
I am writing a REST API in PHP using Symfony2. This API is intended to be used by individual websites to access data and this will be done by a client side library.

I need to secure the API however and this is proving to be a bit confusing. I have done some research and as far as I can tell, a good way seems to be to use OAuth2 with the client credentials flow (see RFC draft). I have to admit, I am still fuzzy on the details of how exactly this works but I keep reading that it is so simple. I suppose my first question is: Is this the way to go or have I gone off in the wrong direction? Should I use some other method for authenticating clients? Please bear in mind that I need identity, authentication and authorisation.

If yes, OAuth2 using the client credentials grant is the way to go, then I ask: What is the best way of accomplishing this in PHP? Has anyone actually done this? So far I have been trying to use oauth2-php along with a bundle without too much luck. That bundle seems to focus on 3-legged authentication, although I am not quite sure. I was wondering if the best course of action would be to do it manually using the oauth2-php package perhaps?

I would greatly appreciate any information on this. Thanks in advance!

  • I've been using the FOSOAuthServerBundle successfully with client credentials grant type. What problems did you have ? – AdrienBrault Jul 07 '12 at 10:28
  • Thanks for the reply. I suppose I am mostly confused about what each part does and how it works. So far as I understand I have to create my own authentication mechanism (API key + secret) which the client can use to log in and gain access to /oauth/v2/auth and there it gets a token. Once that token expires it can use a refresh token to get a new token from /oauth/v2/token. Does that seem right? I would appreciate any tips you might have about this, it's good to know this is possible at least! –  Jul 07 '12 at 17:45
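The client credentials exchange that the question and the comment above describe, as an added example in Python rather than PHP (it is not code from the question, from FOSOAuthServerBundle or from oauth2-php, but the mechanics carry over one to one). HTTP is simulated with plain dicts so it runs offline; the client id, secret, endpoint paths and token format are made up for illustration. Following RFC 6749 §4.4 only the token endpoint is involved (the authorization endpoint belongs to the redirect-based grants), and per §4.4.3 no refresh token is issued for this grant: when the access token expires the client simply authenticates again with its id and secret.

```python
"""OAuth 2.0 client credentials grant (RFC 6749 §4.4), both sides, offline.

Added example, not code from the question or the answer. The HTTP layer is
simulated with dicts; client ids, secrets and paths are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed client registry: store a hash of the secret, never the clear text.
CLIENTS = {
    "site-123": hashlib.sha256(b"s3cr3t-for-site-123").hexdigest(),
}
TOKEN_TTL = 3600  # access token lifetime in seconds


class AuthServer:
    """Token endpoint plus one protected resource, in memory."""

    def __init__(self, clients, now=time.time):
        self._clients = clients
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # access_token -> (client_id, expires_at)

    def _authenticate_client(self, headers):
        # RFC 6749 §2.3.1: confidential clients authenticate with HTTP Basic.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        expected = self._clients.get(client_id)
        if expected is None:
            return None
        given = hashlib.sha256(secret.encode()).hexdigest()
        # Constant-time compare so response timing does not leak the stored hash.
        if not hmac.compare_digest(given, expected):
            return None
        return client_id

    def token_endpoint(self, headers, form):
        """POST /oauth/v2/token (path is an assumption)."""
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client_id = self._authenticate_client(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)  # opaque, unguessable bearer token
        self._tokens[token] = (client_id, self._now() + TOKEN_TTL)
        # §4.4.3: no refresh token for this grant; the client re-authenticates.
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_TTL}

    def resource_endpoint(self, headers):
        """GET /api/data (path is an assumption): checks an RFC 6750 bearer token."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        entry = self._tokens.get(auth[7:])
        if entry is None or entry[1] <= self._now():
            return 401, {"error": "invalid_token"}
        return 200, {"client_id": entry[0], "data": ["item-1", "item-2"]}


def basic_auth(client_id, secret):
    """Build the Authorization header a client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def run_exchange(server, client_id, secret):
    """Client side: obtain a token, then call the API with it.

    Returns (token_status, token_body, resource_response_or_None).
    """
    status, body = server.token_endpoint(
        {"Authorization": basic_auth(client_id, secret)},
        {"grant_type": "client_credentials"},
    )
    if status != 200:
        return status, body, None
    token = body["access_token"]
    return status, body, server.resource_endpoint({"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    server = AuthServer(CLIENTS)
    print(run_exchange(server, "site-123", "s3cr3t-for-site-123"))
    print(run_exchange(server, "site-123", "wrong-secret"))
```

The two things this adds to the description in the comment are the parts that are easy to get wrong in a hand-rolled implementation: the client secret is checked against a stored hash with a constant-time comparison, and the resource server rejects a token the moment its expiry passes rather than trusting the client to stop using it. In production the token store would be a database or cache rather than a dict, and everything above must travel over TLS, since the bearer token and the client secret are both sent in clear in the HTTP headers.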

1 Answer


Heidar,

I am currently working on a similar project and this is what I found so far.

OAuth is officially for authorizing a website with another resource on the web. Facebook found the whole separation of authorization and authentication too confusing for its developer base, and started using OAuth for both. Since it is a major player, developers have been tagging along.

Even though I am not really sure what you mean by the identity part of your statement, that you need "identity, authentication and authorisation".

You can use OAuth for the other two, deduced from the fact that all big internet companies do so (best I can do for you on this front; the OAuth docs say it is only for authorization).

Google offers a client library that is maintained quite well: http://code.google.com/p/google-api-php-client/wiki/OAuth2

Furthermore, for a server-side library I would turn to oauth2-php as you refer to, at https://github.com/quizlet/oauth2-php. But please see this post for more details: Are there OAuth 2 server side PHP or Java implementations?

And on the 3-legged authentication part, please see the answer here (it's really extensive but explains it well): OAuth 2.0: Benefits and use cases — why?

Please keep in mind though that I am still struggling with actually implementing this.

Willem de Vries

  • Hi Willem, thanks for the reply. We decided not to go with OAuth2 in the end, it was not worth the trouble for us. Now, after seeing what is happening with the development of the standard, I think it's good that we didn't go with it. We will use a simple key+secret authentication for now to get the API out of the door, and once we can we will probably implement OAuth1 or something a bit more sophisticated than just key+secret, since it leaves us open to some security issues. How did you get on with OAuth2 in the end? –  Jul 27 '12 at 14:12
  • Hi Heidar, thanks for asking. Well, here things are not going so well either ;-) I have an OAuth 2 server implemented in PHP through this OAuth2-php, yet we have not had time to actually implement it in our REST framework. Still, there is no doubt about the necessity of OAuth2 (I seriously wouldn't go for OAuth 1a; 2 will be the standard and it is widely accepted and implemented already). If you implement something, best implement it well ;-) right? Good luck! – Willem de Vries Jul 27 '12 at 15:22