I'm new to Yii2. I want to implement Oauth2 with Resource owner credentials grant type in Yii2.
For that, I found this Yii2 specific library:
https://github.com/Filsh/yii2-oauth2-server
But the documentation is poor and doesn't show exact steps to use it.
So far I did this:
1) Install package using composer
2) Added module configuration into common/config/main.php
Now I'm getting confused for the next steps.
It says to create a class called "PublicKeyStorage". Is it really necessary or optional step? If yes then where should I create this file? Do I need to create privkey.pem and pubkey.pem file manually? If yes there what content should they have?
Next, it says to extend the common\models\User model. So where should I create this file? Into frontend/models?
3) Next, it says to run the package migration which is clear.
4) Next, it says to set URLs, which is also clear.
5) Next, it says to set controller, I believe it is to verify incoming token. Am I correct?
The last question I have is that what URLs should I hit to get the access token? Is it /oauth2/token?
If you want to get JSON Web Token (JWT) instead of the conventional token, you will need to set 'useJwtToken' => true in module and then define two more configurations: 'public_key' => 'app\storage\PublicKeyStorage' which is the class that implements PublickKeyInterface and 'access_token' => 'app\storage\JwtAccessToken' which implements JwtAccessTokenInterface.php.
5) Next, it says to set controller, I believe it is to verify incoming token. Am I correct?
A) Yes
Related
I would like to change the authenticated user server-side. I'm trying to use:
Auth::loginUsingId($id);
This should work from everything I've read but I'm getting the following error:
Call to undefined method Illuminate\Auth\RequestGuard::loginUsingId()
I get the same error with:
Auth::login();
It should be noted that I'm using the namespace "Illuminate\Support\Facades\Auth" and that Auth::user(); return the expected authenticated user.
So what am I missing here?
You are using RequestGuard not SessionGuard. This guard does not have those methods as there is no such concept as 'logging' in with it.
The Auth docs are for the default guard web, SessionGuard. Which is something you can log into because there is state on the server side to track this. This is what all the auth scaffold is for.
RequestGuard is something you have to define the callback for how you want to authenticate the user for each request.
Since RequestGuard isn't going to give you persistence and you are only looking to set a user on a guard for the current reqeuest you can call setUser (takes an Authenticatable[interface] instance) which all the guards have as a method for setting a user instance on a guard.
I'm building an application via slim framework and it's slim-jwt-auth middleware.
I installed it, and it works fine but I'm a bit confused with the passthrough possibility.
My RequestPathRule:
new \Slim\Middleware\JwtAuthentication\RequestPathRule([
"path" => ["/api"],
"passthrough" => ["/api/auth", "/api/users", "/api/products", "/api/orders", "/api/streets",
"/api/reservations", "/api/feedbacks", "api/menu"]
])
And my RequestMethodRule:
new \Slim\Middleware\JwtAuthentication\RequestMethodRule([
"passthrough" => ["POST", "GET"]
])
But it allows these methods to all endpoints. Actually, I want to let POST only to /api/auth, /api/orders, /api/reservations and /api/feedbacks, and GET for every endpoint except /api/users.
How is this possible?
Thank you in advance.
It would be interesting to see which are your routes, but basically in your current configuration your are saying:
1) DON'T Authenticate "/api/auth", "/api/users", "/api/products", "/api/orders", "/api/streets", "/api/reservations", "/api/feedbacks" and "api/menu" (rest of endpoints under /api MUST be authenticated)
2) AND also dont authenticate whatever POST or GET request
some examples:
PUT /api/users NEVER will be authenticate since /api/users is in
RequestPathRule
GET /api/users NEVER will be authenticate since /api/users is in
RequestPathRule AND GET is in RequestMehtodRule
PUT /api/whatever ALWAYS will be authenticate since /api/users is
NOT in RequestPathRule AND GET is NOT in RequestMethodRule
Basically rules work like an OR comparison operator and in the right moment an endpoint is in RequestPathRule OR a request method is in RequestMethodRule the request will be not authenticated.
A better approach could be trying not to use RequestMethodRule as much as possible (generally you just include OPTIONS method) and play with different paths.
In a normal web application you will provide a public API path to your clients under /api and the only endpoint you don't generally authenticate is /api/login (or /api/auth in your example) the rest of the endpoint under /api are authenticated. If your provide another set of endpoints which you don't want to authenticate you provide another different path like /service and your don't include it as "path" in RequestPathRule. If you need a set of endpoint ALL authenticated you create all of then under a new path, let's say /admin and you include on path in RequestPathRule and you don't add any "passthrough" for them.
So the idea is play with different path and just add those methods under RequestMethodRule for specific use cases. Moreover, in that way you will have a better clear and organized API.
Looking at your endpoints I recommend you create different path for most of them, so instead of having "/api/auth", "/api/users", "/api/products", "/api/orders" I would suggest you to have "/auth", "/user", "/product", "/order"... and you can add a RequestPathRule and RequestMethodRule for every path.
To be honest, as the slim-jwt-auth middleware is thought, it's difficult to provide CRUD operations over same endpoint, let's say you have GET, POST, PUT and DELETE over /user and you want just authenticate POST, PUT and DELETE. For that case you could have 2 options:
create differen endpoint for each verb like: GET /user/all, POST /user/add, PUT /user/edit and DELETE /user/delete (which is a bad practice
Create or extend your RequestPathRule and RequestMethodRule callable with the only conditions that they must implement RuleInterface and adapt them to your needs (highly recommended)
If you choose the 2nd option you only have to add those callable to the rules option. Something like this:
$app->add(new \Slim\Middleware\JwtAuthentication([
"rules" => [
new \My\Auth\Rules\RequestPathRule([
"path" => "/",
"passthrough" => []
]),
new \My\Auth\Rules\RequestMethodRule([
"passthrough" => ["OPTIONS"]
])
]
]));
I am using the Laravel 5.2 Auth system coming up with this command :
php artisan make:auth
Although this works totally fine as is, my goal is to use an external API to perform login, registering and changing password while still being able to use the core function of the Auth class.
So taking the login for example, I want to use something like
function login(ApiController $api) {
// This function return data or error code and message in JSON
$login = $api->login([ $credentials['email'], $credentials['password']]);
if($login->success)
// login successfully like normal Auth would do
else
// redirect to main page with $login->message
}
By the way, I want to pass fields coming up from $login to the Auth class, like we can actually do Auth::user()->email giving us the email, I'd want to set value like "database field" but with my API JSON fields behind
I looked on the Internet and found something to do inside AuthController and something related to ServiceProvider, but I don't know how to follow my exact needs
Adding a custom user provider would help in this case. There is no need to play with AuthController here. Check this Laravel Docs page.
You will need to create a new User Provider which implements Illuminate\Contracts\Auth\UserProvider, specify it in AuthServiceProvider and update your auth config file accordingly.
Here are the links to the framework's default User Providers for reference :
1) DatabaseUserProvider
2) EloquentUserProvider
I ended up coding my own Auth system...
Using session() and Input()
I am new to Magento.
Is it possible to (temporarily?) disable the requirement for oAuth in Magento and still retrieve customer data. through the REST API?
So basically be able to issue GET, PUT requests over HTTP without using oAuth?
URL: http://magento/api/rest/customers?limit=2
I am getting Access denied(403) error.
Note: I am able to read products.
Please try this one.may b it works.
go to Magento admin panel,System->Webservices->REST Attributes->Select User type customer and select resource access as ALL and save.
and check now:http://magento/api/rest/customers?limit=2
You can go to app/code/core/Mage/Api2/Model/Auth.php and change const DEFAULT_USER_TYPE = 'guest' to const DEFAULT_USER_TYPE = 'admin' and go to app/code/core/Mage/Api2/Model/Auth/Adapter.php and change return (object) array('type' => Mage_Api2_Model_Auth::DEFAULT_USER_TYPE, 'id' => null) to return (object) array('type' => Mage_Api2_Model_Auth::DEFAULT_USER_TYPE, 'id' => 1).
This will set default consumer to Admin and you will be able to access all API with admin privileges. You can also change it to 'customer' and provide any customer id in Adapter.php.
You would need to give guest access to customer resources.
Havent tried it yet, but i would suggest you extend the module
copy mage/customer with etc/api2 and model/api2/customer/rest/ to local modules so you dont modify core data.
then modify etc/api2 so you have access from guest calls and add attribute permissions as well
add the required model on api2/customer/rest so that guest may process callbacks, im guessin that just copying the admin, rename to guest and rename class name in v1 should do the trick.
Instead of oAuth you can implement your own authentication adapter for REST API in Magento. You can find more details in this article.
I'm pretty new to Laravel, I've spent some time reading about it and doing some tutorials. Lately, I've been following this tutorial about creating an authentication bundle:
http://net.tutsplus.com/tutorials/php/build-your-first-admin-bundle-for-laravel/
Basically, it's creating a simple custom auth driver extending the default auth one. Everything works quite nicely.. inside the bundle. My problem is more about how to use/access this admin/login bundle in my main application. I feel a bit ashamed asking this, I guess it has something to do with loading/starting the admin bundle in my application controller(s), but i can't get it to work.
Thank you
You have a couple of options, you can either start the bundle manually from within your application controllers each time by calling:
Bundle::start("<Your Bundle Name>");
Or when you register the bundle with Laravel (when you add it to /application/bundles.php) you can also choose to autoload it:
return array(
// ... other bundles
"<Your Bundle Name>" => array("auto" => true),
);
From looking at the tutorial this might look something like:
'admin' => array('handles' => 'admin', 'auto' => true)
Once you have either started the bundle manually, or autoloaded it, you can then call the bundle classes directly (make sure you use the proper namespace when calling the class).
You can also check out Laravel's documentation.