Différences

Ci-dessous, les différences entre deux révisions de la page.

--- informatique:oauth [02/09/2025 12:26] – [PHP] cyrille
+++ informatique:oauth [09/09/2025 11:30] (Version actuelle) – [Recherche d'une "bonne" méthode] cyrille
@@ Ligne 110: / Ligne 110: @@
   * https://github.com/thephpleague/oauth2-client
   * [[https://github.com/laravel/socialite|Laravel Socialite]]
+    * [[https://dev.to/philipdroubi/laravel-9-api-authentication-via-sanctum-socialite-and-test-on-postman-2iki|Laravel API Authentication via Sanctum & Socialite and test on Postman]]
     * [[https://medium.com/@faizanrafique/the-social-login-in-laravel-via-api-with-socialite-by-faizan-ali-717ad9075ee7|Social Login In Laravel Via Api With Socialite]]
   * PHP OAuth API on phpclasses.org: [[http://www.phpclasses.org/blog/package/7700/|package]], [[http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html|blog]]
@@ Ligne 118: / Ligne 119: @@
 On trouve des exemples avec Laravel Socialite pour le site et un package OAuth dans l'App mobile. Mais le site ne vérifie pas la validité du token fourni par l'App Mobile, qui l'a obtenue depuis le fournisseur tiers ...
+Aussi il n'est pas sécurisé de stocker le ''client_secret'' dans l'application.
   * [[https://taufanfadhilahiskandar.medium.com/three-ways-to-using-laravel-socialite-5f1280ed3c47|Three ways to using Laravel Socialite]]
   * https://api-platform.com/docs/laravel/
+==== Recherche d'une "bonne" méthode ====
+Exigences:
+  * Ne pas avoir le ''client_secret'' dans l'App
+  * S'assurer que le social login est légitime
+<mermaid 80%>
+sequenceDiagram
+participant User
+participant Mobile
+participant Browser
+participant Api
+participant Auth
+autonumber
+activate User
+User ->> Mobile: Click one provider button
+activate Mobile
+deactivate User
+Mobile ->> Api: request auth provider url<br/>SESSION_COOKIE + STATE
+activate Api
+Api ->> Api: create STATE + SESSION COOKIE
+Api -->> Mobile: return AUTH_PROVIDER_URL<br/>SESSION_COOKIE + STATE
+deactivate Api
+Note over Mobile,Auth: Mobile open the System default Browser
+Mobile ->> Browser: open AUTH_PROVIDER_URL
+activate Browser
+activate Auth
+Browser ->> Auth: request AUTH_PROVIDER_URL
+Auth -->> Browser: return auth ui
+deactivate Auth
+deactivate Mobile
+activate User
+Browser -->> User: read access scopes & login ui
+User ->> Browser: click Accept or Denied
+activate Auth
+Browser ->> Auth: post auth form
+deactivate User
+deactivate Browser
+activate Api
+critical Auth Protocol
+Auth ->> Api: "Auth callback with 'code'"
+Api ->> Auth: "Request Access"
+Auth -->> Api: "return access"
+end
+Note right of Mobile: http(s) deep link is verified with<br/>"assetlinks.json" & "apple-app-site-association"
+deactivate Auth
+Api -->> Browser: return redirect DEEP_LINK
+deactivate Api
+activate Mobile
+Browser -->> Mobile: return redirect DEEP_LINK
+activate Api
+Mobile ->> Api: request Api Token<br/>with SESSION_COOKIE + STATE
+Api -->> Mobile: return API_TOKEN
+deactivate Api
+deactivate Mobile
+Note over User,Api: Authentified user can request the Api
+activate User
+User ->> Mobile: "do something"
+activate Mobile
+activate Api
+Mobile ->> Api: "request something with API_TOKEN"
+Api -->> Mobile: "return something"
+Mobile -->> User: display what ever
+deactivate Api
+deactivate Mobile
+deactivate User
+</mermaid>