Adldap2 / Adldap2-Laravel

LDAP Authentication & Management for Laravel
MIT License

How to use with multiple guards? #514

Open raysn0w opened 6 years ago

raysn0w commented 6 years ago

Description:

I'm using multiple authentication guards:

        'admins' => [
            'driver' => 'adldap',
            'model' => \App\Admin::class,
        ],

        'managers' => [
            'driver' => 'adldap',
            'model' => \App\Models\Employee\Manager::class,
        ],

Now my problem is that scopes and rules are global settings tied to the adldap driver. What I'm trying to accomplish, for example, is that only the users with valid scope/rules of admin can log in against the admin guard, and the same for managers, which would be a different set of scope/rules.

warlord0 commented 6 years ago

I leave authentication to LDAP - that's just my means of "are you who you say you are". Then I'd use some other mechanism to determine what level of access that authenticated user has. It could be as simple as a database column for a user class, but I've tended to use spatie's excellent laravel-permission so I can assign users roles and permissions and be very granular about who can access what component and to what degree.

For me the guards are used just to test the type of access, e.g. web or api. The auth remains the same.

raysn0w commented 6 years ago

I understand your approach, but that will mean that on the admin portal, for example, all users will succeed at authentication but will then be denied access by PHP. I would like to not even allow the user to pass authentication if they are not part of an admin group.

Does that make sense?

warlord0 commented 6 years ago

Yeah I get it. But by using something like @hasRole('Admin') you can control what is seen from the blades and by using it as middleware at the controller or in your routes you can stop anyone without the required role.

So in my blade I have the links to admin portal only show if you have the role. In my routes you must have the admin role to be able to go there, and in my controllers I stop anyone without the necessary role from either accessing the entire set of controller methods or a method by method approach.

I guess you're using a different logon page based on if you're a manager or an admin? Then trying to allow them through or not?

Just wondered if this may be more applicable?

https://github.com/Adldap2/Adldap2-Laravel/blob/master/docs/auth.md#rules

raysn0w commented 6 years ago

You are correct, I'm using different login pages for normal users and admins, I would like to use rules/scopes on my admin authentication to not even allow the user to log in.

I guess I'll have to deny the access after the authentication has succeeded.
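
The post-authentication check the thread ends on, as an added example that is not part of the original thread and not Adldap2-Laravel code: a per-guard group gate applied after the LDAP credential check and before a session is created. It is plain PHP with no library calls; the function names, the guard-to-group mapping and the sample DNs are assumptions constructed for illustration.

```php
<?php
// Added example: plain PHP, no Adldap2-Laravel calls. All names are hypothetical.

// Constructed mapping: guard name => group DN the account must belong to.
const GUARD_GROUPS = [
    'admins'   => 'CN=Portal Admins,OU=Groups,DC=example,DC=org',
    'managers' => 'CN=Portal Managers,OU=Groups,DC=example,DC=org',
];

// Normalize a DN for comparison: trim, lowercase, drop spaces around ',' and '='.
// Simplified: escaped characters inside RDN values are not handled.
function normalizeDn(string $dn): string
{
    return preg_replace('/\s*([,=])\s*/', '$1', strtolower(trim($dn)));
}

// Decide whether a user who already passed the LDAP credential check may get
// a session on $guard. $memberOf is the user's memberOf attribute (group DNs).
function mayLogInToGuard(string $guard, array $memberOf): bool
{
    if (!isset(GUARD_GROUPS[$guard])) {
        return false; // unknown guard: fail closed
    }
    $required = normalizeDn(GUARD_GROUPS[$guard]);
    foreach ($memberOf as $dn) {
        // Compare whole DNs. A substring test would also accept
        // "CN=Portal Admins Auditors,..." or a same-named group in another OU.
        if (is_string($dn) && normalizeDn($dn) === $required) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a manager who is not in the admin group.
$memberOf = [
    'cn=Portal Managers, ou=Groups, dc=example, dc=org',
    'CN=Portal Admins Auditors,OU=Groups,DC=example,DC=org',
];

var_dump(mayLogInToGuard('managers', $memberOf)); // member of the required group
var_dump(mayLogInToGuard('admins', $memberOf));   // similar name only, not a member
var_dump(mayLogInToGuard('api', $memberOf));      // guard with no mapping
```

The check belongs in each portal's login handler, with a failed check returning the same response as a bad password so the admin login page does not confirm which accounts have valid credentials. `memberOf` lists direct memberships only, so nested groups need a separate lookup.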