Authentication for a Symfony2 api (for mobile app use)
Solution 1
I think you should do it stateless (without cookie).
I had the same problem; here is what I did:
- in your app/config/security.yml, add:
security:
    ...
    firewalls:
        rest_webservice:
            pattern: /webservice/rest/.*
            stateless: true
            http_basic:
                provider: provider_name
    ...
- Now you can make a request to your webservice:
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

class AuthTest extends WebTestCase
{
    public function testAuthenticatedWithWebservice()
    {
        $client = $this->createClient();

        // not authenticated: the stateless http_basic firewall answers 401
        $client->request('GET', '/webservice/rest/url');
        $this->assertEquals(401, $client->getResponse()->getStatusCode());

        // authenticated: credentials are passed as server variables, no cookie involved
        $client->request('GET', '/webservice/rest/url', array(), array(), array(
            'PHP_AUTH_USER' => 'username',
            'PHP_AUTH_PW'   => 'password',
        ));
        $this->assertEquals(200, $client->getResponse()->getStatusCode());
    }
}
Solution 2
Here you are, an awesome article: How to create a custom Authentication Provider.
To authenticate to a Symfony2 application through an API, you need to use WS-Security.
Solution 3
Yes Marc, jules is pointing to an example just to show you how to test authentication with http_basic.
To be RESTful you should avoid using cookies; otherwise just call it an API. As for how secure your authentication system is, you can go with http_digest over HTTPS or, more securely, a signed-request approach with api_key/api_secret.
Have a look here http://wiki.zanox.com/en/RESTful_API_authentication
Marc
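A signed-request scheme of the api_key/api_secret kind mentioned in Solution 3, written as an added example in plain PHP that is not part of the original answers or of Symfony; the header names, the lookupSecret() store and the 300-second skew window are assumptions made for illustration:

```php
<?php
// Added example (not from the original answers): minimal signed-request check.
// X-Api-Key, X-Timestamp, X-Signature and lookupSecret() are assumed names;
// a real application would load secrets from its user store, not a literal.
const MAX_CLOCK_SKEW = 300; // seconds; limits replay of a captured request

/** Constructed sample key store: api_key => api_secret. */
function lookupSecret(string $apiKey): ?string
{
    $keys = ['mobile-app-1' => 'constructed-secret-do-not-reuse'];
    return $keys[$apiKey] ?? null;
}
/** Canonical string both sides sign: method, path, timestamp and body hash. */
function canonicalString(string $method, string $path, int $ts, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string) $ts, hash('sha256', $body)]);
}
/** Client side: compute the value sent in X-Signature. */
function signRequest(string $secret, string $method, string $path, int $ts, string $body): string
{
    return hash_hmac('sha256', canonicalString($method, $path, $ts, $body), $secret);
}

/** Server side: returns the api_key on success, null on any failure. */
function verifyRequest(array $headers, string $method, string $path, string $body, int $now): ?string
{
    $apiKey = $headers['X-Api-Key'] ?? '';
    $ts     = (int) ($headers['X-Timestamp'] ?? 0);
    $sig    = $headers['X-Signature'] ?? '';
    $secret = lookupSecret($apiKey);
    if ($secret === null || abs($now - $ts) > MAX_CLOCK_SKEW) {
        return null; // unknown key, or stale/replayed timestamp
    }
    $expected = signRequest($secret, $method, $path, $ts, $body);
    // hash_equals avoids leaking the expected signature through timing differences
    return hash_equals($expected, $sig) ? $apiKey : null;
}

// Usage: the mobile client signs, the API verifies; the secret itself never travels.
$now  = time();
$body = '{"item":"constructed sample"}';
$headers = [
    'X-Api-Key'   => 'mobile-app-1',
    'X-Timestamp' => (string) $now,
    'X-Signature' => signRequest('constructed-secret-do-not-reuse', 'POST', '/webservice/rest/url', $now, $body),
];
var_dump(verifyRequest($headers, 'POST', '/webservice/rest/url', $body, $now));        // accepted
var_dump(verifyRequest($headers, 'POST', '/webservice/rest/url', $body . 'x', $now));  // rejected: body tampered
```

Unlike http_basic, a captured request reveals only a signature bound to one method, path, body and time window rather than a reusable password, which is why the answer calls this the more secure option; TLS is still needed to protect the request contents themselves.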
Updated on June 05, 2022
Comments
-
Marc almost 2 years
I've developed a REST api for my Symfony2 application. This api will be used by a mobile app. Much of the functionality is done in the context of the currently authenticated user, ie:
$this->container->get('security.context')->getToken()->getUser()
I'm hoping that the mobile app will be able to post to the login action just like a traditional web form. If the credentials check out then Symfony2 does its thing and sets a cookie (does this even work in the context of a mobile app accessing an api?). Then later api requests from that mobile phone will (hopefully) work with the native symfony2 security.context service container.
Would this work? I need to figure out this authorization process before I take the API to the mobile developers. If possible I'd obviously like to be able to use the native security.context service instead of building out a new auth system for the api that uses xAuth or something similar.
Thanks
-
Marc almost 13 years
Hmm interesting. I'm not quite sure I follow everything here. Could you walk through a full example case? I.e. user foo provides their username/password to the mobile app. The app then includes that username and password with every request to the API? In plaintext? Is that secure? Sorry if I'm misunderstanding something here!
-
julesbou almost 13 years
As dondlero said, you have to disable cookies; that's why I set the stateless parameter to true. Personally I don't like digest authentication because it's very hard to implement. The HTTP basic method is easy and works fine. Username and password are visible in every request, so you have to use an SSL certificate.
-
Adam Monsen about 12 years
Strange, I'm still receiving Set-Cookie headers even after setting stateless: true. Any idea why that might happen?
-
Owen Beresford over 9 years
@AdamMonsen, late response, did you rebuild your caches?
-
Adam Monsen over 9 years
@OwenBeresford better late than never! I don't recall, but I probably did. I think I usually tried that when I used to do Symfony2 dev.