rod james

Reputation: 449

Laravel makeshift SSO approach

We want to implement an SSO-like approach in our program where users will register in a third-party program and synchronously register in our program, and authenticate the login/logout from the third party, since we don't have access to the third party's authentication. The third-party program is our client's program that wants to use our program's services.

Since packages like miniOrange are not free, we need to do this the hard way.

Here is what I have done and will try to finish:

Already done code:

  1. Install laravel/passport in our program.
  2. Create a registration API that the client in the third-party program can use to register in our program.
  3. With Passport, it will return a Bearer token that they need to save in their system (remove the expiration date).
  4. Create a URL that will accept the Bearer token that was created during the registration.
  5. When the URL is opened, I will be able to use Auth::user() and get the user info.

Trying to accomplish:

$credentials = [
    'email' => '[email protected]',
];

if (Auth::attempt($credentials)) {
    Log::info(Auth::user());
}
  1. From the Auth::user(), get the email address and re-login using the code above
  2. However, when I open another page, the Auth::user() is empty.

My question is:

1. Is this approach okay for a makeshift SSO?

2. Why is Auth::user() empty on a different URL even if I manually log in the user?

UPDATE

So I think I will continue with Laravel Passport as a makeshift SSO on our program. However, I want to do an Auth::login() when I pass the token in the header:

Here would be the code:

public function authenticate()
{
    // Resolved by the passport 'api' guard from the Bearer token
    $user = Auth::user();
    Log::info($user);
    . . . . . . 
    $authuser = User::where('email', '=', $user->email)->first();
    // login() returns void, so its result must not be assigned
    Auth::login($authuser);
    Log::info($authuser);
    return $user;
}

The reason why I wish to use Auth::login here is so that the user is authenticated on all pages, not just on the first page. The authenticate function is used when I access the program with the Bearer token. In the $authuser part, I want to re-login the user with just the email. The reason for using only the email is the logic before this. Yes, we have already considered this one. However, when I use Auth::login($authuser);, it returns a "Method Illuminate\Auth\RequestGuard::login does not exist" error message.

Possible data that you wish to see:

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],

    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
        'hash' => false,
    ],
],

The api guard's driver was originally token before Laravel Passport was implemented.

Upvotes: 1

Views: 880

Answers (2)

rod james

Reputation: 449

After trial and error, I decided to use Laravel Passport and fixed Auth::login not persisting. For the Auth::login issue, I moved \Illuminate\Session\Middleware\StartSession::class from $middlewareGroups to $middleware.

Upvotes: 0

Mike

Reputation: 56

Is this approach okay for a makeshift SSO?

It might work with Passport, but that isn't really its intended use (OAuth2). I found it more confusing than just rolling out a custom solution:

I'd look into using a manual JWT auth solution (https://jwt-auth.readthedocs.io/en/develop/laravel-installation/)

2. Why is Auth::user() empty on a different URL even if I manually log in the user?

Most likely because the route/controller method is missing an auth middleware that says it's an authenticated route.

Upvotes: 1
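The two-guard flow the question and both answers circle around, written out as an added example. This is not the asker's code nor either answerer's: the request carrying the Passport Bearer token is authenticated by the api guard (the auth middleware Mike's answer refers to), and the same user is then logged into the session-backed web guard so that Auth::user() is populated on the pages that follow. The class name SsoLoginController, the /sso/login route and the return_to query parameter are assumptions made for illustration.

```php
<?php
// Added example, not the question's or either answer's code. It implements
// the flow discussed on this page: a request carrying a Passport bearer
// token is authenticated by the 'api' guard, and that user is then logged
// into the session-backed 'web' guard so Auth::user() is populated on the
// pages that follow. The class name SsoLoginController, the /sso/login
// route and the return_to query parameter are assumptions for illustration.
//
// routes/web.php (in the web group, so EncryptCookies and StartSession run;
// auth:api makes Passport validate the Authorization: Bearer header first):
//
//   Route::get('/sso/login', [SsoLoginController::class, 'login'])
//       ->middleware('auth:api');

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;

class SsoLoginController extends Controller
{
    public function login(Request $request): RedirectResponse
    {
        // auth:api has already rejected requests without a valid token, so
        // this is the user the token was issued to. Name the guard
        // explicitly: the 'api' guard is a RequestGuard, which has no
        // login() method (the error quoted in the question).
        $user = Auth::guard('api')->user();

        // Log the same user into the session guard. login() returns void,
        // so do not assign its result; on later requests the user is read
        // back through Auth::guard('web')->user().
        Auth::guard('web')->login($user);

        // Issue a fresh session id so a session id fixed before login
        // cannot be reused (session fixation).
        $request->session()->regenerate();

        Log::info('SSO session established', [
            'user_id' => $user->getAuthIdentifier(),
        ]);

        // Accept only a relative path for the post-login redirect; an
        // absolute URL here would be an open redirect.
        $returnTo = (string) $request->query('return_to', '/');
        if (! Str::startsWith($returnTo, '/') || Str::startsWith($returnTo, '//')) {
            $returnTo = '/';
        }

        return redirect($returnTo);
    }
}
```

The Bearer token is only needed on this one request; every later page just needs the ordinary auth middleware for the web guard. Two practical notes: the login() call has to run after StartSession, which is why registering the route in routes/web.php (or, as the accepted answer did, moving StartSession into the global $middleware) matters; and Passport's token lifetime is set with Passport::tokensExpireIn() in AuthServiceProvider::boot(), so a token whose expiration is removed, as step 3 of the question proposes, is a permanent credential held by the client and should at least be revocable on the server side.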
