Creating API Authentication using PHP Oauth class - php

I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with are the generation of the tokens: what information do I use in the creation of tokens? How do I set up my APIs to be classed as a protected resource?
From the understanding that I have about OAuth, the client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.

OAuth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate your users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple; have you considered just using session/cookie based authentication, or using tokens generated on the server side?

Related

Using RingCentral PHP SDK to build app that uses Authorization Code flow and subscribes to presence events

I am trying to build a web app that is using RingCentral PHP SDK to subscribe to presence events. The application will be using Authorization Code flow. I am getting the access token but have no idea how to use this token with SDK and Platform objects. It looks like SDK is geared towards using Password flow.
Should I use plain curl to invoke POST /restapi/v1.0/subscription HTTP/1.1, passing the access token in the Authorization header? Or are there ways to use RingCentral SDK objects for it? Am I missing something?
If you could provide a little more information about your use-case, and how you're implementing the code, I can provide greater detail.
To create a subscription using the PHP SDK, here is the demo code contained within the RingCentral PHP SDK repository on Github
TL;DR
I see two questions being asked:
Does the RingCentral PHP SDK support Authorization Flow (3-Legged OAuth), because currently it appears the SDK is focused only upon the Password Flow?
Authorization Flow is the best-practice for building multi-tenant applications since it removes the security risk of your application storing usernames and passwords which are associated with RingCentral accounts. The RingCentral PHP SDK supports Authorization Flow and Password Flow authentication types. Once your PHP SDK instance has a valid access_token then it can create a subscription quite easily.
We can see in the PHP SDK code on Github within src/Platform.php that constant AUTHORIZE_ENDPOINT is supported as a returnable value from a request to authUrl().
You can see in Grokify's RingCentral OAuth PHP Example that Authorization Flow is supported by the PHP SDK.
Once your SDK instance has a valid access_token, it will use that token in the Authorization header when you createSubscription(), addingListeners(), and register() as seen in this PHP demo code to create a subscription
How do I create a RingCentral Subscription using the PHP SDK (does the SDK have objects associated with it I can use)?
There are several ways you can go about using the RingCentral SDK(s). I've provided a link to the PHP Demo on creating a subscription in the above TL;DR.
Since you are working with the RingCentral PHP SDK, then you are restricted to server-side implementations as PHP is a server-side only language.
How you choose to implement your subscription is entirely dependent upon your application's use-case needs and your architectural requirements. Since you have indicated you are using Authorization Flow, that leads me to believe you are building a multi-tenant, web-based application integration. Since you said you are getting an access_token, I am guessing you've called the Platform.login() and passed it the code value you receive from the 3-Legged auth request to /restapi/oauth/authorize and received in the redirect. I'm not sure if you're doing all this from the client or server, but I'm assuming the server.
You would need to associate the session to the SDK instance and subscription on the server-side. This means you will have to manage multiple SDK and Subscription instances for each client-side session. You might also need to implement WebSockets or Long-Polling so you can achieve the near real-time event updates that Subscriptions enable. So while, yes, the RingCentral PHP SDK can be used with Authorization Flow, I personally would recommend against using it for any end-user, client-side, multi-tenant application development (unless you have properly prepared for mapping the sessions to the SDK/Subscription instances as I described earlier).
If you do not want to manage all of that on your server-side, you could use the RingCentral JS SDK on the client-side of your PHP application, but this might get a little messy and require some re-architecting of your solution depending upon how you have things built. Of course, this approach has a data-volatile aspect depending upon what you want to do with the data you obtain from the subscription and if you need it to persist between sessions (once again depends upon your use case).

Logging in users with API built in laravel

I am building my first rest API for an iOS app.
The framework I use for building the API is Laravel.
Everything works great so far but I am not sure how to log users in using the API.
Could sessions work here? I'm already using SSL/HTTPS but I don't want to authenticate users on each request, so what's the best way to only make them log in once?
Also, should OAuth work fine here?
If you have any examples on how to log users in on a Laravel built api please share.
Thanks in advance
In my experience, Laravel's built-in Authentication component can only be applied to normal authentication via form, session and cookie. To handle API authentication, I have used these methods; I hope that one of them is suitable for you.
OAuth 2
With the help of lucadegasperi/oauth2-server-laravel, you can make your API secured via OAuth flows. More documentation can be found at the package wiki on Github or the PHP League OAuth2 home page. You can use filters to secure your API routes as follows:
    Route::get('protected-resource', ['before' => 'oauth:scope1,scope2', function() {
        // return the protected resource
    }]);
However, OAuth needs a database to save client credentials and some more settings; if your API is not so complicated, this solution may not be suitable.
HTTP Authentication
This solution is simpler than OAuth and I recommend using it with an SSL (HTTPS) connection because the authentication information can be visible when using this. The package I used before is Intervention/httpauth. You have two options for the authentication method when using this package: basic (send a base64 encoding of the combination username:password via HTTP header) or digest (use the MD5 algorithm to encode your information before sending it via HTTP header). This solution does not require any database.

how to communicate b/w two web applications securely using API?

I have a main website (which contains all data) and multiple client websites which fetch data from the main website. Each client website has access to a different set of data on the main website. I want to create a PHP based web API for this. This is my first API so I am not sure what is the best and most secure way to do this.
After some googling I found OAuth to be the most common authentication method for APIs. However, in my case I want the client website to be configured once and then the communication should be automatic, i.e. communication should take place in the background without any user interference. Is OAuth required for this scenario?
Or is there any other method I can implement here?
OAuth is way too complicated to implement for your needs.
If you are using REST, I suggest using basic auth in the header and using SSL so that your communication is encrypted.
You could make a small SecurityFilter that checks, for any request with a URL pattern /api/, that the basic auth is correct and that it uses SSL...
It really depends on how you are exposing your API.
If you are using REST, HTTP Basic Auth over HTTPS is sufficient. I see a lot of people try to implement their own solutions when the provided approach is quite sufficient.
If you are using SOAP, there is a SOAP-based approach you could use: WS-Security (which is just a standard using anything from SAML assertions to OAuth tokens).
If passing Basic Auth credentials over HTTPS is too "open" for you, in that the credentials are saved in config on the client server somewhere, OAuth2 is probably the best solution. Doing OAuth on the server side wouldn't require any user interaction. You just store your tokens in a server config and let the OAuth library take care of the rest. PHP has a library for this: PHP OAuth Library. There are plenty of OAuth2 libraries for PHP. Just Google it.
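The "SecurityFilter" both answers describe (and the HTTP Authentication option in the Laravel answer above), as an added example that is not code from any of the answers: a PHP check run before any /api/ route that refuses plain HTTP and verifies HTTP Basic credentials against a per-client password hash. The client id, its secret and the `apiSecurityFilter` function are constructed for this example.

```php
<?php
// Added example (not code from any answer above): a small "security filter" of
// the kind suggested for a server-to-server REST API. It guards every /api/
// path, refuses plain HTTP, and checks HTTP Basic credentials against a
// per-client password hash. Client ids and secrets here are constructed.
declare(strict_types=1);

// Constructed client registry; in real use, generate each hash once with
// password_hash() and keep it in server-side config, never in the request.
$apiClients = [
    'client-site-a' => password_hash('site-a-secret-placeholder', PASSWORD_BCRYPT),
];

// Returns null when the request is outside /api/, otherwise the HTTP status
// the filter wants to send (200 = allowed, 401 = bad/missing creds, 403 = no TLS).
function apiSecurityFilter(array $server, array $clients): ?int
{
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    if (strpos($path, '/api/') !== 0) {
        return null;
    }
    // Basic auth is only base64, not encryption, so insist on HTTPS first.
    $https = isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
    if (!$https) {
        return 403;
    }
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pw   = $server['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pw === null) {
        return 401;
    }
    // Always run password_verify, even for unknown client ids, so response
    // timing does not reveal which ids exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('unused-dummy', PASSWORD_BCRYPT);
    $known = isset($clients[$user]);
    $ok    = password_verify($pw, $known ? $clients[$user] : $dummyHash);
    return ($known && $ok) ? 200 : 401;
}

// Run this before dispatching to any route.
$status = apiSecurityFilter($_SERVER, $apiClients);
if ($status === 403) {
    http_response_code(403);
    exit('HTTPS required');
}
if ($status === 401) {
    header('WWW-Authenticate: Basic realm="api"');
    http_response_code(401);
    exit;
}
// $status === null or 200: continue to the route handler.
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is usually not set, so the HTTPS check then has to look at whatever forwarded-protocol header your proxy sets, and only trust that header when the request actually came from the proxy.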
After some more googling and research I found the answer to my question:
The scenario I explained is an example of 2-legged OAuth (one can find many articles about 2-legged and 3-legged OAuth).
Also, OAuth is not difficult to implement; in fact, for a developer with good knowledge of APIs and auth systems it's very easy.
Here's a link to a very good PHP OAuth library with example code: http://code.google.com/p/oauth-php/

Authenticate a mobile app on the server side

I am writing an iPhone app that would need to communicate with our servers. On the server side, I am writing an API in PHP that the app would talk to. What is the best way to authenticate the apps and basically restrict access to the apps and shut everyone else out?
I need a way of recognizing that an incoming request to the API is a legitimate request from our API.
What other security concerns should I keep in mind and calculate for?
Any design suggestions?
I am currently looking into what OAuth can do for me here!
I think you don't need OAuth because it will only help you when you need authentication involving three parties. Example: your application authenticating a Facebook user (three parties here: you, the Facebook user and Facebook).
I would make sure you use this:
HTTPS (never send password or sensitive data over plain HTTP)
A login.php script that will authenticate your user, and upon valid authentication will generate an access_token for your mobile user.
Each restricted service you provide with PHP will ask for a valid access_token as a parameter to execute.
Make sure your access_token expires after certain time or conditions you might impose.
Look at the big companies? Google uses an API key for all their public APIs so they can track behavior and block if they expect abuse.
Since your API is probably not public you might need more security but then you'd probably need to encrypt all communication :<
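The login.php / access_token pattern from the answer above, as an added example that is not code from the answer: credentials are checked once, a random token with an expiry is issued, and every restricted service verifies that token before doing any work. The in-memory arrays stand in for database tables, the user record is constructed, and the function names are this example's own.

```php
<?php
// Added example (not code from the answer above): the login.php / access_token
// pattern the answer describes, for a PHP API served over HTTPS. The arrays
// stand in for a database; the user record is constructed.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // tokens expire after one hour

// Constructed user record; in real code this comes from your user table.
$users  = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)];
$tokens = []; // sha256(token) => ['user' => ..., 'expires' => unix time]

// login.php: verify credentials and hand back a fresh token. Only a hash of
// the token is stored, so a leaked token table does not yield usable tokens.
function issueToken(array $users, array &$tokens, string $user, string $password): ?string
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, never a hash of user data
    $tokens[hash('sha256', $token)] = ['user' => $user, 'expires' => time() + TOKEN_TTL_SECONDS];
    return $token;
}

// Called by every restricted service first; returns the user or null to reject.
function authenticateToken(array &$tokens, ?string $token): ?string
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed input is rejected before any lookup
    }
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires'] < time()) {
        unset($tokens[$key]); // expired: drop it so it cannot be replayed later
        return null;
    }
    return $tokens[$key]['user'];
}

// Usage in a restricted service: read the token from an "Authorization: Bearer"
// header rather than a query parameter so it does not end up in access logs.
$auth  = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
$token = preg_match('/^Bearer\s+([0-9a-f]{64})$/i', $auth, $m) ? $m[1] : null;
$who   = authenticateToken($tokens, $token); // null means respond with HTTP 401
```

Re-issuing the token on every successful login and deleting it on logout keeps the window for a stolen token to the TTL at most.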

Is OAuth viable for my website's API?

I'm developing a social networking website. This service will be available across various mediums, for example: the web, iPhone, Facebook application etc.
My idea for this application was to have all of these properties interact with one central point for fetching and saving data: an API. My various applications would then interact with this API, sending a GET request to fetch some data; a POST request to submit some data; DELETE requests and so on.
This API will be web-accessible, so I need a way to authenticate only white-listed applications. This API will never be available for third parties to interact with or build third-party applications with; it's to facilitate my applications only so I can cut out re-coding solutions across various platforms and focus only on the logic (controllers, essentially).
Therefore, would OAuth be suitable to be used as the authentication method for the above scenario?
My knowledge of OAuth isn't great, but if it is deemed a viable solution then I'll obviously read up on it before implementing. But as far as I know it works on tokens. A consumer (for example, my website) would request a token from the application (the API in this instance) and then the application would return a token to use in subsequent requests. Or something.
When a request comes in to my application, am I then able to accept/deny requests based on the requesting application? I.e. can I deny access to applications that aren't my own? How do I differentiate between applications? Do I retain a whitelist of IP address or URLs, and compare upon incoming requests?
Any help on the above would be most appreciated.
OAuth is not designed to authenticate some applications the way you want to.
Just create your own private way to authenticate, because you're the only one to know about your API. Don't forget to pipe the authentication in SSL and everything will be OK!
I don't think OAuth is the best solution for your problem. OAuth is great when you plan to give your API to 3rd parties as it allows you to authenticate a user without giving the user's credentials to the 3rd party. If you have all control over the API there is no need for this.
It's still a good idea to read about it though. :)