I do single sign on. Am I setting up authorization correctly?
Hello.
Preamble:
There are several PHP projects. Each project currently has its own users table with: id, login, password, role. There are no complex ACLs; roughly speaking, only 3 roles: admin, manager, user. They are checked in the controller by prefixes.
It is required to make a single authentication = a common database with users and passwords, with the ability to log in on one site and be logged into all the others.
But the question is not about authentication. Let's assume it works.
The problem is authorization = who is allowed to do what: since authentication is unified, we remove the users table from each project and each project looks them up in the common database.
Question: a user can have different rights in different projects, which was not a problem before. However, now that the table is the same for everyone, how do we determine which user can do what on this site?
I see the following solution: we store logins/passwords in a common database, but for each project we still keep a users table containing an id and a role.
So, is this normal or crooked?
Thank you.
Firstly, they should not look into a common database; they should all be connected to a separate authorization server.
See how OAuth solved this problem. There, the user is simply assigned their rights for a specific resource.
That is, the algorithm is as follows:
- authorize the dude on the authorization server and get a token
- using the token, get the rights available for a specific application. If you do not have control over all the applications, you can still keep a private token for each of them so that one app cannot change the rights of another app.
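One way to implement the scheme this answer describes, as an added example that is not code from the question or the answer (written in Python rather than PHP so it runs stand-alone): a single authorization server holds the shared user table and one role table per application, issues an HMAC-signed token after authentication, and answers rights lookups only to an application that presents its own app secret. The user records, app ids, secrets and the HMAC token format are all constructed assumptions for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed sample data (assumptions, not from the question): one shared user table,
# registered applications with their own secrets, and a separate role table per app.
SERVER_KEY = b"constructed-server-signing-key"
USERS = {"alice": {"id": 1, "pw": hashlib.sha256(b"alice-pass").hexdigest()}}
APPS = {"crm": {"secret": "crm-secret"}, "shop": {"secret": "shop-secret"}}
# The same user id can hold different roles in different applications.
ROLES = {"crm": {1: "admin"}, "shop": {1: "user"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(login: str, password: str, ttl: int = 3600) -> Optional[str]:
    """Authentication step: check the shared user table and return a signed token."""
    user = USERS.get(login)
    given = hashlib.sha256(password.encode()).hexdigest()
    if not user or not hmac.compare_digest(user["pw"], given):
        return None
    payload = _b64(json.dumps({"uid": user["id"], "exp": int(time.time()) + ttl}).encode())
    sig = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def _verify_token(token: str) -> Optional[int]:
    """Return the user id if the signature is valid and the token has not expired."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["uid"] if claims["exp"] > time.time() else None

def _check_app(app_id: str, app_secret: str) -> bool:
    app = APPS.get(app_id)
    return bool(app) and hmac.compare_digest(app["secret"], app_secret)

def get_role(token: str, app_id: str, app_secret: str) -> Optional[str]:
    """Authorization step: an app presents its own secret plus the user's token."""
    uid = _verify_token(token)
    if uid is None or not _check_app(app_id, app_secret):
        return None
    return ROLES.get(app_id, {}).get(uid)

def set_role(app_id: str, app_secret: str, uid: int, role: str) -> bool:
    """Only the app owning a role table may change it; another app's secret is refused."""
    if not _check_app(app_id, app_secret):
        return False
    ROLES.setdefault(app_id, {})[uid] = role
    return True
```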