Barebones CMS

Golang SSO client
#1
I have been using your SSO system for over two years now, with great success.

One of the factors that made me choose it as the replacement for the SSO system I was previously using was the fact that it only requires PHP and a database to work, and both were things that I already had in place for my existing projects I wanted to integrate with the authentication system. Those projects were PHP applications too, so the fact that only a PHP client was available was not an issue, initially.

However, over the years, I stopped developing new projects in PHP. Now I tend to use Go to write the backend of my web applications. Integrating SSO authentication in those projects proved difficult, and for more than a year I used a hacked-together solution where a PHP script would be used to act as the "bridge" between the SSO system, using the SSO client, and my applications. I was not happy with this solution, because it was not as secure, and the additional component - the "bridge" - posed an additional point of failure (and attack vector).

More recently, I needed to integrate SSO login in an open source project. Using the "bridge" was more or less out of the equation, as it relied, in part, on "security"-through-obscurity. So I finally took the time to digest your SSO documentation and write an SSO client in Go. After carefully analyzing lots of PHP code and after much trial and error, I finally got something that could talk to the SSO server and support all the features I needed: https://github.com/gbl08ma/ssoclient

This client is nowhere near as complete as the PHP one, but this is, in part, by design. It is meant to be flexible enough that it can be integrated into another session mechanism (unlike the PHP client, which has its own session mechanism). This was important, as one of my projects supports logging in through multiple authentication methods, and the SSO system is only one of them, which means that project already had its own session system.

This library also doesn't do any kind of incoming HTTP request handling (it expects the users of the library to handle HTTP requests for it, and call the functions with the right arguments). The readme should list all the limitations.

I think this project is also a good starting point for those wishing to write their own SSO clients in other languages, as it contains the bare-minimum to successfully perform authentication against the SSO server. This way, you don't need to read through lots of PHP code to get to the "meat of the problem".

I didn't write example code for the library, but this file shows the library being used together with a rudimentary cookie-based session system: https://github.com/gbl08ma/disturbancesm...d1/auth.go
(daClient is the variable that corresponds to the SSO client instance).

I hope this will be useful to someone. If you have any questions or suggestions, feel free to ask.
#2
This is an excellent start! I'd like to see AES added for performance reasons (e.g. Intel Core i5 and i7 processors have the AES-NI instruction set for a 200x improvement in encryption/decryption performance). I obviously prefer dual encryption support. Remote Login support would be interesting but I'm not sure who would use it. CanAutoLogin() is only useful in certain circumstances. Overall, you've picked off all the highlights and I have no complaints/issues from a cursory overview. Great job. I've linked to your project so someone can pick up where you've left off and add any missing features that they need and commit back to your project accordingly.

The extra session logic and capabilities of the PHP SSO client make the PHP client code a bit of a mess to sift through. The ASP.NET client may, in some ways, be a better starting point for a generic port. I picked PHP and ASP.NET since, between the two languages, there's 97% coverage of the dynamic web.

By the way, you can write HTTP servers in PHP and then proxy requests from Nginx or Apache to the servers. The Ultimate Web Scraper Toolkit includes two classes for that purpose (WebServer and WebSocketServer), but, depending on the need, it might be easier to extend Cloud Storage Server, which uses those two classes, with a new API. And Service Manager can start PHP (and Go) applications as system services.
Author of Barebones CMS