Social Auth
Overview
This document provides information about Social Auth.
Resources:
- https://laravel.com/docs/7.x/socialite
- https://auth0.com/docs/api-auth/which-oauth-flow-to-use
- https://drive.google.com/file/d/19_M_0cMmrgfQLIHkKw2ZJIwkskrT7lFV/view
We use OAuth 2.0.
We use the "Authorization Code grant", which is the most widely used flow when integrating OAuth 2.0.
However, we do something special to work around one of the OAuth 2.0 requirements. The standard states that the redirect_url the user is sent back to after authorizing an app must be whitelisted in the provider configuration. For us that would mean whitelisting each and every tenant URL with each social provider (assuming they even let us enter thousands of records), or creating a separate provider profile for each tenant, or asking customers to create the profiles and provide the configuration themselves.
So, to avoid all of that, we point all social auth callbacks to a single redirect_url in farfalla. When we redirect the user to the provider we also send a state param that carries the tenant_id and a key used to validate the state param itself. When the provider redirects the user back to us, he/she arrives at farfalla's main tenant domain, and we use the information in the state param to do a final redirect to the corresponding tenant.
Other resources:
- https://itnext.io/laravel-api-authentication-for-social-networks-oauth2-social-grant-3ec1085b58b6
- https://binary-studio.com/2015/05/25/laravel-oauth2/