I am creating an apigility project where we will be hosting all of our APIs. We need to be able to use OAuth2 for authentication but we cannot figure out how to control access to certain APIs, it seems like once a client authenticates, they can use any of our APIs but we want to limit them to use only specific ones that we define. After reading about the OAuth2 library that apigility uses, I saw that there are scopes that can be defined but I have not found any documentation about how to check a user's scope to see if they have access. I want to find out if this is the best way to restrict access to certain APIs and how to set it up if it is, or is there a better way to control access?
Viewed 906 times
1 Answer
4
Just implemented this functionality using the following recipe ...
https://github.com/remiq/apigility-zfc-rbac-recipe
It worked really well and only took a few hours to get it all working.
Alternatively, you can just do the checking in the Controller Action (Resource method):
// getAuthenticationIdentity() returns the OAuth2 token data array for an authenticated
// identity, or null for a guest identity
$identity = $this->getIdentity()->getAuthenticationIdentity();
// 'scope' is a space-separated string in the token data, so split it before searching
$scope = isset($identity['scope']) ? explode(' ', $identity['scope']) : [];
if (! in_array('admin', $scope, true)) {
    return new ApiProblem(Response::STATUS_CODE_401, 'No Auth');
}
The above code is untested but should get you on the right path if you wanted to do it that way.

Purple Hexagon
- Thanks, I will look into that. I am just surprised that we would have to use another module to handle this when it appears to be part of the OAuth library that Apigility uses. – Jeff Burgin Oct 02 '15 at 14:11
- From the docs https://apigility.org/documentation/auth/authorization ... "By default, everything is accessible to all authenticated identities and "guest" identities. Apigility does not, by default, give you the ability to create user groups, or assign specific permissions to specific authenticated users." – Purple Hexagon Oct 02 '15 at 15:08
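As an added example of the second approach in the answer above (this is not code from the original answer, from the linked recipe, or from Apigility itself), the following PHP puts the scope check into one reusable helper and applies a different required scope to each resource operation. The scope names `orders:read` and `orders:write`, the `OrdersResource` class and its namespace are assumptions; the Apigility classes used (`ZF\Rest\AbstractResourceListener`, `ZF\MvcAuth\Identity\AuthenticatedIdentity`, `ZF\ApiProblem\ApiProblem`) and the fact that the OAuth2 token data carries scopes as a space-separated string are real.

```php
<?php
// Added example, not part of the original answer or of Apigility.
// Scope names, the resource class and its namespace are assumptions.
namespace Application\V1\Rest\Orders;

use ZF\ApiProblem\ApiProblem;
use ZF\MvcAuth\Identity\AuthenticatedIdentity;
use ZF\Rest\AbstractResourceListener;
use Zend\Http\Response;

final class ScopeGuard
{
    /**
     * Return the scopes granted to the current identity as a plain array.
     * Apigility's OAuth2 adapter stores the token data array returned by the
     * OAuth2 server as the "authentication identity"; its 'scope' entry is a
     * space-separated string (RFC 6749 format) or absent/null.
     */
    public static function grantedScopes($identity)
    {
        if (! $identity instanceof AuthenticatedIdentity) {
            return []; // guest or no identity at all: no scopes
        }
        $data = $identity->getAuthenticationIdentity();
        if (! is_array($data) || empty($data['scope'])) {
            return [];
        }
        // preg_split on whitespace runs so doubled spaces never yield an empty scope
        return array_values(array_unique(preg_split('/\s+/', trim($data['scope']))));
    }

    /**
     * Every scope in $required must be present (exact, case-sensitive match).
     * Returns null when the call is allowed, or an ApiProblem that the resource
     * method can return directly.
     */
    public static function check(array $required, $identity)
    {
        $missing = array_diff($required, self::grantedScopes($identity));
        if (empty($missing)) {
            return null;
        }
        // 401 means the credential itself is missing or invalid; a valid token
        // that lacks a scope is an authorization failure, so answer 403.
        return new ApiProblem(
            Response::STATUS_CODE_403,
            'Insufficient scope: ' . implode(' ', $missing) . ' required'
        );
    }
}

class OrdersResource extends AbstractResourceListener
{
    public function fetch($id)
    {
        $problem = ScopeGuard::check(['orders:read'], $this->getIdentity());
        if ($problem !== null) {
            return $problem;
        }
        return ['id' => $id, 'status' => 'open']; // stand-in for real data access
    }

    public function create($data)
    {
        // Writes need the broader scope; a token holding only orders:read is refused here.
        $problem = ScopeGuard::check(['orders:write'], $this->getIdentity());
        if ($problem !== null) {
            return $problem;
        }
        return ['id' => 'new', 'status' => 'created'];
    }
}
```

Two points worth noting from a defensive angle: the check only restricts what a token may do, so the scopes a token is issued with still have to be limited at the authorization step, and rejecting with 403 rather than 401 keeps clients from retrying authentication when the real problem is a missing scope.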