以进一步添加到我们的数据库...强烈建议保持不同的数据库:)
到您的第二和第三个问题:用户表在数据库中?建议不同的数据库,除非你使用相同的数据。或者说改变软件平台。
我应该将网站特定用户行复制到每个应用程序的单独用户表中吗?是的,应该会自动进行。一旦你在一个主要网站上注册,没有什么发生,事情应该发生一旦你已经登录,然后去网站B ...一旦登录,用户信息可以总是被请求:)这样,新网站将有活动用户! 2只鸟?
不要使自己复杂(烦恼)如何工作,但集中于如何,短期内可实现的。 SSO - 登录 - 受限页面 - 注意登录 - 登录 - 如果已登录 - fetch用户信息 - 如果用户信息存在 - 通过辅助站点登录或设置新的用户信息。完成!
我们的开发人员喜欢流程图!我们不是吗?我刚创建了一个:
进一步的答案:
抓取用户信息阶段是指我们从已登录的网站获取用户信息,并在其他网站自动创建新用户(行)?
理想情况下,
换句话说,一个网站会处理您的隐私权政策。所有注册/用户创建和其他网站只是等待该用户显示和触发自动创建。 OR在用户在一个网站上注册时,BOTH数据库会插入用户行?
注册/用户创建,而其他网站只是等待该用户显示并触发自动创建。 您可以同时拥有这两者。在您的网站上注册,以及基于触发器的自动创建。取决于你的策略。 或者,在用户在一个网站上注册时,BOTH数据库会插入用户行? 这将是一个可怕的做法!它会杀死SSO的动机。 SSO的动机是创建一个可以由用户使用的auth系列,以便他们不必每时每刻注册不同的网站。每次仅更新一个数据库,并在需要时更新其他数据库)
有问题吗? :)
I have an existing Wordpress site. The plan is to rebuild the site using the cakePHP framework. Due to time restrictions, I want to replace individual sections of the Wordpress site one at a time. This will mean that both apps will be running side by side for a certain period of time. I need to control access to the cakePHP app using the authorization provided by Wordpress. I'm not sure the best way to go about doing this. I've seen similar questions asked a lot, but I have not yet found a clear solution.
I'm thinking about two approaches:
Plan A:
- Configure Cake to look for Wordpress's authorization cookies.
- configure Cake to look at Wordpress's database.
- Borrow some of Wordpress's authorization logic to teach Cake's Auth component how to authenticate WP users.
Plan B:
- set up an authorization API on my Wordpress site.
- set up separate auth component in cake.
- ping the WP endpoint when a user hits a protected page in the cake app and then manually log in the user. (This would create a second set of auth cookies)
Do either of these sound like the right approach? Is there a better way to do this?
Helpful references: Article about Cake session handling, Cake Auth component documentation, Cake Auth tutorial, brief overview of WP authorization, a more in depth look at wordpress authorization
UPDATE We've started working on this, and it seems like it will work, but there is a very tricky aspect involving password hashing that warrants its own question. If you're following this thread, you may want to have a look.
I once had a similar situation: Cross framework authentication zend + codeigniter which was few months ago...
Anyways, this is what I will prefer:
- set up an authorization API on my Wordpress site.
- set up separate auth component in cake.
- ping the WP endpoint when a user hits a protected page in the cake app and then manually log in the user. (This would create a second set of auth cookies)
Here, I would suggest a slight change which is do-able.
Make sure, you have a token system of SSO. As in, when person is logged in on Wordpress, set another cookie which will have a token: Token will be username + password (hashed) + secret key, which will be same between Wordpress and CakePHP. On either site, look up for cookie and manually log the user in or just perform a database look up. Hashing is important for that cookie! However, if the site is using different domains, you might need to re-strategize:
I had different domains once. At the login or unauthorized page, I would ping the other website and bring up their login box. On the other website if the user is logged in, they get post login page and if request URI has sent a token, we perform normal operation and return the authorized token to this (current) domain.
In simple words:
Site A = WordPress & Site B = CakePHP
Site B hits a page where authorization is required then, ping Site A for a login (as it happens when u do Login-with-Facebook sort), which will request via a Token (private key) and REQUEST_URI which will be part of SSO verification table on Site A, if person is already logged in then, Site A will return (via POST) a token, which further will be decrypted via (private key) of Site B and log the user in. Private key of B and A will be same.
Hope this was understandable.
Questions? :)
Answer to your questions in comment:
Ideally, why we use SSO? We use it because of many constraints. For example: You have a database of say... a million row with more than thousand tables, you need to add a module over ur huge app already... so, instead, you will use another database... SSO will return user information, which can further be replicated. For example, when you click on 'Login with Facebook', it returns requested information, like email address, or user's name or even profile picture. Which can further be added to our database... Keeping different databases is strongly recommended :)
To your 2nd and 3rd question: Should both sites reference the same users table in the database? different databases is recommended unless, you are using the same data. Or say changing the software platform.
Should I copy the site-specific user rows into separate user tables for each app? Yes, that should happen automatically. Once you are registered on a main site, nothing happens, things should happen once you are logged in already and then go to site B... Once logged in, user info can always be requested :) That way, new site will have active users ! 2 birds?
Don't complicate (bother) yourself with how what works but, concentrate on how, what is achievable in short period. SSO - Logged in - Restricted page - Look out for log ins - Either login - If already logged in - fetch user info - If user info exists - login via secondary site OR set the new user info . Done!
We developers love flow charts! Don't we? I just created one:
Further answers:
Does the "Fetch User Info" stage mean that we take the user info from the site which is logged in, and create a new user (row) automatically in the other site?
Ideally, you will ask permission from the user before they 'allow' their info to be used but, it varies how your privacy policies are.
In other words, one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. OR at the moment a user registers on the one site, BOTH databases get a user row inserted?
one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. You can have both. Sign up on your website and also a trigger based automatic creation. Depends on your strategy. OR at the moment a user registers on the one site, BOTH databases get a user row inserted? That would be a horrible practice! It will kill the motive of SSO. Motive of SSO is to create an auth family which can be used by users so that they do not have to register every now and then for different websites. update only one database at a time and other when required :)
Questions? :)
这篇关于单点登录(SSO)在Wordpress和CakePHP之间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
