PHPackages: mixu/sso-auth (Authentication & Authorization, active library)

mixu/sso-auth
=============

Comprehensive Laravel SSO Authentication package with Security Monitoring, Session Binding, Activity Tracking, and Global Logout Support

v1.1.6 (released 2 months ago), MIT license, PHP ^8.2, Blade. Listed since Feb 24, last pushed 2 months ago.

[Source](https://github.com/mixudev/package_sso_client) · [Packagist](https://packagist.org/packages/mixu/sso-auth) · [Docs](https://github.com/mixu/sso-auth)

Mixu SSO Auth Package
=====================

A complete SSO (Single Sign-On) authentication system for Laravel with security monitoring, session binding, and activity tracking.

📋 Key Features
---------------

- ✅ **OAuth2 Integration** - Easy integration with the Mixu Auth Server or other OAuth2 providers
- ✅ **Session Security** - IP binding and User-Agent validation to prevent session hijacking
- ✅ **Activity Tracking** - A complete audit trail of every user activity
- ✅ **Security Monitoring** - Brute force detection, anomaly detection, security event logging
- ✅ **Role-Based Access** - Role-based access control driven by the SSO Server
- ✅ **Area-Based Access** - Access-area-based access control driven by the SSO Server
- ✅ **Global Logout Webhook** - Automatic logout in every application when the user logs out at the SSO Server
- ✅ **Laravel 12+ Support** - Compatible with Laravel 12 and PHP 8.2+

🚀 Installation
---------------

### 1. Install via Composer

```
composer require mixu/sso-auth
```

### 2. Publish Configuration & Migrations

```
php artisan vendor:publish --provider="Mixu\\SSOAuth\\Providers\\MixuSSOAuthServiceProvider" --tag=mixu-sso-auth-config
php artisan vendor:publish --provider="Mixu\\SSOAuth\\Providers\\MixuSSOAuthServiceProvider" --tag=mixu-sso-auth-migrations
```

### 3. Set Up Environment Variables

Add the following to your `.env` file:

```
AUTH_BASE_URL=https://auth.example.com
AUTH_CLIENT_ID=your-client-id
AUTH_CLIENT_SECRET=your-client-secret
AUTH_REDIRECT_URI=http://localhost:8000/auth/callback
AUTH_SCOPES=openid profile email
SSO_WEBHOOK_SECRET=your-webhook-secret
```

### 4. Run Migrations

```
php artisan migrate
```

⚙️ Configuration
----------------

### Automatic Service Provider

The package is registered automatically through package auto-discovery. If it is not, add it to `config/app.php`:

```
'providers' => [
    // ...
    Mixu\SSOAuth\Providers\MixuSSOAuthServiceProvider::class,
],

'aliases' => [
    // ...
    'SSOAuth' => Mixu\SSOAuth\Facades\SSOAuth::class,
    'SecurityMonitoring' => Mixu\SSOAuth\Facades\SecurityMonitoring::class,
],
```

> **Important note**: since Laravel 11 the package no longer relies on a `Console/Kernel.php` file. The schedule is defined in the provider or in the application's `routes/console.php`. See the following section for details.

### Register Middleware

Register the middleware in the application's `bootstrap/app.php` or `app/Http/Kernel.php` (the package does not need a kernel file of its own):

```
// Middleware for authentication & session validation
\Mixu\SSOAuth\Http\Middleware\EnsureSSOAuthenticated::class, // alias: sso.auth
\Mixu\SSOAuth\Http\Middleware\EnsureSSOSessionAlive::class, // alias: sso.alive
\Mixu\SSOAuth\Http\Middleware\ValidateSessionIP::class, // alias: validate.session.ip
\Mixu\SSOAuth\Http\Middleware\ValidateSessionUserAgent::class, // alias: validate.session.ua
\Mixu\SSOAuth\Http\Middleware\TrackSessionActivity::class, // alias: track.activity
\Mixu\SSOAuth\Http\Middleware\CheckRole::class, // alias: role
\Mixu\SSOAuth\Http\Middleware\CheckAccessArea::class, // alias: access_area
```
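The list above names the classes and their aliases but not the registration call itself. The `bootstrap/app.php` below is an added example, not code shipped by the package, showing how those aliases are declared with Laravel 11+'s `Middleware::alias()`. The routing file paths are the Laravel defaults and are assumptions about your application.

```php
<?php
// bootstrap/app.php (Laravel 11+) -- added example, not the package's own code.
// Declares the README's middleware aliases so that 'sso.auth', 'role:admin',
// 'access_area:portal' etc. resolve in Route::middleware([...]) calls.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
use Mixu\SSOAuth\Http\Middleware\CheckAccessArea;
use Mixu\SSOAuth\Http\Middleware\CheckRole;
use Mixu\SSOAuth\Http\Middleware\EnsureSSOAuthenticated;
use Mixu\SSOAuth\Http\Middleware\EnsureSSOSessionAlive;
use Mixu\SSOAuth\Http\Middleware\TrackSessionActivity;
use Mixu\SSOAuth\Http\Middleware\ValidateSessionIP;
use Mixu\SSOAuth\Http\Middleware\ValidateSessionUserAgent;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',        // assumed default path
        commands: __DIR__.'/../routes/console.php', // where a custom schedule would live
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Alias => class. The alias strings are the ones the README uses;
        // a misspelt alias here fails only at request time, so keep this
        // list in one place and cover it with a route test.
        $middleware->alias([
            'sso.auth'             => EnsureSSOAuthenticated::class,
            'sso.alive'            => EnsureSSOSessionAlive::class,
            'validate.session.ip'  => ValidateSessionIP::class,
            'validate.session.ua'  => ValidateSessionUserAgent::class,
            'track.activity'       => TrackSessionActivity::class,
            'role'                 => CheckRole::class,
            'access_area'          => CheckAccessArea::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })
    ->create();
```

On Laravel 10 the equivalent is the `$middlewareAliases` array in `app/Http/Kernel.php`. Because an alias typo is silent until a request hits the route, a feature test that asserts the middleware list of a protected route (for example via `Route::getRoutes()->getByName('dashboard')->gatherMiddleware()`) catches it early.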

📖 Usage
--------

### 1. Set Up Routes

The routes are registered automatically:

- `GET /login` - Redirect to the SSO login
- `GET /auth/callback` - Callback after login at the SSO
- `POST /logout` - Log the user out
- `POST /auth/sso/logout-callback` - Webhook for global logout

### 2. Protect Routes with Middleware

```
Route::middleware(['sso.auth', 'sso.alive', 'validate.session.ip'])->group(function () {
    Route::get('/dashboard', [DashboardController::class, 'index'])->name('dashboard');
});
```

### 3. Role & Area-Based Access Control

```
// Only admin and super_admin may access
Route::middleware(['role:admin,super_admin'])->group(function () {
    Route::get('/admin', ...);
});

// Only the portal area may access
Route::middleware(['access_area:portal'])->group(function () {
    Route::get('/portal', ...);
});
```

### 4. Using the Services in a Controller

```php
use Mixu\SSOAuth\Services\SSOAuthService;
use Mixu\SSOAuth\Services\SecurityMonitoringService;

class DashboardController extends Controller
{
    public function __construct(
        private SSOAuthService $sso,
        private SecurityMonitoringService $security
    ) {}

    public function index()
    {
        // Get the user and token from the session
        $user = auth()->user(); // or request()->session()->get('sso_user')

        // Check that the token is still valid
        if (!$this->sso->isTokenValid($user['access_token'])) {
            return redirect()->route('auth.login');
        }

        // Get security stats
        $stats = $this->security->getSecurityStats(30);

        return view('dashboard', compact('stats'));
    }
}
```

### 📆 Scheduling the Statistics Rebuild

The `security:stats` command recomputes the security statistics. The package registers it automatically through its service provider, so no code in `Kernel.php` is needed.

Make sure the application runs the scheduler every minute (cron):

```
* * * * * cd /path/to/project && php artisan schedule:run >> /dev/null 2>&1
```

If you want to control the schedule yourself, add the following snippet to the application's `routes/console.php`:

```php
use Illuminate\Support\Facades\Schedule;

Schedule::command('security:stats --days=7')
        ->hourly()
        ->withoutOverlapping();
```

### 5. Accessing User Data in the Session

```php
// In a controller
$user = request()->session()->get('sso_user');
echo $user['id'];       // User ID from the SSO
echo $user['name'];     // User name
echo $user['email'];    // User email
print_r($user['roles']);        // Array of roles
print_r($user['access_areas']); // Array of access areas

// In a Blade template
{{ Auth::guard('web')->user()?->name }}
// or
{{ session('sso_user.name') }}
```

🔐 Security Features
--------------------

### IP Binding & Session Hijacking Detection

The session is bound to the client IP address at login. If the IP changes, the session is destroyed automatically:

```
// Middleware: validate.session.ip
Route::middleware(['sso.auth', 'validate.session.ip'])->group(function () {
    // Routes in here are protected against session hijacking
});
```

### User-Agent Monitoring

User-Agent changes are logged but do not block the request (complementary to IP binding):

```
// Middleware: validate.session.ua
Route::middleware(['validate.session.ua'])->group(function () {
    // User-Agent changes are logged
});
```

### Activity Tracking

Every request from an authenticated user is recorded in the `session_activities` table:

```
// Middleware: track.activity
Route::middleware(['track.activity'])->group(function () {
    // All activity is recorded
});
```

### Security Event Logging

Logins, logouts, and anomalous events are recorded in the `security_events` table:

```
$this->security->logSecurityEvent([
    'event_type' => 'suspicious_activity',
    'sso_user_id' => $user['id'],
    'email' => $user['email'],
    'ip_address' => request()->ip(),
    'severity' => 'high',
    'details' => ['reason' => 'Multiple failed attempts'],
]);
```

### Anomaly Detection

Detect suspicious patterns:

```
$anomalies = $this->security->detectAnomalies($userId);
// [
//     ['type' => 'multiple_ips', 'message' => '...', 'severity' => 'high'],
//     ...
// ]
```

### Brute Force Detection

```
if ($this->security->checkBruteForceAttempts($ip, minutes: 15, threshold: 3)) {
    // Block login attempt
}
```

🔄 Global Logout Webhook
------------------------

When the user logs out at the SSO Server, the webhook automatically logs the user out of every application:

```
// Webhook endpoint (already auto-registered):
POST /auth/sso/logout-callback

// Required header:
X-SSO-Signature:

// Payload:
{
    "event": "global_logout",
    "user_id": 123,
    "email": "user@example.com"
}
```
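The page states that the callback carries an `X-SSO-Signature` header and that `SSO_WEBHOOK_SECRET` exists, but not how the two relate. The receiver below is an added example, not the package's own endpoint (which is already registered at `/auth/sso/logout-callback`; this one uses a different path so they do not collide). It assumes, since the page does not say, that the signature is a hex-encoded HMAC-SHA256 of the raw request body keyed with `SSO_WEBHOOK_SECRET`, that the application uses Laravel's database session driver, and that the `session_activities` table documented in the Database Tables section links `sso_user_id` to `session_id`.

```php
<?php
// Added example, not the package's own code: a hand-written receiver for the
// global-logout callback, to show the checks such an endpoint needs.
// ASSUMPTIONS (not stated on the page): signature = hex(HMAC-SHA256(raw body,
// SSO_WEBHOOK_SECRET)); Laravel database session driver; session_activities
// maps sso_user_id -> session_id.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;

Route::post('/example/sso/logout-callback', function (Request $request) {
    // The config key for the secret is not documented, so env() is read
    // directly here for illustration.
    $secret = (string) env('SSO_WEBHOOK_SECRET');
    if ($secret === '') {
        // Fail closed: an unsigned logout webhook could log users out at will.
        return response()->json(['error' => 'webhook secret not configured'], 503);
    }

    $body     = $request->getContent();
    $given    = (string) $request->header('X-SSO-Signature', '');
    $expected = hash_hmac('sha256', $body, $secret);

    // hash_equals() compares in constant time; a plain === would leak how
    // many leading bytes matched through response timing.
    if (!hash_equals($expected, $given)) {
        Log::warning('sso webhook: bad signature', ['ip' => $request->ip()]);
        return response()->json(['error' => 'invalid signature'], 401);
    }

    // Validate the payload shape only after the signature has been verified.
    $payload = json_decode($body, true);
    if (!is_array($payload)
        || ($payload['event'] ?? null) !== 'global_logout'
        || !is_int($payload['user_id'] ?? null)) {
        return response()->json(['error' => 'malformed payload'], 422);
    }

    // Revoke every local session ever seen for this SSO user.
    $sessionIds = DB::table('session_activities')
        ->where('sso_user_id', $payload['user_id'])
        ->distinct()
        ->pluck('session_id');
    $revoked = DB::table('sessions')->whereIn('id', $sessionIds)->delete();

    Log::info('sso webhook: global logout', [
        'user_id' => $payload['user_id'],
        'revoked' => $revoked,
    ]);

    return response()->json(['status' => 'ok', 'sessions_revoked' => $revoked]);
});
```

The SSO server posts without a Laravel CSRF token, so a route like this belongs in `routes/api.php` or must be excluded from CSRF validation with `$middleware->validateCsrfTokens(except: ['example/sso/*'])` in `bootstrap/app.php`. Rejecting requests when the secret is unset is the important design choice: a webhook that silently accepts unsigned logout events is a denial-of-service lever against your users.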

📊 Database Tables
------------------

### session\_activities

Audit trail for every user request:

- `id`, `sso_user_id`, `session_id`, `ip_address`
- `method`, `path`, `status_code`, `user_agent`
- `created_at`

### security\_events

Security events for monitoring:

- `id`, `event_type`, `sso_user_id`, `email`
- `ip_address`, `session_id`, `severity`
- `details` (JSON), `user_agent`, `created_at`

🛠️ API Reference
----------------

### SSOAuthService

```
// Generate the authorize URL
$url = $sso->getAuthorizeUrl($state);

// Generate the CSRF state
$state = $sso->generateState();

// Exchange the authorization code for tokens
$tokens = $sso->exchangeCodeForToken($code);

// Get user info from the SSO
$user = $sso->getUser($accessToken);

// Refresh the token
$tokens = $sso->refreshToken($refreshToken);

// Logout from the SSO
$result = $sso->logout($accessToken);

// Check token validity
$valid = $sso->isTokenValid($accessToken);

// Check if configured
$configured = $sso->isConfigured();

// Get last error
$error = $sso->getLastError();
```

### SecurityMonitoringService

```
// Check brute force attempts
$isBruteForce = $security->checkBruteForceAttempts($ip, $minutes, $threshold);

// Get IP mismatch patterns
$ips = $security->checkIPMismatchPatterns($userId, $minutes);

// Log security event
$security->logSecurityEvent($eventData);

// Detect anomalies
$anomalies = $security->detectAnomalies($userId);

// Get security statistics
$stats = $security->getSecurityStats($days);
```
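The Brute Force Detection and Security Event Logging sections above show single calls, and the API reference lists the methods in isolation. The controller below is an added example, not the package's own code (the package already registers `/login` and `/auth/callback`), composing those documented methods into one login flow: IP throttling before the redirect, a `state` check on the callback, and session regeneration after login. Assumptions not on the page: the session keys `sso_state` and `sso_user`, the `event_type` strings used here, and that `exchangeCodeForToken()` and `getUser()` return arrays with an `access_token` key in the former.

```php
<?php
// Added example, not the package's own code. Documented methods used:
// checkBruteForceAttempts(), logSecurityEvent(), generateState(),
// getAuthorizeUrl(), exchangeCodeForToken(), getUser(), getLastError().
// ASSUMPTIONS: session keys 'sso_state'/'sso_user'; the event_type values;
// array return shapes ($tokens['access_token']).

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Mixu\SSOAuth\Services\SSOAuthService;
use Mixu\SSOAuth\Services\SecurityMonitoringService;

class ExampleSsoLoginController extends Controller
{
    public function __construct(
        private SSOAuthService $sso,
        private SecurityMonitoringService $security,
    ) {}

    // Step 1: throttle by IP, then send the browser to the SSO server with a
    // fresh state value bound to this session.
    public function start(Request $request)
    {
        $ip = $request->ip();
        if ($this->security->checkBruteForceAttempts($ip, minutes: 15, threshold: 3)) {
            // Record the block so it appears in security_events and getSecurityStats().
            $this->security->logSecurityEvent([
                'event_type'  => 'brute_force_blocked',
                'sso_user_id' => null,
                'email'       => null,
                'ip_address'  => $ip,
                'severity'    => 'high',
                'details'     => ['window_minutes' => 15, 'threshold' => 3],
            ]);
            return response('Too many login attempts, try again later.', 429)
                ->header('Retry-After', '900');
        }

        $state = $this->sso->generateState();
        $request->session()->put('sso_state', $state);

        return redirect()->away($this->sso->getAuthorizeUrl($state));
    }

    // Step 2: the callback must present the same state before the code is
    // exchanged (login-CSRF defence); the session id is regenerated after
    // login so a pre-login id cannot have been fixed by an attacker.
    public function callback(Request $request)
    {
        $expected = (string) $request->session()->pull('sso_state', ''); // single use
        $given    = (string) $request->query('state', '');

        if ($expected === '' || !hash_equals($expected, $given)) {
            $this->security->logSecurityEvent([
                'event_type'  => 'invalid_oauth_state',
                'sso_user_id' => null,
                'email'       => null,
                'ip_address'  => $request->ip(),
                'severity'    => 'medium',
                'details'     => ['reason' => 'state missing or mismatched'],
            ]);
            abort(403, 'Invalid login state');
        }

        $tokens = $this->sso->exchangeCodeForToken((string) $request->query('code', ''));
        if (!$tokens || empty($tokens['access_token'])) {
            abort(502, 'Token exchange failed: ' . $this->sso->getLastError());
        }

        $user = $this->sso->getUser($tokens['access_token']);
        if (!$user) {
            abort(502, 'Could not load user: ' . $this->sso->getLastError());
        }

        // New session id for the authenticated state, then store the user
        // together with the token the README's DashboardController reads.
        $request->session()->regenerate();
        $request->session()->put('sso_user', array_merge(
            (array) $user,
            ['access_token' => $tokens['access_token']]
        ));

        return redirect()->intended('/dashboard');
    }
}
```

Two details carry the security weight: `pull()` makes the state single-use, so a replayed callback fails even if the first one succeeded, and `hash_equals()` keeps the comparison constant-time. The 429 path logs an event rather than only refusing, which is what makes the block visible in `getSecurityStats()` and `detectAnomalies()` afterwards.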

🧪 Testing
----------

```
// Unit test example
public function test_sso_login()
{
    $sso = app(SSOAuthService::class);

    $this->assertTrue($sso->isConfigured());

    $state = $sso->generateState();
    $this->assertNotEmpty($state);
}
```

🐛 Troubleshooting
------------------

### SSO Not Configured

**Error:** "SSO not configured. Set AUTH\_BASE\_URL..."

**Solution:** Make sure all environment variables in `.env` are set:

```
AUTH_BASE_URL=https://auth.example.com
AUTH_CLIENT_ID=your-id
AUTH_CLIENT_SECRET=your-secret
AUTH_REDIRECT_URI=http://yourapp.test/auth/callback
```

### Token Exchange Failed

**Error:** "Tukar authorization code ke access token gagal" (exchanging the authorization code for an access token failed)

**Solution:** Check that:

1. `AUTH_BASE_URL` is correct
2. `AUTH_CLIENT_ID` and `AUTH_CLIENT_SECRET` are correct
3. `AUTH_REDIRECT_URI` matches the one registered at the SSO Server
4. There is network connectivity to the SSO Server

### Session IP Mismatch

**Error:** "Your session was accessed from a different location"

**Solution:** The user is accessing from a different IP. This is normal when:

- A mobile user switches from Wi-Fi to cellular
- The user is behind a proxy/VPN whose address changes

If you need to relax this, disable the `validate.session.ip` middleware.

📝 License
----------

MIT License. See the LICENSE file for details.

🤝 Contributing
---------------

Contributions welcome! Please open an issue or pull request.

📧 Support
----------
