smskin / laravel-identity-service-client
Guards for auth by identity service
Requires
- php: ^8.1
- ext-sync: *
- guzzlehttp/guzzle: ^7.0
- laravel/framework: ^8 || ^9
- smskin/laravel-support: ^1.0
This package is auto-updated.
Last update: 2024-11-22 19:48:05 UTC
README
Identity service is a service that allows you to organize authorization in a laravel application through a common remote server. This allows you to organize a multi-service architecture with end-to-end authorization.
Identity service library consists of 2 parts:
- identity service - Master auth service (https://github.com/smskin/laravel-idenity-service)
- identity service client - this package. A client that allows application users to log in through a shared service
Installation
- Run
composer require smskin/laravel-identity-service-client
- Run
php artisan vendor:publish --tag=identity-service-client
- Configure identity service client with
identity-service-client.php
in config folder and environments - Change create user table migration file
- Run
php artisan migrate
Migrations
User will be creating automatically if user open site with correct jwt. You must change users table for support nullable fields.
I usually remove all columns except id and dates because they are not needed (authorization happens through a remote server). For example:
Schema::create('users', function (Blueprint $table) { $table->id(); $table->string('name'); $table->timestamps(); });
Environments
- IDENTITY_SERVICE_CLIENT_HOST - public address of identity service (https://github.com/smskin/laravel-idenity-service)
- IDENTITY_SERVICE_CLIENT_DEBUG - debug mode of auth gates
- IDENTITY_SERVICE_CLIENT_API_TOKEN - secret key for admin functionality (admin api - https://github.com/smskin/laravel-idenity-service)
Configuration
You can configure library with identity-service-client.php
file.
- classes
- models
- user - Class of User model. You can override it with your user model class. You must implement
HasIdentity
contract and implementIdentityTrait
trait
- user - Class of User model. You can override it with your user model class. You must implement
- models
- scopes
- initial - initial jwt scope for receive basic user data
- uses - array of scopes, that uses by this service (the service in which this library is installed). For example service for administrate identity service uses the
Scope::IDENTITY_SERVICE_LOGIN
scope
Example of Users model:
<?php namespace App\Models; use Illuminate\Contracts\Auth\MustVerifyEmail; use Illuminate\Database\Eloquent\Factories\HasFactory; use Illuminate\Foundation\Auth\User as Authenticatable; use Illuminate\Notifications\Notifiable; use Laravel\Sanctum\HasApiTokens; use SMSkin\IdentityServiceClient\Models\Contracts\HasIdentity; use SMSkin\IdentityServiceClient\Models\Traits\IdentityTrait; class User extends Authenticatable implements HasIdentity { use HasApiTokens, HasFactory, Notifiable; use IdentityTrait; /** * The attributes that are mass assignable. * * @var array<int, string> */ protected $fillable = [ 'identity_uuid', 'name', ]; }
Using
This library register 2 guards:
- identity-service-client-jwt
- identity-service-client-session
You can use it with auth middleware (for example: auth:identity-service-client-jwt
) or bind it's to already exists guards by auth.php
config file.
For example:
... 'guards' => [ 'web' => [ 'driver' => 'identity-service-client-session', 'provider' => 'users', ], 'api' => [ 'driver' => 'identity-service-client-jwt', 'provider' => 'users', ], ], ...
User has method hasScope
for check required scope in jwt.
Gate::define('viewNova', function (User $user) { return $user->hasScope(Scopes::IDENTITY_SERVICE_LOGIN); });
Logic of authorization with unknown available scopes
- Gate tries login with email credentials and initial scope (
identity-service-client.scopes.initial
) - Gate receives JWT
- Gate calls
/identity-service/api/identity/scopes
method for receive available user scopes - Gate filters available scopes by uses scopes (
identity-service-client.scopes.uses
) - Gate calls
/identity-service/api/auth/jwt/refresh
method for refresh the token with uses scopes - Gate receives correct JWT for use in service