4

I'm about to start working on application with rest API and I want to use apigility. There is one problem unfortunately with this idea. I cannot find reliable source of information how to allow for authentication by oAuth for regular users.

I need to provide access for angular app and native mobile one (possibly in future for third-party web apps). All resources that I have found are about granting access to api for specific client application, not for specific users that use this applications. I don't want to implement two different authentication methods, so if there is a way to resolve this issue with apigility it would be great.

Do you have any suggestions how to approach this? I know that I can generate client id and secret for all registered users but this seams a little crappy solution and I have database schema already in place for storing user info.

edigu
  • 9,878
  • 5
  • 57
  • 80
Adam
  • 873
  • 7
  • 33

1 Answers1

8

What you're likely looking for is the "password" grant type. In this scenario, you will have a way of registering users and their passwords, and then a "login" screen of sorts. This login screen will send the following information:

  • username
  • password
  • client_id -- this will be the OAuth2 client ID (not the user ID!) for the application
  • "grant_type": "password"

Note that you are NOT providing the client_secret in this scenario! In the case of a user credential scenario, the user's credentials are validated, and then the server verifies that the client_id supports this grant type.

If the user provides successful credentials, then the OAuth2 endpoint will return a token, a TTL, and a refresh_token (which, if you send it before the TTL expires, will give you a new set of tokens).

From here, you will then send the token in the Authorization header: "Authorization: Bearer ". Apigility will then pick this up on each request and validate the token.

The validation returns also the username as part of the identity. This means that you can query the ZF\Mvc\Identity to retrieve the user in order to perform user-specific ACL assertions later!

Poke me on the mailing list (http://bit.ly/apigility-users) if you need some more direction.

weierophinney
  • 1,790
  • 9
  • 17
  • password granttype actually requires the client secret .. at least according to their examples. This person might want the implicit grant type.. http://bshaffer.github.io/oauth2-server-php-docs/grant-types/user-credentials/ – Erik May 30 '14 at 15:59
  • 1
    You can left the client_secret null in the database and empty in the api call. – Agustincl Oct 30 '14 at 19:53