 

API Client Secret with REST Using Slim Framework

Tags: rest, php, slim

I have a simple REST API (using the Slim framework) set up where the user can call a page like this:

subdomain.domain.com/api/musician/id/3273

to retrieve and display some simple JSON data.

I want to add some authentication to this so that only users with some kind of client ID (at the minimum) can access this data. I'd like the user to be able to pass in their client secret/id information in the URL, but I want to pull this off without butchering the REST structure too much.

Is there a certain framework or library that would be particularly effective for achieving this?

user1427661 asked Apr 07 '13 05:04


4 Answers

I, too, had this issue for a while; I also have a question without an answer regarding this very topic (here on SO).

Basically your choices are OAuth or something custom.

Now, for OAuth, they are working on version 2.0 and you shouldn't start a new project using OAuth 1, but the thing is that OAuth2 is far from being finished and there is little support for an OAuth2 server for PHP right now. I don't want to say that OAuth2 2-legged/3-legged is complex, but it is more than it should be, and also, after reading a lot of posts regarding this, I decided that for now I should go with something else, not OAuth (also, one of the OAuth creators left the project because he wasn't satisfied with the direction the project is going), because it is in an "undecided" state (of course people will argue that it is pretty much ready for use, but I don't care, I want something already proven; I don't want to be a lab rat for huge companies to test OAuth [yes, OAuth serves huge companies' interests, not yours]).

Anyway, going back to my issue, I always liked the way Amazon works with their API; it's so simple to implement, so why not go in the same direction? I mean, Amazon is one of the biggest API providers out there; if they use it, they have a real reason to do so.
Said and done: in less than 2 hours I had my authentication/authorization protocol up and running, and guess what, it was easy, simple and I enjoyed writing it (and didn't get frustrated because of OAuth). A good article that helped me start was this: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/ which basically explains what you have to do.

So, if I were you, I would start from there :)

Twisted1919 answered Oct 07 '22 05:10


If your API clients are not acting "on behalf of" your users then OAuth is overkill in my opinion.

A standard API key that you can issue will work. You can add a request signature if needed too.

Some Slim examples: here and here

Shane O'Grady answered Oct 07 '22 03:10
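The Amazon-style signing scheme Twisted1919 describes, and the "API key plus request signature" Shane O'Grady suggests, are the same idea: the client holds a client id and a shared secret, sends the id in the clear, and proves possession of the secret with an HMAC over the request. The secret itself never travels in the URL, which also answers the question's worry about putting it in the URL: only the signature does. Below is an added, framework-agnostic example in plain PHP (it is not code from either answer, from the linked article, or from Slim); the client id, the secret, the header names and the 5-minute clock-skew window are assumptions. It runs from the command line with `php` 7.1 or later.

```php
<?php
// Added example: HMAC-signed requests for a JSON API in the style the answers
// above describe. Not from the original answers, the linked article or Slim.
// Assumed key store, header names and skew window are illustrative only.
declare(strict_types=1);

// Assumed server-side key store: client id => shared secret (never sent over the wire).
const CLIENT_SECRETS = [
    'client-abc' => 'e7d3f1a9b2c4d6e8f0a1b2c3d4e5f6a7',
];
const MAX_SKEW_SECONDS = 300; // reject requests whose timestamp drifts more than 5 minutes

// The canonical string commits to everything the server must not let an attacker alter:
// method, path, query string, timestamp and client id, joined with newlines.
function canonicalString(string $method, string $path, string $query, string $timestamp, string $clientId): string
{
    return implode("\n", [strtoupper($method), $path, $query, $timestamp, $clientId]);
}

// Client side: compute the signature and return the headers to attach to the request.
function signRequest(string $method, string $path, string $query, string $clientId, string $secret, int $now): array
{
    $timestamp = (string) $now;
    $signature = hash_hmac('sha256', canonicalString($method, $path, $query, $timestamp, $clientId), $secret);
    return [
        'X-Client-Id' => $clientId,
        'X-Timestamp' => $timestamp,
        'X-Signature' => $signature,
    ];
}

// Server side: returns the authenticated client id, or null if the request must be rejected.
// In Slim this would run in a middleware or at the top of the route before building the JSON.
function verifyRequest(string $method, string $path, string $query, array $headers, int $now): ?string
{
    $clientId  = $headers['X-Client-Id'] ?? '';
    $timestamp = $headers['X-Timestamp'] ?? '';
    $provided  = $headers['X-Signature'] ?? '';

    if (!isset(CLIENT_SECRETS[$clientId])) {
        return null; // unknown client id
    }
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > MAX_SKEW_SECONDS) {
        return null; // stale or malformed timestamp: bounds the replay window
    }
    $expected = hash_hmac(
        'sha256',
        canonicalString($method, $path, $query, $timestamp, $clientId),
        CLIENT_SECRETS[$clientId]
    );
    // Constant-time comparison so the signature cannot be recovered byte by byte via timing.
    return hash_equals($expected, $provided) ? $clientId : null;
}

// Demonstration with constructed requests.
$now     = time();
$headers = signRequest('GET', '/api/musician/id/3273', '', 'client-abc', CLIENT_SECRETS['client-abc'], $now);

var_dump(verifyRequest('GET', '/api/musician/id/3273', '', $headers, $now));        // string "client-abc"
var_dump(verifyRequest('GET', '/api/musician/id/9999', '', $headers, $now));        // NULL: path changed, signature no longer matches
var_dump(verifyRequest('GET', '/api/musician/id/3273', '', $headers, $now + 600));  // NULL: replayed outside the skew window
```

Two practitioner notes: the timestamp check only narrows replay to the skew window, so a request that must not be replayed at all needs a nonce the server remembers for that window; and the canonical string must cover the request body (or a hash of it) as soon as the API accepts POST/PUT, otherwise an attacker can swap the body under a valid signature.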


Maybe this can be useful: slim HttpBasicAuth

You can use HTTP basic auth per request to validate that the user who makes the request is a valid user.

Yago Riveiro answered Oct 07 '22 03:10
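What the per-request Basic auth check in this answer amounts to, as an added example in plain PHP (this is not the slim HttpBasicAuth middleware the answer links, nor code from the answer): parse the `Authorization: Basic` header, look the user up in a store of bcrypt hashes, and verify with `password_verify`. The user store and the credentials are constructed for the demo.

```php
<?php
// Added example: minimal HTTP Basic authentication check of the kind a Slim
// route or middleware would call before serving JSON. Not the linked
// HttpBasicAuth middleware. User store and credentials are constructed.
declare(strict_types=1);

// Assumed store of bcrypt hashes keyed by username; never store plaintext passwords.
// '__dummy__' is a throwaway hash verified against when the user is unknown, so a
// missing user costs the same time as a wrong password and does not leak valid usernames.
function userStore(): array
{
    static $store = null;
    if ($store === null) {
        $store = [
            'alice'     => password_hash('correct horse battery staple', PASSWORD_BCRYPT),
            '__dummy__' => password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT),
        ];
    }
    return $store;
}

// Parse "Authorization: Basic <base64(user:pass)>" into [user, pass]; null if malformed.
function parseBasicAuth(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects junk characters
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Per RFC 7617 the user-id cannot contain ':', but the password may, so split on the first one only.
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Returns the authenticated username, or null if the request must get a 401.
function authenticateBasic(string $header): ?string
{
    $creds = parseBasicAuth($header);
    if ($creds === null) {
        return null;
    }
    [$user, $pass] = $creds;
    $store = userStore();
    $known = isset($store[$user]) && $user !== '__dummy__';
    $hash  = $known ? $store[$user] : $store['__dummy__'];
    $ok    = password_verify($pass, $hash); // always runs, whether or not the user exists
    return ($ok && $known) ? $user : null;
}

// Demonstration with constructed headers. In Slim 3/4 the header comes from
// $request->getHeaderLine('Authorization'); on a 401 also send
// 'WWW-Authenticate: Basic realm="api"' so clients know to retry with credentials.
var_dump(authenticateBasic('Basic ' . base64_encode('alice:correct horse battery staple'))); // string "alice"
var_dump(authenticateBasic('Basic ' . base64_encode('alice:wrong')));                        // NULL
var_dump(authenticateBasic('Basic ' . base64_encode('mallory:anything')));                   // NULL
var_dump(authenticateBasic('Bearer some-token'));                                            // NULL: not Basic
```

Two caveats when wiring this into a real deployment: Basic auth sends the password on every request, so it is only acceptable over HTTPS; and under some CGI/FastCGI setups PHP does not receive the raw `Authorization` header at all (only `PHP_AUTH_USER`/`PHP_AUTH_PW` under mod_php), so check what your SAPI actually exposes before trusting that the header is empty.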


Since REST is stateless, you pretty much need to butcher it if you want different data representations for different users (ergo - stateful), meaning that with each request you'll provide data (about user state) that is not relevant for the specific entity.

So either authenticate the user every time, or use a temporary cookie + session, or, if you have third parties involved, OAuth.

See also Dave Ingram - API Design presentation

Artjom Kurapov answered Oct 07 '22 05:10