0

I'm currently developing a RESTful API in PHP an I'd like to implement some user authentication to it. I have read through some literatures and the most efficient/secure way to allow authentication through rest api seems to be the use of the access tokens via the oauth protocol.

I have understood the way the protocol works but I don’t understand how to implement it to our api & database when the user has got his access token. The documentation about it is very unclear/nearly non-existent...

My idea was basically to save this access_token in my "users" MySQL table. That way we could verify if the user exists and has the appropriate permissions during each requests on the API.

However I’m not sure it is the most proper way to do that. Is it safe enough? How would you personally proceed to deal with that?

JeremyW
  • 673
  • 2
  • 8
  • 17

1 Answers1

1

As this access token is like a temporary password, you can indeed store it in your table.

But as with storing passwords, you might want to hash and salt the token (depending on how relatively easy your tokens can be guessed). See the why's and how's here: Secure hash and salt for PHP passwords

Community
  • 1
  • 1
Kay Tsar
  • 1,428
  • 11
  • 14