Handling Social Sign In With Laravel and Angular JS App using JWT

I’m currently building an application that will use Laravel as a REST client for an Angular JS front-end. The API and client facing website will be completely separate from one another and even reside on separate domains. The Laravel end uses JWT as an authentication mechanism. So when a user currently signs in via the Angular JS app an AJAX request is made to a controller that returns the JWT. The server-side JWT portion of this is all being handled by this community provider. This all works fine with a basic username and password registration process. I now need to implement social sign-in using hybrid auth. Unless I’m wrong, I’m going to need to use my Laravel app not only as a REST client but also as a central authentication server for social sign-in. This will result in a single controller that interfaces with hybrid auth allowing redirect(s) to social providers’ websites so they can sign in, which obviously can’t be done using REST. So the flow will be something like this for social sign-in.

  1. In Angular JS app login screen shows.
  2. User pushes button that initiates social sign-in.
  3. Angular JS app instead of making REST request redirects user to Laravel controller that will centralize social sign-in.
  4. The controller will initiate hybrid auth to authenticate against the specified social providers website, which will create another redirect to the social provider website.
  5. The user will allow or deny my application.
  6. The social provider website will then redirect back to a controller in the Laravel application.
  7. The Laravel application will determine whether the user is registered or not via matching email.
  8. If the user is not signed up they will be registered.
  9. Once this is done a new JWT will be created.

Now the part of this I’m unsure of is at this point I was now going to get the Hybrid Auth session data as a serialized array and store it in a claim on the JWT token, using the methods outlined here.

http://hybridauth.sourceforge.net/userguide/HybridAuth_Sessions.html

These methods:

  • Hybrid_Auth::getSessionData()
  • Hybrid_Auth::restoreSessionData()

At the end of this entire process the Laravel application will then redirect back to the Angular app with the JWT token in the query string. At which point the Angular JS app will store the JWT in local storage to be passed in subsequent requests to the Laravel application. When this happens the Laravel app will then decode the JWT, get the hybrid auth session data from a claim and restore the Hybrid auth session manually.

Does all that sound correct and safe?
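As an added example (not code from the original post or from HybridAuth), here is one way to implement steps 6 to 9 of the flow above on the Laravel side, assuming the firebase/php-jwt library, HybridAuth 2.x and Laravel's Cache facade; the User model, the `hsid` claim name, `$config` and `$secret` are placeholders. It keeps the HybridAuth session data (which holds the provider access tokens) in a server-side store keyed by an opaque id, and puts only that id in the JWT, because a JWT payload is signed but not encrypted and is readable by anyone who holds the token.

```php
<?php
// Added example, not from the original post. Assumes firebase/php-jwt (JWT::encode/decode),
// HybridAuth 2.x (Hybrid_Auth) and Laravel's Cache facade. User, $config and $secret are placeholders.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Illuminate\Support\Facades\Cache;

// Steps 6-9: the social provider has redirected back to our callback controller.
function handleSocialCallback(string $provider, array $config, string $secret): string
{
    $hybridauth = new Hybrid_Auth($config);
    $adapter    = $hybridauth->authenticate($provider);   // finishes the provider round-trip
    $profile    = $adapter->getUserProfile();

    // Steps 7-8: match on the provider-reported email, register if unknown.
    $user = User::where('email', $profile->email)->first()
         ?: User::create(['email' => $profile->email, 'name' => $profile->displayName]);

    // Keep the HybridAuth session server-side under a random, unguessable id.
    // The serialized session contains provider access tokens, so it must not
    // travel inside the JWT payload, which is only base64url-encoded.
    $sessionId = bin2hex(random_bytes(16));
    Cache::put("hybridauth:$sessionId", $hybridauth->getSessionData(), 3600); // 1 hour TTL

    // Step 9: short-lived JWT that carries identifiers only.
    $now    = time();
    $claims = [
        'sub'  => $user->id,
        'hsid' => $sessionId,          // hypothetical claim: handle for the server-side session
        'iat'  => $now,
        'exp'  => $now + 900,          // 15 minutes; refresh rather than issue long-lived tokens
        'jti'  => bin2hex(random_bytes(8)),
    ];
    return JWT::encode($claims, $secret, 'HS256');
}

// On later API requests: verify the JWT, then restore the HybridAuth session from the store.
function restoreHybridAuthFromJwt(string $jwt, array $config, string $secret): Hybrid_Auth
{
    $claims = JWT::decode($jwt, new Key($secret, 'HS256'));   // throws on bad signature or expiry
    $data   = Cache::get("hybridauth:{$claims->hsid}");
    if ($data === null) {
        throw new RuntimeException('HybridAuth session expired or unknown');
    }
    $hybridauth = new Hybrid_Auth($config);
    $hybridauth->restoreSessionData($data);
    return $hybridauth;
}
```

The token returned by `handleSocialCallback()` is what the final redirect hands to the Angular app; since a query string ends up in browser history and server logs, the `#fragment` part of the redirect URL is the usual place to carry it, and the Angular side should remove it from the URL once stored.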

Could someone move this to PHP for me, thought I posted it there…
