Securing a REST API written in PHP with OAuth2 cli

Published 2019-04-05 02:49

Question:

I am writing a REST API in PHP using Symfony2. This API is intended to be used by individual websites to access data and this will be done by a client side library.

I need to secure the API however and this is proving to be a bit confusing. I have done some research and as far as I can tell, a good way seems to be to use OAuth2 with the client credentials flow (see RFC draft). I have to admit, I am still fuzzy on the details of how exactly this works but I keep reading that it is so simple. I suppose my first question is: Is this the way to go or have I gone off in the wrong direction? Should I use some other method for authenticating clients? Please bear in mind that I need identity, authentication and authorisation.

If yes, OAuth2 using the client credentials is the way to go, then I ask: What is the best way of accomplishing this in PHP? Has anyone actually done this? So far I have been trying to use oauth2-php along with a bundle without too much luck. That bundle seems to focus on 3-legged authentication, although I am not quite sure. I was wondering if the best course of action would be to do it manually using the oauth2-php package perhaps?

I would greatly appreciate any information on this. Thanks in advance!
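A minimal version of the client credentials exchange the question asks about, written as an added example in plain PHP (it is not code from the question, from oauth2-php or from Symfony2); the client registry, the client secret and the in-memory token store are constructed for the demonstration:

```php
<?php
// Added example (not from the question, oauth2-php or Symfony2): a minimal OAuth2
// client credentials token endpoint plus a bearer-token check. All data is constructed.

// Registered clients: client_id => password_hash() of the client secret (constructed).
$clients = [
    'site-a' => password_hash('s3cret-for-site-a', PASSWORD_DEFAULT),
];
// Issued tokens: token => ['client_id' => ..., 'expires' => unix time]; in-memory here.
$tokens = [];

// Token endpoint for the client credentials grant (RFC 6749, section 4.4).
function issueToken(array $clients, array &$tokens, array $post): array
{
    if (($post['grant_type'] ?? '') !== 'client_credentials') {
        return ['status' => 400, 'body' => ['error' => 'unsupported_grant_type']];
    }
    $id = $post['client_id'] ?? '';
    $secret = $post['client_secret'] ?? '';
    // Unknown client or wrong secret: same error either way, no hint which one failed.
    if (!isset($clients[$id]) || !password_verify($secret, $clients[$id])) {
        return ['status' => 401, 'body' => ['error' => 'invalid_client']];
    }
    // Opaque, unguessable token with a short lifetime.
    $token = bin2hex(random_bytes(32));
    $tokens[$token] = ['client_id' => $id, 'expires' => time() + 3600];
    return ['status' => 200, 'body' => [
        'access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => 3600,
    ]];
}

// Resource endpoint helper: validate "Authorization: Bearer <token>" and return
// the identity (client_id) of the calling website, or null if the token is bad.
function authenticateBearer(array $tokens, string $header): ?string
{
    if (!preg_match('/^Bearer\s+([0-9a-f]{64})$/', $header, $m)) {
        return null;
    }
    $entry = $tokens[$m[1]] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['client_id'];
}

// Demo exchange: the client library posts its credentials, then calls the API.
$resp = issueToken($clients, $tokens, ['grant_type' => 'client_credentials',
    'client_id' => 'site-a', 'client_secret' => 's3cret-for-site-a']);
$who = authenticateBearer($tokens, 'Bearer ' . $resp['body']['access_token']);
echo json_encode(['token_response' => $resp, 'authenticated_client' => $who]), PHP_EOL;
```

In a real deployment the token store would live in a database or cache shared by the API servers, and the token endpoint would be reachable over TLS only, since the client secret travels in the POST body.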

Answer 1:

Heidar,

I am currently working on a similar project and this is what I found so far.

OAuth is officially for authorizing a website with another resource on the web. Facebook found the whole separation of authorization and authentication too confusing for its developer base, and started using OAuth for both. Since it is a major player, developers have been tagging along.

Even though I am not really sure what you mean by the identity part in your statement that you need "identity, authentication and authorisation".

You can use OAuth for the other two, deduced from the fact that all big internet companies do so (best I can do for you on this front; the OAuth docs say it is only for authorization).

Google offers a client library that is maintained quite well: http://code.google.com/p/google-api-php-client/wiki/OAuth2

Furthermore, for a server-side library I would turn to oauth2-php as you refer to, at https://github.com/quizlet/oauth2-php. But please see this post for more details: Are there OAuth 2 server side PHP or Java implementations?

And on the part of the 3-legged authentication, please see the answer here (it's really extensive but explains it well): OAuth 2.0: Benefits and use cases — why?

Please keep in mind though that I am still struggling with actually implementing this.