smskin/laravel-identity-service-client
Guards for auth by identity service
Downloads
Stars
Version
About Identity service library
Identity service is a service that allows you to organize authorization in a laravel application through a common remote server. This allows you to organize a multi-service architecture with end-to-end authorization.
Identity service library consists of 2 parts:
- identity service - Master auth service (https://github.com/smskin/laravel-idenity-service)
- identity service client - this package. A client that allows application users to log in through a shared service
Installation
- Run
composer require smskin/laravel-identity-service-client - Run
php artisan vendor:publish --tag=identity-service-client - Configure identity service client with
identity-service-client.phpin config folder and environments - Change create user table migration file
- Run
php artisan migrate
Migrations
User will be creating automatically if user open site with correct jwt. You must change users table for support nullable fields.
I usually remove all columns except id and dates because they are not needed (authorization happens through a remote server). For example:
Schema::create('users', function (Blueprint $table) {
$table->id();
$table->string('name');
$table->timestamps();
});
Environments
- IDENTITY_SERVICE_CLIENT_HOST - public address of identity service (https://github.com/smskin/laravel-idenity-service)
- IDENTITY_SERVICE_CLIENT_DEBUG - debug mode of auth gates
- IDENTITY_SERVICE_CLIENT_API_TOKEN - secret key for admin functionality (admin api - https://github.com/smskin/laravel-idenity-service)
Configuration
You can configure library with identity-service-client.php file.
- classes
- models
- user - Class of User model. You can override it with your user model class. You must implement
HasIdentitycontract and implementIdentityTraittrait
- user - Class of User model. You can override it with your user model class. You must implement
- models
- scopes
- initial - initial jwt scope for receive basic user data
- uses - array of scopes, that uses by this service (the service in which this library is installed). For example service for administrate identity service uses the
Scope::IDENTITY_SERVICE_LOGINscope
Example of Users model:
<?php
namespace App\Models;
use Illuminate\Contracts\Auth\MustVerifyEmail;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Notifications\Notifiable;
use Laravel\Sanctum\HasApiTokens;
use SMSkin\IdentityServiceClient\Models\Contracts\HasIdentity;
use SMSkin\IdentityServiceClient\Models\Traits\IdentityTrait;
class User extends Authenticatable implements HasIdentity
{
use HasApiTokens, HasFactory, Notifiable;
use IdentityTrait;
/**
* The attributes that are mass assignable.
*
* @var array<int, string>
*/
protected $fillable = [
'identity_uuid',
'name',
];
}
Using
This library register 2 guards:
- identity-service-client-jwt
- identity-service-client-session
You can use it with auth middleware (for example: auth:identity-service-client-jwt) or bind it's to already exists guards by auth.php config file.
For example:
...
'guards' => [
'web' => [
'driver' => 'identity-service-client-session',
'provider' => 'users',
],
'api' => [
'driver' => 'identity-service-client-jwt',
'provider' => 'users',
],
],
...
User has method hasScope for check required scope in jwt.
Gate::define('viewNova', function (User $user) {
return $user->hasScope(Scopes::IDENTITY_SERVICE_LOGIN);
});
Logic of authorization with unknown available scopes
- Gate tries login with email credentials and initial scope (
identity-service-client.scopes.initial) - Gate receives JWT
- Gate calls
/identity-service/api/identity/scopesmethod for receive available user scopes - Gate filters available scopes by uses scopes (
identity-service-client.scopes.uses) - Gate calls
/identity-service/api/auth/jwt/refreshmethod for refresh the token with uses scopes - Gate receives correct JWT for use in service
