 

Apigility and oAuth for users

I'm about to start working on an application with a REST API and I want to use Apigility. There is one problem, unfortunately, with this idea. I cannot find a reliable source of information on how to allow authentication by oAuth for regular users.

I need to provide access for an Angular app and a native mobile one (possibly in the future for third-party web apps). All resources that I have found are about granting access to the API for a specific client application, not for the specific users that use these applications. I don't want to implement two different authentication methods, so if there is a way to resolve this issue with Apigility it would be great.

Do you have any suggestions on how to approach this? I know that I can generate a client id and secret for all registered users, but this seems like a crappy solution, and I already have a database schema in place for storing user info.

Adam asked Feb 12 '23 22:02


1 Answer

What you're likely looking for is the "password" grant type. In this scenario, you will have a way of registering users and their passwords, and then a "login" screen of sorts. This login screen will send the following information:

  • username
  • password
  • client_id -- this will be the OAuth2 client ID (not the user ID!) for the application
  • "grant_type": "password"

Note that you are NOT providing the client_secret in this scenario! In the case of a user credential scenario, the user's credentials are validated, and then the server verifies that the client_id supports this grant type.

If the user provides successful credentials, then the OAuth2 endpoint will return a token, a TTL, and a refresh_token (which, if you send it before the TTL expires, will give you a new set of tokens).

From here, you will then send the token in the Authorization header: "Authorization: Bearer <token>". Apigility will then pick this up on each request and validate the token.

The validation also returns the username as part of the identity. This means that you can query the ZF\Mvc\Identity to retrieve the user in order to perform user-specific ACL assertions later!

Poke me on the mailing list (http://bit.ly/apigility-users) if you need some more direction.

weierophinney answered Mar 07 '23 04:03
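The exchange the answer describes, traced end to end as an added, self-contained simulation; this is not Apigility or zf-oauth2 code. It models both sides: the token endpoint handling a `grant_type=password` request (user credentials checked, then the `client_id` checked for support of that grant), the TTL and `refresh_token` in the response, and the per-request Bearer validation that yields an identity carrying the username. The user table, client registry, credentials, token stores and the form bodies are all constructed for this example.

```python
"""Simulated OAuth2 password grant + Bearer validation (added example).

Not Apigility/zf-oauth2 code: USERS, CLIENTS, the token stores and the
sample credentials below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs

ACCESS_TTL = 3600          # seconds an access token lives (the "TTL" / expires_in)
REFRESH_TTL = 14 * 86400   # seconds a refresh token lives


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: the site's own user records, NOT OAuth2 clients.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Constructed client registry: one row per *application*, not per user.
# The public SPA/mobile client is allowed the password grant; a batch job is not.
CLIENTS = {
    "angular-app": {"grant_types": {"password", "refresh_token"}},
    "reporting-batch": {"grant_types": {"client_credentials"}},
}

TOKEN_STORE = {}    # access_token  -> {"user", "client_id", "expires"}
REFRESH_STORE = {}  # refresh_token -> {"user", "client_id", "expires"}


def _issue(user, client_id, now):
    """Mint a fresh access/refresh pair for this user and client."""
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    TOKEN_STORE[access] = {"user": user, "client_id": client_id, "expires": now + ACCESS_TTL}
    REFRESH_STORE[refresh] = {"user": user, "client_id": client_id, "expires": now + REFRESH_TTL}
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def token_endpoint(body, now=None):
    """POST /oauth with a form-encoded body, as the login screen would send.
    Returns (http_status, json_dict)."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client = CLIENTS.get(form.get("client_id", ""))
    grant = form.get("grant_type")
    # The client_id must be registered and allowed this grant type.
    if client is None or grant not in client["grant_types"]:
        return 400, {"error": "unauthorized_client"}
    if grant == "password":
        rec = USERS.get(form.get("username", ""))
        # Hash against a dummy salt when the user is unknown so response timing
        # does not reveal which usernames exist; compare in constant time.
        salt, stored = rec if rec else (b"\0" * 16, b"\0" * 32)
        computed = _hash_password(form.get("password", ""), salt)
        if rec is None or not hmac.compare_digest(computed, stored):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(form["username"], form["client_id"], now)
    if grant == "refresh_token":
        rec = REFRESH_STORE.pop(form.get("refresh_token", ""), None)  # single use
        if rec is None or rec["expires"] < now or rec["client_id"] != form["client_id"]:
            return 400, {"error": "invalid_grant"}
        return 200, _issue(rec["user"], rec["client_id"], now)
    return 400, {"error": "unsupported_grant_type"}


def identity_from_header(authorization, now=None):
    """What the resource server does on every request: validate the Bearer token
    and return the identity (including the username), or None."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    rec = TOKEN_STORE.get(token)
    if rec is None or rec["expires"] < now:
        return None
    return {"username": rec["user"], "client_id": rec["client_id"]}


if __name__ == "__main__":
    status, tok = token_endpoint(
        "grant_type=password&username=alice&password=correct+horse&client_id=angular-app")
    print(status, tok["expires_in"])
    print(identity_from_header("Bearer " + tok["access_token"]))
```

Two choices worth noting: the refresh token is consumed on use, so a replayed refresh request fails and the client must keep the newest pair; and the `client_id` is a per-application value from the registry, so a user row in `USERS` never needs a client id or secret of its own, which is the point of the answer.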