Wordpress 和 CakePHP 之间的单点登录 (SSO) [英] Single Sign On (SSO) between Wordpress and CakePHP
问题描述
我有一个现有的 Wordpress 网站.计划是使用 cakePHP 框架重建站点.由于时间限制,我想一次替换 Wordpress 站点的各个部分.这意味着这两个应用程序将并行运行一段时间.我需要使用 Wordpress 提供的授权来控制对 cakePHP 应用程序的访问.我不确定这样做的最佳方法.我看到很多类似的问题被问到,但我还没有找到明确的解决方案.
I have an existing Wordpress site. The plan is to rebuild the site using the cakePHP framework. Due to time restrictions, I want to replace individual sections of the Wordpress site one at a time. This will mean that both apps will be running side by side for a certain period of time. I need to control access to the cakePHP app using the authorization provided by Wordpress. I'm not sure the best way to go about doing this. I've seen similar questions asked a lot, but I have not yet found a clear solution.
我正在考虑两种方法:
A 计划:
- 配置 Cake 以查找 Wordpress 的授权 cookie.
- 配置 Cake 以查看 Wordpress 的数据库.
- 借用 Wordpress 的一些授权逻辑来教 Cake 的 Auth 组件如何对 WP 用户进行身份验证.
B 计划:
- 在我的 Wordpress 网站上设置授权 API.
- 在 cake 中设置单独的身份验证组件.
- 当用户点击 cake 应用程序中的受保护页面时 ping WP 端点,然后手动登录用户.(这将创建第二组身份验证 cookie)
这两种方法听起来是否正确?有没有更好的方法来做到这一点?
Do either of these sound like the right approach? Is there a better way to do this?
有用的参考资料:关于 Cake 会话处理的文章,Cake Auth 组件文档,Cake Auth 教程,WP 授权简要概述, 更深入地了解 wordpress 授权
Helpful references: Article about Cake session handling, Cake Auth component documentation, Cake Auth tutorial, brief overview of WP authorization, a more in depth look at wordpress authorization
更新我们已经开始着手解决这个问题,看起来它会起作用,但是有一个非常棘手的方面涉及密码散列,需要 它自己的问题.如果您正在关注此线程,您可能想看看.
UPDATE We've started working on this, and it seems like it will work, but there is a very tricky aspect involving password hashing that warrants its own question. If you're following this thread, you may want to have a look.
推荐答案
我也遇到过类似的情况:几个月前的跨框架认证zend + codeigniter...
I once had a similar situation: Cross framework authentication zend + codeigniter which was few months ago...
无论如何,这是我更喜欢的:
Anyways, this is what I will prefer:
- 在我的 Wordpress 网站上设置授权 API.
- 在 cake 中设置单独的身份验证组件.
- 当用户点击 cake 应用程序中的受保护页面时 ping WP 端点,然后手动登录用户.(这将创建第二组身份验证 cookie)
在这里,我建议做一个可行的小改动.
Here, I would suggest a slight change which is do-able.
请确保您拥有 SSO 的令牌系统.例如,当用户登录 Wordpress 时,设置另一个 cookie 将有一个令牌:令牌将是用户名 + 密码(散列)+ 密钥,这在 Wordpress 和 CakePHP 之间是相同的.在任一站点上,查找 cookie 并手动登录用户或仅执行数据库查找.散列对于那个 cookie 很重要!但是,如果站点使用不同的域,您可能需要重新制定策略:
Make sure, you have a token system of SSO. As in, when person is logged in on Wordpress, set another cookie which will have a token: Token will be username + password (hashed) + secret key, which will be same between Wordpress and CakePHP. On either site, look up for cookie and manually log the user in or just perform a database look up. Hashing is important for that cookie! However, if the site is using different domains, you might need to re-strategize:
我曾经有过不同的域.在登录或未经授权的页面上,我会 ping 另一个网站并调出他们的登录框.在另一个网站上,如果用户登录,他们会获得登录后页面,如果请求 URI 发送了令牌,我们将执行正常操作并将授权令牌返回到此(当前)域.
I had different domains once. At the login or unauthorized page, I would ping the other website and bring up their login box. On the other website if the user is logged in, they get post login page and if request URI has sent a token, we perform normal operation and return the authorized token to this (current) domain.
简单来说:
站点 A = WordPress &站点 B = CakePHP
Site A = WordPress & Site B = CakePHP
站点 B 访问需要授权的页面,然后 ping 站点 A 进行登录(就像您使用 Facebook 登录排序时发生的那样),这将通过令牌(私钥)和 REQUEST_URI 进行请求,这将是站点 A 上 SSO 验证表的一部分,如果有人已经登录,则站点 A 将(通过 POST)返回一个令牌,该令牌将通过站点 B 的(私钥)进一步解密并登录用户.B 和 A 将相同.
Site B hits a page where authorization is required then, ping Site A for a login (as it happens when u do Login-with-Facebook sort), which will request via a Token (private key) and REQUEST_URI which will be part of SSO verification table on Site A, if person is already logged in then, Site A will return (via POST) a token, which further will be decrypted via (private key) of Site B and log the user in. Private key of B and A will be same.
希望这是可以理解的.
有问题吗?:)
在评论中回答您的问题:
理想情况下,我们为什么要使用 SSO?我们使用它是因为有很多限制.例如:你有一个数据库说......一百万行,有一千多个表,你需要在你的巨大应用程序上添加一个模块......所以,相反,你将使用另一个数据库...... SSO将返回用户信息,可以进一步复制.例如,当您单击使用 Facebook 登录"时,它会返回请求的信息,例如电子邮件地址、用户姓名甚至个人资料图片.哪些可以进一步添加到我们的数据库中...强烈建议保留不同的数据库:)
Ideally, why we use SSO? We use it because of many constraints. For example: You have a database of say... a million row with more than thousand tables, you need to add a module over ur huge app already... so, instead, you will use another database... SSO will return user information, which can further be replicated. For example, when you click on 'Login with Facebook', it returns requested information, like email address, or user's name or even profile picture. Which can further be added to our database... Keeping different databases is strongly recommended :)
对于您的第二和第三个问题:两个站点是否应该引用数据库中相同的用户表?建议使用不同的数据库,除非您使用相同的数据.或者说改变软件平台.
To your 2nd and 3rd question: Should both sites reference the same users table in the database? different databases is recommended unless, you are using the same data. Or say changing the software platform.
我是否应该将特定于站点的用户行复制到每个应用程序的单独用户表中?是的,这应该自动发生.一旦您在主站点上注册,什么都不会发生,一旦您已经登录然后转到站点 B 就会发生事情......一旦登录,总是可以请求用户信息:) 这样,新站点将处于活动状态用户!2 只鸟?
Should I copy the site-specific user rows into separate user tables for each app? Yes, that should happen automatically. Once you are registered on a main site, nothing happens, things should happen once you are logged in already and then go to site B... Once logged in, user info can always be requested :) That way, new site will have active users ! 2 birds?
不要让自己复杂化(打扰)什么是有效的,而是专注于如何在短时间内实现.SSO - 登录 - 受限页面 - 寻找登录信息 - 要么登录 - 如果已经登录 - 获取用户信息 - 如果用户信息存在 - 通过辅助站点登录或设置新用户信息.大功告成!
Don't complicate (bother) yourself with how what works but, concentrate on how, what is achievable in short period. SSO - Logged in - Restricted page - Look out for log ins - Either login - If already logged in - fetch user info - If user info exists - login via secondary site OR set the new user info . Done!
我们开发人员喜欢流程图!不是吗?我刚刚创建了一个:
We developers love flow charts! Don't we? I just created one:
更多答案:
获取用户信息"阶段是否意味着我们从登录的站点中获取用户信息,并在其他站点中自动创建一个新用户(行)?
理想情况下,您会在用户允许"使用他们的信息之前先征得他们的许可,但这会因您的隐私政策而异.
Ideally, you will ask permission from the user before they 'allow' their info to be used but, it varies how your privacy policies are.
换句话说,一个站点处理所有注册/用户创建,而另一个站点只等待该用户出现并触发自动创建.或者当用户在一个站点上注册时,两个数据库都会插入一个用户行?
一个站点处理所有注册/用户创建,另一个站点只等待该用户出现并触发自动创建.您可以同时拥有两者.在您的网站上注册以及基于触发器的自动创建.取决于你的策略.或者当用户在一个站点上注册时,两个数据库都会插入一个用户行?那将是一种可怕的做法!它会扼杀 SSO 的动机.SSO 的动机是创建一个可供用户使用的身份验证系列,这样他们就不必时不时地为不同的网站注册.一次仅更新一个数据库,并在需要时更新其他数据库:)
one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. You can have both. Sign up on your website and also a trigger based automatic creation. Depends on your strategy. OR at the moment a user registers on the one site, BOTH databases get a user row inserted? That would be a horrible practice! It will kill the motive of SSO. Motive of SSO is to create an auth family which can be used by users so that they do not have to register every now and then for different websites. update only one database at a time and other when required :)
有问题吗?:)
这篇关于Wordpress 和 CakePHP 之间的单点登录 (SSO)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
