I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle, however from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 <code>Authorization</code> headers. I then found some information about FOSOAuthServerBundle which enables an application to become it's own OAuth 2.0 provider as well as providing the required security mechanisms to validate <code>Authorization</code> headers. However the problem is that I would like integrate the OAuth 2.0 provider (authorisation server) in an external application (which contains the user base) and not include it within the API. Which will provide some mechanism for performing the token verification against this external app via (another) RESTful API. Points: <ul> <li>RESTful API requires OAuth 2.0 authentication.</li> <li>OAuth 2.0 authorisation server to be situated in a separate application.</li> </ul> I feel I should use Implicit grant and call the authorization server on each request to validate that the token is correct. <img src="https://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgSW1wbGljaXQgR3JhbnQKClVzZXItPkZvcnVtOiBHRVQgdG9rZW4AEQYADwlBY2NlcHRzIGcALwUAKAUtPlVzZXI6IE9BdXRoIFRva2Vu&s=napkin" alt=""> <img src="https://www.websequencediagrams.com/cgi-bin/cdraw?lz=dGl0bGUgQXV0aGVudGljYXRlZCByZXF1ZXN0CgpVc2VyLT5IdWI6IFBPU1QgL2RlYWwvY291cG9uICsgT0F1dGggVG9rZW4KSHViLT5Gb3J1bTogdmFsaWRhdGUgdAAWBQARBQBABwANBSBWYWxpZAAmDQBOEQApDVN1Y2Nlc3MAXwZVc2VyAAoJ&s=napkin" alt=""> Is my thinking correct?

As far as I undesratnd your requirement, you require to authenticate your APIs via external OAuth Authorization Server: <ul> <li>Client needs to provide the access token retrieved in the above steps along with the request to access the protected resource. Access token will be sent as an authorization parameter in the request header.</li> <li>Server will authenticate the request based on the token.</li> <li>If token is valid then client will get an access to protected resource otherwise access is denied.</li> </ul> here is an example which might help you to achieve your requirement. Check this document . Or simply, you can do with Jersey and Oauth Also, you can check Apache Oltu and figure out the way to achieve your requirement.

A lot of the big companies like Google, Facebook etc have a separate authorization server from the API server. Check out Google's OAuth authorization flow below <img src="https://i.stack.imgur.com/iGo69.png" alt="Google OAuth Authorization"> You can also check Google's OAuth Documentation for the details. So all you would need to do is implement a OAuth Provider so that you can authorize against that provider. There's a list of libraries available on the OAuth website: http://oauth.net/code. You can specifically look here; there is an example for running an OAuth Service Provider in Java.

Adding OAuth 2.0 authentication to a RESTful API

I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle, however from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 Authorization headers.

I then found some information about FOSOAuthServerBundle which enables an application to become it's own OAuth 2.0 provider as well as providing the required security mechanisms to validate Authorization headers.

However the problem is that I would like integrate the OAuth 2.0 provider (authorisation server) in an external application (which contains the user base) and not include it within the API. Which will provide some mechanism for performing the token verification against this external app via (another) RESTful API.

Points:

RESTful API requires OAuth 2.0 authentication.
OAuth 2.0 authorisation server to be situated in a separate application.

I feel I should use Implicit grant and call the authorization server on each request to validate that the token is correct.

Is my thinking correct?

Can OAuth be used for REST API?

OAuth is an authorization framework that enables an application or service to obtain limited access to a protected HTTP resource. To use REST APIs with OAuth in Oracle Integration, you need to register your Oracle Integration instance as a trusted application in Oracle Identity Cloud Service.

As far as I undesratnd your requirement, you require to authenticate your APIs via external OAuth Authorization Server:

Client needs to provide the access token retrieved in the above steps along with the request to access the protected resource. Access token will be sent as an authorization parameter in the request header.
Server will authenticate the request based on the token.
If token is valid then client will get an access to protected resource otherwise access is denied.

here is an example which might help you to achieve your requirement. Check this document .

Or simply, you can do with Jersey and Oauth

Also, you can check Apache Oltu and figure out the way to achieve your requirement.

A lot of the big companies like Google, Facebook etc have a separate authorization server from the API server. Check out Google's OAuth authorization flow below Google OAuth Authorization

You can also check Google's OAuth Documentation for the details.

So all you would need to do is implement a OAuth Provider so that you can authorize against that provider. There's a list of libraries available on the OAuth website: http://oauth.net/code. You can specifically look here; there is an example for running an OAuth Service Provider in Java.

Adding OAuth 2.0 authentication to a RESTful API

Tags:

rest

oauth-2.0

symfony

api

Malachi

People also ask

2 Answers

ajitksharma

java_geek

Recent Activity

Donate For Us

Adding OAuth 2.0 authentication to a RESTful API

Tags:

rest

oauth-2.0

symfony

api

Malachi

People also ask

2 Answers

ajitksharma

java_geek

Related questions

Recent Activity

Donate For Us