Connect angularjs webapp to REST API (PHP)

Question

I have a REST API written in PHP(Slim framework) and my API contains some admin routes for managing private data. I've implemented oAuth2.0 for authorization(this php implementation).

I like to use AngularJS for creating an admin webapplication so users can manage their own data.

I'm now using username-password flow but i'm reading that this is not secure because my webapp exposes client_id & client_secret.

I also looked into implicit grant ( designed for public clients) but it says that it should be for read only purposes.

I also want to use this API for supplying data for mobile apps. Users don't have to sign in for this but data isn't public.

Which oauth grant is suitable for this scenario / setup?

Answer 1

Take a look at Resource Owner Password Credentials Grant. Which is the 4th bullet point in the second link that you provided. password (user credentials)

https://www.rfc-editor.org/rfc/rfc6749#section-4.3

Simply put:

1. User sends their login and password
2. Server grants user access_token (equivalent to the old cookie session id)
3. User sends access_token with the remainder of their requests

Also, If you want to give mobile devices access while keeping data private i'd suggest generating "free" accounts linked to mobile mac addresses. Then have them go through the above said authentication with their mac address as login / password as empty. That way you can implement the same user logic to mobile with throttle/ban/upgrade/etc per device.

Answer 2

I know I'm posting Python to a PHP question but it's not about the code. The example (http://python-eve.org/authentication.html#auth) explains in detail what auth methods are available for a good REST API and it might be useful for your application.