How would you wrap EE authentication around a custom app?

15

5

A client has an EE2 site and wants us to set up a 3rd party app but keep it private to EE members only. How would you extend EE's member sessions to provide single sign on with a 3rd party PHP app?

The app is made up of multiple PHP files and has its own interface. So, it won't be easy to extract into a custom plugin or module.

We thought about using an iFrame to load the app into an EE page that is for members-only, but it wouldn't be hard to get the iFrame's source URL and hit it directly, bypassing the security.

Now we're considering building a custom module that provides an EE authentication API via action ID. So, we'd create a simple is_logged_in() function that is used in the custom PHP app that sends the value of the EE session cookie to our API and the custom module would determine if it's a valid session or not. If it's not a valid session, the custom app would redirect to our EE login page.

Are there any other ideas we should consider?

Assume for this exercise that the app runs on the same server as the EE site.

Jason Siffring

Posted 2012-11-15T20:04:37.693

Reputation: 493

Jason, was there a correct answer to this question posted? – Anna_MediaGirl – 2012-12-12T05:12:59.407

Just selected a winner. – Jason Siffring – 2012-12-13T17:33:22.570
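The design proposed in the question (a module action that validates the EE session cookie, and an is_logged_in() helper in the custom app that calls it) as an added example; this is not code from the thread or from ExpressionEngine. It assumes an EE2 module class named Ee_sso whose check_session() method is registered as an action, a constant EE_SSO_SECRET shared by both sides, and PHP 5.6+ for hash_equals().

```php
<?php
// --- EE side (hypothetical mod.ee_sso.php), reached via index.php?ACT=<action_id> ---
class Ee_sso
{
    public function __construct()
    {
        $this->EE =& get_instance();
    }

    // Reports whether the session behind the cookies on this request is a
    // logged-in member, and signs the reply so the app can reject forgeries.
    public function check_session()
    {
        $member_id = (int) $this->EE->session->userdata('member_id');
        $payload = json_encode(array(
            'logged_in' => $member_id > 0,
            'member_id' => $member_id,
            'username'  => $member_id > 0 ? $this->EE->session->userdata('username') : '',
            'ts'        => time(),
        ));
        header('Content-Type: application/json');
        echo json_encode(array(
            'payload' => $payload,
            'sig'     => hash_hmac('sha256', $payload, EE_SSO_SECRET),
        ));
        exit;
    }
}

// --- App side: drop-in is_logged_in() for the 3rd party PHP app ---
function ee_is_logged_in($act_url, $secret, $max_age = 60)
{
    // Forward the browser's own cookies (EE's session cookie among them) and
    // user agent, since EE may bind a session to the agent that created it.
    $cookie = isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : '';
    $agent  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $ctx = stream_context_create(array('http' => array(
        'method'  => 'GET',
        'header'  => "Cookie: $cookie\r\nUser-Agent: $agent\r\n",
        'timeout' => 5,
    )));
    $raw = @file_get_contents($act_url, false, $ctx);
    $env = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($env) || !isset($env['payload'], $env['sig'])) return false;
    // Constant-time comparison: a tampered or forged reply never counts as logged in.
    if (!hash_equals(hash_hmac('sha256', $env['payload'], $secret), $env['sig'])) return false;
    $p = json_decode($env['payload'], true);
    // Reject stale replies so a captured response cannot be replayed later.
    if (!is_array($p) || !isset($p['ts']) || abs(time() - (int) $p['ts']) > $max_age) return false;
    return !empty($p['logged_in']);
}
```

The app calls ee_is_logged_in() at the top of each protected page and redirects to the EE login template when it returns false.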

Answers

3

It's worth bearing in mind that EE has plenty of hooks to make this sort of thing easier - sessions_end and member_member_logout are a couple that would be worth looking at.

Depending on whether or not your app has a built-in authentication library it would probably be fairly simple to write an extension that initiates a new session within your app. You'd just need to include the relevant assets and fire off a call to MyApp::Authenticate($session_id) when the EE session is created. When the EE logout hook's called you'd clear out your app's session via MyApp::DestroySession($session_id).

Dom Stubbs

Posted 2012-11-15T20:04:37.693

Reputation: 3 767

Yes, this is what I was going to say - you should hook into the authentication structure provided by EE and create or destroy the needed cookies / session IDs / whatever within the custom application when the user logs in or out of ExpressionEngine. This should be fairly trivial actually, provided there is some sort of reusable library of authentication code in the app. – Isaac Raway – 2012-11-19T04:10:54.483

6

Take a look at system/expressionengine/libraries/Auth.php. You should have all the available methods at your disposal to properly create any member session without actually submitting a login form. The ACT would work well I think, provided you pass all the other correct information.

Here is a very minimal example of the proposed process.

```php
// Grab the member record using a standard ActiveRecord query
$this->db->where('username', 'some_user');
$member = $this->db->get('members');

// Instantiate Auth_result (from system/expressionengine/libraries/Auth.php),
// which creates the user session from the member row
$result = new Auth_result($member->row());
```

Justin Kimbrell

Posted 2012-11-15T20:04:37.693

Reputation: 5 352

4

I would develop an EE add-on that implements an SSO (single sign on) protocol, like OAuth or SAML: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

and then have the 3rd party app authenticate the user using their EE credentials, which would get passed back and forth between EE and the app using OAuth, SAML, or some other open authentication protocol.

Lowell Kitchen

Posted 2012-11-15T20:04:37.693

Reputation: 41

1

Perhaps you could build a wee API that returns a JSON or XML file for the active user.

Something along the lines of..

Logged in: True
Username: joe.bloggs
Email: joe.blogs@gmail.com

Have a simple login template that could be popped up if the result of the above was false. Once they log in, refresh the page and their details would be good as gold. Additionally you could perhaps have the user ID in that file so you can actually connect to the SQL and grab more data that way.

The method I've described is purely hypothetical and I'm not sure if it would work - but it is based on the same basic theory of Facebook Connect.

Mutual

Posted 2012-11-15T20:04:37.693

Reputation: 1 304

I was thinking along the same lines as this. If you didn't want to write an add-on to connect the two, you could use the EE auth creds and pass them through a handler, (similar to a SOAP request), and authenticate then redirect to whatever landing in the app. – Brian Mallett – 2012-11-15T20:44:37.247