Cookbook article: Authenticating against an external API

[weaverryan]

This is a question that comes up quite frequently: how to setup a custom authentication system where the username/password are checked in the background against an API. In this case, things in the normal flow like UserProvider::loadUserByUsername don't make sense.

I think it may be useful to have a second cookbook entry (in addition to custom_authentication_provider, which talks about WSSE) for this use-case. The "custom-authentication" world is big and varied - if we added this, it would serve to cover more common, but difficult use cases.

[romaricdrigon]

This is tricky.

On the one hand, we need to check the password. The AuthenticationProvider is the place for this, we can not just implement a UserProvider proxying an external service as it's obviously not gonna give you this information.

On the other hand, without an UserProvider, we may be running issues when refreshUser will be called.

What would be the use cases of this cookbook article?
In my experience, when dealing with services such as OpenID, you create an OpenIDIdentity object linked to your users and it's that entity that go through a specific workflow. You still need to have an User entity in your "Symfony2", in your application, as rarely you get enough informations from external service nor when to pollute it with application-specific details.

[weaverryan]

I think we can and should handle this in #3357. Since I'm the one who opened this issue, I'm going to close it now and hope that we handle it well there. @romaricdrigon since you've been working on some security stuff, if you have some time to look at the implementation in #3357, I'd love your thoughts :).

Cheers!

[skobkin]

Did it cover things like OpenID? I didn't found any cookbook entries which can help to do some types of authentication similar to the OpenID (redirect from login form and then check some credentials when user returned back to the login check route from extenal API).

[romaricdrigon]

The closest thing to using an external API would be this article : http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Basically this is this + handling redirection/responses in the firewall. Last time I had to implement such a thing, I looked a lot to similar OAuth or OpenID bundles. Also I'm not sure if there are no way to simplify this with 2.4+ Security component, at that time I had to use 2.3 LTS.

However, I'm wondering if we should cover this in the documentation. I feel like it's pretty advanced and we would be going way further than the other articles. Implementing this requires understanding a lot of subsystems, and the debug during implementation is usually tricky.

[romaricdrigon]

Is there still some interest for that cookbook entry?
I thought about it, if still relevant I may work on it next days.

[skobkin]

@romaricdrigon, Yes! I will be very grateful if you do it.
Meanwhile I began to understand how to do it, but I'm new to the Symfony and I will check and correct my own unfinished code considering your article if it will be written.
Also I think I'm not alone with this kind of problem and your cookbook entry may be very helpful to many newbies in the Symfony community.

[pawelkolanowski]

@romaricdrigon +1

[damijanc]

@romaricdrigon +1

[nmoreaud]

+1, still wondering how to do this...

[chakiri]

@romaricdrigon + 1