Securing a REST API written in PHP with OAuth2 client credentials flow


Heidar,

I am currently working on a similar project and this is what I found so far.

OAuth is officially meant to authorize a website with another resource on the web. Facebook found the whole separation of authorization and authentication too confusing for its developer base, and started using OAuth for both. Since it is a major player, developers have been tagging along.

I am not really sure what you mean by the identity part in your statement that you need "identity, authentication and authorisation."

You can use OAuth for the other two, deduced from the fact that all big internet companies do so (best I can do for you on this front; the OAuth docs say it is only for authorization).

Google offers a client library that is maintained quite well: http://code.google.com/p/google-api-php-client/wiki/OAuth2

Furthermore, for a server-side library I would turn to oauth2-php as you refer to, at https://github.com/quizlet/oauth2-php. But please see this post for more details: Are there OAuth 2 server side PHP or Java implementations?

And on the part of the 3-legged authentication, please see the answer here (it's really extensive but explains it well): OAuth 2.0: Benefits and use cases — why?

Please keep in mind though that I am still struggling with actually implementing this.
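The client credentials grant that the question asks about, as an added example (not code from the question, the answer or the oauth2-php project): a minimal token endpoint plus bearer-token check in plain PHP. `demo-client`, `issueToken` and `authenticateBearer` are assumed names; credentials are read from the POST body, one of the two ways RFC 6749 lets a client authenticate to the token endpoint.

```php
<?php
// Added example, not from the question or answers: a minimal OAuth2
// client credentials grant (RFC 6749 section 4.4) for a PHP REST API.
// The client registry and token store are in-memory arrays here.
declare(strict_types=1);

// Constructed client registry: the secret is stored hashed, never in clear.
$clients = [
    'demo-client' => ['secret_hash' => password_hash('demo-secret', PASSWORD_DEFAULT)],
];
$tokens = []; // access_token => ['client_id' => ..., 'expires_at' => unix time]

/** POST /token handler: returns [HTTP status, response body]. */
function issueToken(array $post, array $clients, array &$tokens, int $ttl = 3600): array
{
    if (($post['grant_type'] ?? '') !== 'client_credentials') {
        return [400, ['error' => 'unsupported_grant_type']];
    }
    $id = (string) ($post['client_id'] ?? '');
    $secret = (string) ($post['client_secret'] ?? '');
    // Same error for unknown client and wrong secret, so ids cannot be enumerated.
    if (!isset($clients[$id]) || !password_verify($secret, $clients[$id]['secret_hash'])) {
        return [401, ['error' => 'invalid_client']];
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $tokens[$token] = ['client_id' => $id, 'expires_at' => time() + $ttl];
    return [200, ['access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => $ttl]];
}

/** Resource-side check of the Authorization header; returns client_id or null. */
function authenticateBearer(string $authHeader, array &$tokens): ?string
{
    if (!preg_match('/^Bearer\s+([0-9a-f]{64})$/', $authHeader, $m)) {
        return null;
    }
    $entry = $tokens[$m[1]] ?? null;
    if ($entry === null || $entry['expires_at'] <= time()) {
        unset($tokens[$m[1]]); // unknown or expired: reject (and drop if expired)
        return null;
    }
    return $entry['client_id'];
}

// CLI demo: a good request, the protected call with its token, then a bad secret.
$req = ['grant_type' => 'client_credentials', 'client_id' => 'demo-client', 'client_secret' => 'demo-secret'];
[$status, $body] = issueToken($req, $clients, $tokens);
echo "token endpoint: $status " . json_encode($body) . "\n";
echo "resource request as: " . (authenticateBearer('Bearer ' . $body['access_token'], $tokens) ?? 'nobody') . "\n";
[$status, $body] = issueToken(['client_secret' => 'wrong'] + $req, $clients, $tokens);
echo "bad secret: $status " . json_encode($body) . "\n";
```

Because the client secret is presented only once, to the token endpoint, and a short-lived random token is used for every resource call, the resource routes never handle the secret itself, which is the exposure the commenters worry about with a plain key+secret scheme.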

Author by Admin

Updated on June 09, 2022

Comments

  • Admin
    Admin almost 2 years

    I am writing a REST API in PHP using Symfony2. This API is intended to be used by individual websites to access data and this will be done by a client side library.

    I need to secure the API however and this is proving to be a bit confusing. I have done some research and as far as I can tell, a good way seems to be to use OAuth2 with the client credentials flow (see RFC draft). I have to admit, I am still fuzzy on the details of how exactly this works but I keep reading that it is so simple. I suppose my first question is: Is this the way to go or have I gone off in the wrong direction? Should I use some other method for authenticating clients? Please bear in mind that I need identity, authentication and authorisation.

    If yes, and OAuth2 using client credentials is the way to go, then I ask: What is the best way of accomplishing this in PHP? Has anyone actually done this? So far I have been trying to use oauth2-php along with a bundle without too much luck. That bundle seems to focus on 3-legged authentication, although I am not quite sure. I was wondering if the best course of action would be to do it manually using the oauth2-php package perhaps?

    I would greatly appreciate any information on this. Thanks in advance!

  • Admin
    Admin almost 12 years
    Hi Willem, thanks for the reply. We decided not to go with OAuth2 in the end; it was not worth the trouble for us. Now, after seeing what is happening with the development of the standard, I think it's good that we didn't go with it. We will use a simple key+secret authentication for now to get the API out of the door, and once we can we will probably implement OAuth1 or something a bit more sophisticated than just key+secret, since it leaves us open to some security issues. How did you get on with OAuth2 in the end?
  • Willem de Vries
    Willem de Vries almost 12 years
    Hi Heidar, thanks for asking. Well, here things are not going so well either ;-) I have OAuth 2 implemented in PHP through this OAuth2-php, yet we have not had time to actually implement it in our REST framework. Yet there is no doubt about the necessity of OAuth2 (I seriously wouldn't go for OAuth 1a; 2 will be the standard and it is widely accepted and implemented already). If you implement something, best implement it well ;-) right? Good luck!