oAuth2 + PHP-auth implementation
ponasromas opened this issue · 2 comments
Well, I know how to implement oAuth2, but how to pair it with PHP-auth?
Example:
- User goes to domain.tld/register
- User choose Github as registration method
- oAuth2 lib used
- User goes to domain.tld/login
- User choose Github as login method
Now, how to actually "login" user via PHP-auth? Because main authorization library would be still PHP-auth. Is it possible to programatically "login" user?
I've implemented what you're talking about with google OAuth, I'm not familiar with the process of GitHub authorization, but I assume it would be similar. Here is the process I've implemented:
1 User goes to domain.tld/register
2. User creates an account
3. User is emailed a verification key/token (as outlined in the php-auth documentation for $auth->register)
4. User clicks the link in their account, they hit the site, their account is verified, and they are automatically logged in
5. User logs out
6. User attempts to now login using the Google OAuth button
7. Google OAuth provides a $_POST['credential'] value with login that can be used to verify a users account. In these creds are a unique google ID that I store in the php-auth database as part of the user's information. So when the user attempts to login with google I match their email and OAuth creds for login. This allows the user to login with OAuth or the 'login with google' button.
Alternatively, this process can be reversed:
- User uses the 'login with google' button
- System uses info in $_POST['credential'] to create a new account, and automatically logs the user in (no authentication email is sent)
- User then requests a password reset via domain.tld/reset
- User account is emailed a password reset link
- User resets their php-auth password, allowing them to login with a U/P or the 'login with google' button.
So when a user attempts to login with OAuth, the $_POST['credential'] value is pulled for the user's email and google unique ID, if $_POST['credential'] passes authentication, the user is logged in via $auth->login. I would assume GitHub passes similar user data.