Authentication for a Symfony2 api (for mobile app use)

api authentication authorization symfony mobile-application

16,783

Solution 1

I think you should do it stateless (without cookie).

I had the same problem, what i did:

in your app/config/security.yml, add:

security:
    ...
    firewalls:
        rest_webservice:
            pattern: /webservice/rest/.*
            stateless: true
            http_basic:
                provider: provider_name
    ...

Now you can make a request to your webservice:

class AuthTest extends WebTestCase 
{
    public function testAuthenticatedWithWebservice() 
    {
        $client = $this->createClient();

        // not authenticated
        $client->request('GET', '/webservice/rest/url');
        $this->assertEquals(401, $client->getResponse()->getStatusCode());

        // authenticated
        $client->request('GET', '/webservice/rest/url', array(), array(), array(
            'PHP_AUTH_USER' => 'username', 
            'PHP_AUTH_PW' => 'password'
        ));
        $this->assertEquals(200, $client->getResponse()->getStatusCode());
    }
}

Solution 2

Here you are, How to create a custom Authentication Provider awesome article.

To Authentication to a Symfony2 application through api, you need use: WS-Security

Solution 3

Yes Marc, jules is pointing to an example just to show you how to test authentication with http_basic.

To be RESTful you should avoid using cookies, otherwise just call it an API. About how secure is your authentication system you can go with http_digest over https or more secure signed request with api_key/api_secret approach.

Have a look here http://wiki.zanox.com/en/RESTful_API_authentication

16,783

Author by

Marc

Updated on June 05, 2022

Comments

Marc almost 2 years
I've developed a REST api for my Symfony2 application. This api will be used by a mobile app. Much of the functionality is done in the context of the currently authenticated user, ie:
```
$this->container->get('security.context')->getToken()->getUser()
```
I'm hoping that the mobile app will be able to post to the login action just like a traditional web form. If the credentials check out then Symfony2 does it's thing and sets a cookie (does this even work in the context of a mobile app accessing an api?). Then later api requests from that mobile phone will (hopefully) work with the native symfony2 security.context service container.

Would this work? I need to figure out this authorization process before I take the API to the mobile developers. If possible I'd obviously like to be able to use the native security.context service instead of building out a new auth system for the api that uses xAuth or something similar.

Thanks
Marc almost 13 years

Hmm interesting. I'm not quite sure I follow everything here. Could you walk through a full example case? ie user foo provides their username/password to the mobile app. The app then includes that username and password with every request to the API? In plaintext? Is that secure? Sorry if I'm misunderstanding something here!
julesbou almost 13 years

As dondlero said you have to disabled cookies, that's why i add stateless parameter to true. Personnaly i don't like digest authentication because it's very hard to implement. Http basic method is easy and works fine. username and password are visible in every request. You have to use a SSL certificat.
Adam Monsen about 12 years

Strange, I'm still receiving Set-Cookie headers even after setting stateless: true. Any idea why that might happen?
Owen Beresford over 9 years

@AdamMonsen, late response, did you rebuild your caches?
Adam Monsen over 9 years

@OwenBeresford better late than never! I don't recall, but I probably did. I think I usually tried that when I used to do Symfony2 dev.