[How?] Laravel native Auth with FusionAuth

• I am using FusionAuth with Laravel quite differently than in the example in the official blog.
    I am using FusionAuth hosted pages and the OAuth flow.

• Guests are redirected to the FusionAuth login page, from where they are redirected to myapp.com/callback?code=xxx on successful login.

• The backend exchanges the authorization code for a token with FusionAuth.
      If successful: it either creates a new user entry in the app DB with the UUID given by FusionAuth or fetches the user entry (if it already exists), and sets a user session.
      If it fails: it throws a 401 Unauthorized error.

• The app doesn't store or use the authorization code after that; the user stays logged in as long as the session is alive, irrespective of the FusionAuth SSO session or the authorization code lifetime.

Is there any better way to implement SSO where FusionAuth's session also stays alive along with the app's session, and where I can implement a logout-from-all-devices mechanism?

Laravel has inbuilt support for logoutFromOtherDevices in its Auth facade, but we have already replaced Auth:: with self-created sessions to use FusionAuth. Can't we use FusionAuth with the Laravel Auth facade to utilize most of its features? Or is my approach wrong? Please correct me.

  • Power User

The logout from other devices functionality is based on access and refresh tokens. To implement it, you should configure access tokens to be short-lived, and restrict access in your services' backend only to users that authorize themselves with a valid access token. Since the tokens are short-lived, your applications will require refresh tokens to obtain new access tokens when the old ones expire.

With such preconditions fulfilled, the logout from other devices functionality is all about revoking the refresh tokens provided for other devices. The other devices will still be able to utilize the session, but no longer than the access token validity period (that cannot be revoked). Once it expires, they will try to obtain a new one using the refresh token, but this request will be denied - at this point, the device can be considered logged out.
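One way to wire the scheme described above into the Laravel session-based setup from the question, as an added illustration that is not the poster's code nor FusionAuth's own library: a middleware that keeps the app session tied to the FusionAuth refresh token, plus a controller action that revokes all of the user's refresh tokens. The `config('services.fusionauth.*')` keys, the `fa_*` session keys, the class names and the `fusionauth_id` user column are assumptions for the example; the `/oauth2/token` and `DELETE /api/jwt/refresh` endpoints are FusionAuth's.

```php
<?php
// app/Http/Middleware/EnsureFreshAccessToken.php (hypothetical file; example code)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Http;

class EnsureFreshAccessToken
{
    public function handle(Request $request, Closure $next)
    {
        $session = $request->session();
        // Only sessions established through the FusionAuth callback carry a refresh token.
        if (!$session->has('fa_refresh_token')) {
            return $next($request);
        }
        // Short-lived access token still valid (30 s clock skew): nothing to do.
        if (time() < $session->get('fa_access_expires_at', 0) - 30) {
            return $next($request);
        }
        // Access token expired: ask FusionAuth for a new one with the refresh token.
        $response = Http::asForm()->post(config('services.fusionauth.url') . '/oauth2/token', [
            'grant_type'    => 'refresh_token',
            'refresh_token' => $session->get('fa_refresh_token'),
            'client_id'     => config('services.fusionauth.client_id'),
            'client_secret' => config('services.fusionauth.client_secret'),
        ]);
        if ($response->failed()) {
            // Refresh token revoked (logout from other devices) or expired: end the app session too.
            $session->invalidate();
            $session->regenerateToken();
            return redirect('/login');
        }
        $data = $response->json();
        $session->put('fa_access_token', $data['access_token']);
        $session->put('fa_access_expires_at', time() + (int) $data['expires_in']);
        if (!empty($data['refresh_token'])) {          // FusionAuth may rotate the refresh token
            $session->put('fa_refresh_token', $data['refresh_token']);
        }
        return $next($request);
    }
}

// Logout-from-all-devices action (hypothetical controller method): revoke every refresh
// token FusionAuth issued to this user for this application, then drop the local session.
function logoutEverywhere(Request $request)
{
    $query = http_build_query(['userId' => $request->user()->fusionauth_id,
                               'applicationId' => config('services.fusionauth.client_id')]);
    Http::withHeaders(['Authorization' => config('services.fusionauth.api_key')])
        ->delete(config('services.fusionauth.url') . '/api/jwt/refresh?' . $query)->throw();
    $request->session()->invalidate();
    return redirect('/login');
}
```

Register the middleware on the `web` group after `StartSession`; other devices then lose access within one access-token lifetime, as the reply above describes.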

• @chirag, have you seen these? https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows/

    Reviewing them and mapping your use case on to them may be helpful.