Synology SSO Server - Manage authorization and access services from the site

Some time ago I was faced with the task of giving up third-party cloud services in order to protect my clients' commercial secrets.

The first and most logical step is to give them access to the Synology NAS that is already available.

Then came the wish to do it nicely: not with a separate username and password, but with the credentials already issued earlier for the personal account on the site. A seamless transition from the personal account to the Synology services is exactly what is needed.

Description and script under the cut.

For further work, we need an installed LDAP Server and SSO Server.

SSO Server is Synology's proprietary OAuth 2.0 implementation.

We configure LDAP, create the desired user and grant him access rights to the services.

Then the PHP script I wrote, which we install on the site, comes into play. It is not big and is available on GitHub.

Using it is simple: download it and place it in the /my folder on the site.

In config.php you need to replace the following values with your own:

config.php
<?php

define('APP_ID', 'a8d0f0835eda3517f3e8fd70c10500e7');       // application ID issued by SSO Server
define('SSO_HOST', 'https://DSM:5001');                      // address of the Synology DSM
define('LOCAL_HOST', 'https://yourwebsite.ru');              // address of this site
define('REDIRECT_URI', 'https://yourwebsite.ru/my/SSO_Oauth.php'); // where SSO Server sends the user back to

?>

  • APP_ID - you will get it in the next step, when registering with SSO Server
  • SSO_HOST is the host address for accessing Synology
  • LOCAL_HOST - the address of the site on which the script is located
  • REDIRECT_URI - the address where the SSO_Oauth.php script is available


In index.php (at the place indicated) add any further logic or redirects to run after the user has successfully logged in.

index.php
<?php
session_start();

include_once('config.php');

// Not logged in yet: send the user to the SSO Server, which returns him to REDIRECT_URI
if (!isset($_SESSION['user_id'])) {
  header('Location: '.SSO_HOST.'/webman/sso/SSOOauth.cgi?app_id='.APP_ID.'&scope=user_id&redirect_uri='.urlencode(REDIRECT_URI));
  exit(); // without this the rest of the page is still sent after the redirect header
}

if (isset($_GET['logout'])) {
  unset($_SESSION['user_id']);
  header('Location: '.LOCAL_HOST);
  exit();
}

// here we can do something after login
echo 'User ID: '.htmlspecialchars($_SESSION['user_id']).' logged in';

?>

Well, the request processing script itself:

SSO_Oauth.php
<?php
session_start();

include_once('config.php');

if (isset($_GET['access_token'])) {
  $access_token = $_GET['access_token'];
  // Ask the SSO Server to confirm the token; the user_id is taken from its answer, never from the client
  $resp = file_get_contents(SSO_HOST.'/webman/sso/SSOAccessToken.cgi?action=exchange&access_token='.urlencode($access_token).'&app_id='.APP_ID);
  $json_resp = ($resp !== false) ? json_decode($resp, true) : null;

  if (isset($json_resp['success']) && $json_resp['success'] === true && !empty($json_resp['data']['user_id'])) {
    session_regenerate_id(true); // fresh session ID on login, so a pre-set ID cannot be reused
    $_SESSION['user_id'] = $json_resp['data']['user_id'];
    header('Location: '.LOCAL_HOST.'/my/');
  } else {
    http_response_code(403);
    echo 'SSO login failed';
  }
  exit();
}

?>

<html>
<body>
  <script>
    // The SSO Server returns the token in the URL fragment (#access_token=...), which the
    // browser never sends to PHP, so hand it over to the same script as a query string
    var get = window.location.hash.substring(1);
    if (get) {
      window.location.href = "<?=REDIRECT_URI?>?" + get;
    }
  </script>
</body>
</html>

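The exchange step in SSO_Oauth.php deserves the most care, since the user_id the site will trust comes from that answer. Below is an added example, not part of the post's script or the GitHub project, of a stricter version of that step: the call to SSOAccessToken.cgi is made with TLS verification and timeouts, the answer is checked strictly, and constructed sample answers let you try the check without a DSM at hand. It assumes the config.php constants above and the same JSON shape the script above expects ({"success":true,"data":{"user_id":...}}).

```php
<?php
// Added example, not from the original post: a stricter token exchange for SSO_Oauth.php.
// Assumes the config.php constants and the JSON shape shown above: {"success":true,"data":{"user_id":...}}.
if (!defined('SSO_HOST')) { define('SSO_HOST', 'https://DSM:5001'); define('APP_ID', 'APP_ID_PLACEHOLDER'); }
// Pure check of the exchange answer: returns the user_id, or null if anything is off.
function sso_user_id_from_response(?string $body): ?string {
    $json = ($body === null) ? null : json_decode($body, true);
    if (!is_array($json) || ($json['success'] ?? false) !== true) {
        return null;                      // rejected by the SSO Server, or not JSON at all
    }
    $uid = $json['data']['user_id'] ?? null;
    // user_id is opaque to us; accept only a short printable string rather than trusting its shape blindly
    if (!is_string($uid) || $uid === '' || strlen($uid) > 128 || !ctype_print($uid)) {
        return null;
    }
    return $uid;
}

// Network step: ask the SSO Server to confirm the token. TLS is verified, the call
// cannot hang the login page, and anything but HTTP 200 counts as failure.
function sso_exchange(string $access_token): ?string {
    $url = SSO_HOST.'/webman/sso/SSOAccessToken.cgi?'.http_build_query([
        'action' => 'exchange', 'access_token' => $access_token, 'app_id' => APP_ID,
    ]);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // DSM must present a certificate this PHP trusts
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200) ? $body : null;
}

// Constructed sample answers, so the validator can be exercised without a DSM at hand.
$cases = [
    ['{"success":true,"data":{"user_id":"alice"}}',   'alice'],
    ['{"success":false}',                             null],   // token not accepted
    ['{"success":"true","data":{"user_id":"alice"}}', null],   // success must be a real boolean
    ['{"success":true,"data":{"user_id":""}}',        null],   // empty id is not a login
    ['not json at all',                               null],
];
foreach ($cases as [$body, $expected]) {
    if (sso_user_id_from_response($body) !== $expected) { throw new RuntimeException("check failed for: $body"); }
}
echo "all checks passed\n";
```

In SSO_Oauth.php the two functions replace the file_get_contents() line and the if check: `$uid = sso_user_id_from_response(sso_exchange($_GET['access_token']));`, and only a non-null $uid is written into the session.
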
Next, you need to link authorization on the site to the SSO Server. This is quite simple: open SSO Server > Application List > Add, then enter the name and the URI of the SSO_Oauth.php script. After clicking "OK", the application ID is generated. Copy it and put it into config.php as APP_ID.

As a result, if a user is authorized on your site through SSO, then when he clicks a link to any of the Synology services he has access to in LDAP, he will not have to log in again. The same holds in the opposite direction: if he is authorized in your cloud, the personal account on the site is also available to him.

The implementation turned out to be not so simple. I found only one guide to this API online, the Synology SSO API Guide, but there everything is done on the client side via AJAX, for some reason it did not detect that the user was already authorized, and it also worked very slowly. So I had to find my own solution, which in the end turned out to be much shorter and simpler.

I would be glad if it is useful to someone else.


