Adding OAuth 2.0 authentication to a RESTful API

I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle; however, from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 Authorization headers.

I then found some information about FOSOAuthServerBundle which enables an application to become its own OAuth 2.0 provider as well as providing the required security mechanisms to validate Authorization headers.

However, the problem is that I would like to integrate the OAuth 2.0 provider (authorisation server) in an external application (which contains the user base) and not include it within the API. Some mechanism would then be needed for performing the token verification against this external app via (another) RESTful API.

Points:

  • RESTful API requires OAuth 2.0 authentication.
  • OAuth 2.0 authorisation server to be situated in a separate application.

I feel I should use Implicit grant and call the authorization server on each request to validate that the token is correct.

Is my thinking correct?

Malachi asked Oct 10 '14 15:10



2 Answers

As far as I understand your requirement, you need to authenticate your APIs via an external OAuth Authorization Server:

  • The client needs to provide the access token retrieved in the above steps along with the request to access the protected resource. The access token will be sent in the Authorization header of the request.

  • The server will authenticate the request based on the token.

  • If the token is valid, the client gets access to the protected resource; otherwise access is denied.

Here is an example which might help you achieve your requirement: check this document.

Or, more simply, you can do it with Jersey and OAuth.

Also, you can check Apache Oltu and figure out a way to achieve your requirement.

ajitksharma answered Oct 03 '22 08:10
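The three steps in this answer, as an added example that is not part of the original post or of any of the libraries named here: a resource server (written in Python for illustration) that pulls the bearer token out of the Authorization header (RFC 6750), asks the external authorization server about it through a token-introspection call (RFC 7662), and then enforces expiry, audience and scope itself before serving the request. The introspection URL, the audience value, the scope names and the sample token records are assumptions; a constructed in-memory stand-in for the authorization server lets the block run offline, while `http_introspector` shows the real call.

```python
"""Resource-server side of bearer-token validation against an external
authorization server.  Added example, not code from the question or answers.
Endpoint shape follows RFC 7662; URLs, audience and scopes are assumptions."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

INTROSPECTION_URL = "https://auth.example.com/oauth/introspect"  # assumed
EXPECTED_AUDIENCE = "https://api.example.com"                     # assumed

Introspector = Callable[[str], Dict]


class AuthError(Exception):
    """A request that must be refused; carries the RFC 6750 section 3 error details."""
    def __init__(self, status: int, error: str, description: str):
        super().__init__(description)
        self.status, self.error, self.description = status, error, description

    def www_authenticate(self) -> str:
        return (f'Bearer realm="api", error="{self.error}", '
                f'error_description="{self.description}"')


def extract_bearer_token(headers: Dict[str, str]) -> str:
    """Parse 'Authorization: Bearer <token>' (RFC 6750 section 2.1); reject anything else."""
    value = headers.get("Authorization") or headers.get("authorization")
    if value is None:
        raise AuthError(401, "invalid_request", "missing Authorization header")
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise AuthError(401, "invalid_request", "malformed Authorization header")
    return parts[1]


def validate_token(token: str, introspect: Introspector, required_scope: str,
                   now: Optional[float] = None) -> Dict:
    """Ask the authorization server whether the token is live, then enforce the
    checks the resource server owns: expiry, audience and scope."""
    now = time.time() if now is None else now
    claims = introspect(token)
    if not claims.get("active"):          # unknown, revoked or otherwise dead
        raise AuthError(401, "invalid_token", "token is not active")
    exp = claims.get("exp")
    if exp is not None and exp <= now:    # AS should already report inactive; check anyway
        raise AuthError(401, "invalid_token", "token has expired")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError(401, "invalid_token", "token was not issued for this API")
    if required_scope not in set(claims.get("scope", "").split()):
        raise AuthError(403, "insufficient_scope", f"requires scope '{required_scope}'")
    return claims


def handle_request(headers: Dict[str, str], required_scope: str,
                   introspect: Introspector, now: Optional[float] = None) -> Tuple[int, Dict]:
    """Entry point a framework middleware would call; returns (status, headers-or-body)."""
    try:
        claims = validate_token(extract_bearer_token(headers), introspect, required_scope, now)
    except AuthError as e:
        return e.status, {"WWW-Authenticate": e.www_authenticate()}
    return 200, {"subject": claims.get("sub")}


def http_introspector(url: str, client_id: str, client_secret: str) -> Introspector:
    """Introspector that POSTs to a real RFC 7662 endpoint (not exercised offline).
    The resource server authenticates itself to the authorization server with
    its own client credentials; the token travels in the body, never the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

    def introspect(token: str) -> Dict:
        body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    return introspect


# Constructed stand-in for the external authorization server so the example
# runs offline; a real deployment uses http_introspector(INTROSPECTION_URL, ...).
FAKE_TOKENS = {
    "good":      {"active": True, "sub": "alice", "aud": EXPECTED_AUDIENCE,
                  "scope": "read write", "exp": 2_000_000_000},
    "stale":     {"active": True, "sub": "bob", "aud": EXPECTED_AUDIENCE,
                  "scope": "read", "exp": 1_000_000_000},
    "other-api": {"active": True, "sub": "carol", "aud": "https://other.example.com",
                  "scope": "read", "exp": 2_000_000_000},
    "readonly":  {"active": True, "sub": "dave", "aud": EXPECTED_AUDIENCE,
                  "scope": "read", "exp": 2_000_000_000},
}


def fake_introspector(token: str) -> Dict:
    # RFC 7662 section 2.2: for an unknown or revoked token the server says only {"active": false}.
    return FAKE_TOKENS.get(token, {"active": False})
```

Calling `handle_request({"Authorization": "Bearer good"}, "write", fake_introspector, now=1_500_000_000)` returns 200; the stale, wrong-audience, unknown and missing-header cases return 401 with a `WWW-Authenticate` header naming the error, and a token that lacks the scope returns 403. Introspection works whichever grant the client used to obtain the token, so the resource server does not need to know or care about that. Because every request costs a round trip to the authorization server, resource servers commonly cache an introspection result for a short time (well under the token lifetime); that trades a little revocation latency for load, and the cache must key on the full token value.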


A lot of the big companies like Google, Facebook etc. have a separate authorization server from the API server. Check out Google's OAuth authorization flow: Google OAuth Authorization.

You can also check Google's OAuth Documentation for the details.

So all you would need to do is implement an OAuth provider so that you can authorize against that provider. There's a list of libraries available on the OAuth website: http://oauth.net/code. You can specifically look here; there is an example for running an OAuth Service Provider in Java.

java_geek answered Oct 03 '22 06:10