clearlink / auth
Facilitates authentication and authorization with Clearlink's OAuth2 implementation
Requires
- php: >=5.6.4
- clearlink/permissions: ^0.1
- clearlink/users: ^0.1
- guzzlehttp/guzzle: ~6.0
- illuminate/auth: ~5.3|~5.4
- illuminate/cache: ~5.3|~5.4
- illuminate/config: ~5.3|~5.4
- illuminate/contracts: ~5.3|~5.4
- illuminate/http: ~5.3|~5.4
- illuminate/support: ~5.3|~5.4
- lcobucci/jwt: ^3.2
Requires (Dev)
- mockery/mockery: ~0.9
- phpunit/phpunit: ~5.0
README
Note that this package is not yet stable and the api is subject to change
This package is used to facilitate authentication with Clearlink's SSO and authorization via Clearlink's Permission microservice.
This package will also retreive a token on behalf of the client using OAuth2 client credentials grant type.
Installation
These instructions assume that you have already added Clearlink's composer repository to your project's composer.json file.
First, require the package:
composer require clearlink/auth
This will also require the following packages:
clearlink/dto
clearlink/permissions
clearlink/users
In the projects .env file, add the following lines, replacing {{client_id}}, {{client_secret}}, {{sso_url}}, and {{users_url}} with their respective values for your application:
CL_SSO_CLIENT_ID={{client_id}}
CL_SSO_CLIENT_SECRET={{client_secret}}
CL_SSO_URL={{sso_url}}
CL_USERS_URL={{users_url}}
In the future, the following step will no longer be required once the key is placed in a publically available location.
You will then need to create a file in storage/app/ called cl_auth_public.pem.
The contents for this file is the public key set in the SSO application configuration.
From here, the installation differs slightly from Laravel to Lumen. The Laravel instructions are given first, followed by the Lumen instructions.
Laravel Installation
Add the following lines to the projects config\app.php file in the 'providers' array:
/*
* Package Service Providers...
*/
Clearlink\Auth\AuthServiceProvider::class,
Clearlink\DTO\DTOServiceProvider::class
Both clearlink/auth and clearlink/dto have configuration files, but the clearlink/auth config only needs to be published if you are connecting to the UAT environment or if you are wanting to use an instance of a locally defined user. To publish to clearlink/dto config file, run the following:
php artisan vendor:publish --tag=clearlink-dto
The file will be published to config/clearlink-dto.php and will contain an array with a key of modules. You will need to uncomment the first two entries in modules so that your file looks like the following:
return [
'modules' => [
\Clearlink\Users\Factory::class,
\Clearlink\Permissions\Factory::class,
// Possible other entries...
]
];
This will allow the clearlink\auth package to marshal JSON representation of objects into hard-typed objects.
Configuration for using the UAT environment or a custom user can be found in a later section.
Modify the app\Exceptions\Handler->unauthenticated to redirect to SSO in the case of not being authenticated:
protected function unauthenticated($request, AuthenticationException $exception)
{
if ($request->expectsJson()) {
return response()->json(['error' => 'Unauthenticated.'], 401);
}
//replace this line
//return redirect()->guest('login');
//with this line
return app(AuthService::class)->getAuthorizationCodeRedirect($request);
}
Update config/auth.php to use the provided authorization guards and user provider. Simply prepend 'clearlink-' to both of the drivers for the api and web authentication guards, and change the driver for the users provider to 'clearlink':
'guards' => [
'web' => [
'driver' => 'clearlink-session',
'provider' => 'users',
],
'api' => [
'driver' => 'clearlink-token',
'provider' => 'users',
],
],
'providers' => [
'users' => [
'driver' => 'clearlink',
],
],
Finally, you need to add the auth middleware to the routes that you want to protect. Please see the Laravel documentation for adding middleware to routes.
Now, whenver you call $request->user() or Auth::user(), you will get an instance of Clearlink\Auth\User.
Lumen Installation
Open bootstrap/app.php and add the following lines in the service providers section (around line 72):
$app->register(Clearlink\DTO\DTOServiceProvider::class);
$app->register(Clearlink\Auth\AuthServiceProvider::class);
Note: In Lumen, it matters what order the service providers are registered. As of Lumen 5.3, a providers boot method is called immediatly following the register method whereas it should call all provider register methods followed by all the provider boot methods.
While still in bootstrap/app.php, uncomment the lines adding the auth middleware to the application (around line 68):
$app->routeMiddleware([
'auth' => App\Http\Middleware\Authenticate::class,
]);
Lumen does not contain the artisan vendor:publish command, so the clearlink-dto.php config file will need to be copied from the vendor folder to the config folder:
cp vendor/clearlink/dto/config/clearlink-dto.php config/
If you plan on using a custom user, you will also need to publish the clearlink-auth.php config file:
cp vendor/clearlink/auth/config/clearlink-auth.php config/
The clearlink-dto.php config file will contain an array with a key of modules. You will need to uncomment the first two entries in modules so that your file looks like the following:
return [
'modules' => [
\Clearlink\Users\Factory::class,
\Clearlink\Permissions\Factory::class,
// Possible other entries...
]
];
This will allow the clearlink\auth package to marshal JSON representation of objects into hard-typed objects.
All that is left to do is to add the auth middleware to the routes that you want to protect. Please see the Laravel documentation for adding middleware to routes.
Additional Configuration
UAT Environment
Note: This is only applicable for Laravel installations.
If you are connecting to the UAT environment, you will also need to publish the clearlink/auth configuration file with the following:
php artisan vendor:publish --tag=clearlink-auth
In the config, find the key authEndpoint and add a trailing slash to the value so that it is:
'authEndpoint' => env('CL_SSO_URL') . '/v1/auth/'
NOTE: Typically, the config files are source controlled. The configuration in the clearlink-auth file needs to be different between UAT and non-UAT environments. The default configuration in the file is for non-UAT environments so it is acceptable to .gitignore the clearlink-auth.php config file.
Custom User Objects
The clearlink/auth package by default returns a user of type Clearlink\Auth\User but you can override the package to return and object of your choice. If you choose to override the default object, the object that you wish to use MUST implement Illuminate\Contracts\Auth\Authenticatable and have the trait Clearlink\Auth\Traits\ClearlinkUser. The default user in Laravel\Lumen implement the interface Illuminate\Contracts\Auth\Authenticatable, so all that will be needed if you wish to use that class are to add the trait to the User class:
<?php
namespace App;
...
use Clearlink\Auth\Traits\ClearlinkAuthUser;
use Illuminate\Foundation\Auth\User as Authenticatable;
...
class User extends Authenticatable
{
use Notifiable, ClearlinkAuthUser;
...
}
To override the returned user, you must specify userRepository in the clearlink/auth configuration file. That file can be published by:
#For Laravel:
php artisan vendor:publish --tag=clearlink-auth
#For Lumen:
cp vendor/clearlink/auth/config/clearlink-auth.php config/
The object that is specified must have a function with the signature find($id) where $id is the DNA User Id.
'userRepository' => new \App\User
If you do override the default user, and the repository you specify returns NULL, the object does not implement Illuminate\Contracts\Auth\Authenticatable, or the object does not have the trait Clearlink\Auth\Traits\ClearlinkUser, and exception will be thrown.
Post Authorization
It can be helpful to execute code after a user is authenticated, and this package provides a means to can a function after a user is authenticated to your project. The specified function will run after the user object is retrieved from the Users Microservice but before a User is returned from the UserProvider. This can be helpful when overriding the user to create a user in your project's database.
The function specified MUST take a single arguement of type Clearlink\Users\BaseUser. It needs to be BaseUser because both applications and regular (human) users can authenticate to your system and they have different classes that extend from BaseUser. The most common class will be User (this will be humans) while application users will be of type ApplicationUser.
To specify the function, place the following in the boot method of your AppServiceProvider, replacing the function with the function of your choice:
$this->app[\Clearlink\Auth\AuthService::class]->setAuthenticatedFunction(function (\Clearlink\Users\BaseUser $user){});
Note: If this is a Lumen installation, the AppServiceProvider must be registered after the Clearlink/Auth/AuthServiceProvider.
Logging Out
Note: This is only applicable for Laravel installations.
The AuthService class provides a function that will flush the session and generate a RedirectResponse that you can use to logout from SSO. Something similar to this in your application's route file will successfully log the user out from your application and SSO:
Route:get('/logout', function(Request $request) {
return app(\Clearlink\Auth\AuthService::class)->getLogoutRedirect($request);
});
Note: There is currently a bug in SSO that will not allow applications using the clearlink/auth package to log back in from the logout page. Instead, your user will need to logout, then navigate back to the root url of your application which will then redirect to the SSO login page.