I need to build a Symfony application where the users are not stored in the local database as Entity: the application uses an external user database located at a separate domain, and I am looking at authentication via API. I can't find any extensive examples about this, not even in the documentation, so I came up with my own implementation which I don't think is good at all.
In my app I created the following:
- A class User, which implements UserInterface, PasswordAuthenticatedUserInterface
- My UserAuthenticator class is essentially a standard one
- My UserProvider is what makes the difference, as it makes an HTTP request to https://externaluserdb.example.com (fake url for dummy purpose) in order to fetch user information, instead of relying on local database.
However, this is where I'm getting confused. I have two approaches in mind, but neither of them seems to be secure or good practice at all.
APPROACH 1 (must be really wrong)
- Application makes API call to https://externaluserdb.example.com providing `username` only
- https://externaluserdb.example.com returns the user's hashed password (I think this is terrible?)
- Application locally hashes `password` and compares it with the value from the remote database; logs the user in if it's a match
- If authentication is successful, application fetches the rest of the user data from https://externaluserdb.example.com (not sure how, unless the correct password is provided)
APPROACH 2
This makes a lot more sense to me, but I am not sure it's good practice, as I would be passing the clear password to the third-party service (even though it's HTTPS, I'm not sure it's good).
- Application makes API call to https://externaluserdb.example.com providing `username` and `password`
- https://externaluserdb.example.com checks the credentials and responds with a status (authentication OK or NO) and user data if authentication is successful
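Approach 2 as a Symfony authenticator, written here as an added illustration (not the poster's code): the password is forwarded once over TLS to the remote service and never hashed, compared or stored locally, and the `User` object is built only from the profile the service returns on success. The verify endpoint path, the JSON field names, the use of HTTP status codes for OK/NO, and the `User` constructor taking a profile array are assumptions.

```php
<?php
// Added example for "Approach 2": the app never sees a password hash; it asks
// the remote service to verify the pair and only receives a status + profile.
// Endpoint path, JSON field names and the User constructor are assumptions.
namespace App\Security;
use Symfony\Component\HttpFoundation\{JsonResponse, Request, Response};
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\{Passport, SelfValidatingPassport};
use Symfony\Contracts\HttpClient\Exception\ExceptionInterface as HttpClientException;
use Symfony\Contracts\HttpClient\HttpClientInterface;

final class RemoteApiAuthenticator extends AbstractAuthenticator
{
    private const VERIFY_URL = 'https://externaluserdb.example.com/auth/verify'; // assumed path

    public function __construct(private HttpClientInterface $http) {}

    public function supports(Request $request): ?bool
    {
        return $request->isMethod('POST') && $request->getPathInfo() === '/login';
    }

    public function authenticate(Request $request): Passport
    {
        $username = (string) $request->request->get('username', '');
        $password = (string) $request->request->get('password', '');
        $profile = [];
        try {   // remote service checks the pair: assumed 200 + JSON profile, or 401
            $resp = $this->http->request('POST', self::VERIFY_URL,
                ['json' => ['username' => $username, 'password' => $password], 'timeout' => 5.0]);
            $ok = $resp->getStatusCode() === 200;
            $profile = $ok ? $resp->toArray(false) : [];
        } catch (HttpClientException) { $ok = false; }  // network/TLS error: fail closed
        if (!$ok) {
            throw new CustomUserMessageAuthenticationException('Invalid credentials.');
        }
        // Credentials were verified remotely, so no local credentials badge is needed.
        return new SelfValidatingPassport(new UserBadge($username, fn () => new User($profile)));
    }

    public function onAuthenticationSuccess(Request $r, TokenInterface $t, string $fw): ?Response
    {
        return null;    // let the request continue to the controller
    }

    public function onAuthenticationFailure(Request $r, AuthenticationException $e): ?Response
    {
        return new JsonResponse(['error' => 'Authentication failed.'], Response::HTTP_UNAUTHORIZED);
    }
}
```

With this shape the local `UserProvider` only needs to refresh the user from the session; it never has to call the remote service with a password, and a remote outage results in a failed login rather than a fallback path.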