I am building my first rest API for an iOS app.
The framework I use for buidling the API is Laravel.
Everything works great so far but I am not sure on how to log users in using the API.
Could sessions work here? Im already using SSL/HTTPS but I dont wanna authenticate users on each
request, so whats the best way to only make them log in once?
Also, should oAuth work fine here?
If you have any examples on how to log users in on a Laravel built api please share.
Thanks in advance
With my experience, Laravel built in Authentication component is just be able to applied to normal authentication via form, session and cookie. To handled API authentication, I have used these methods, hope that one of them is suitable for you.
OAuth 2
With the help of lucadegasperi/oauth2-server-laravel, you can make your API secured via OAuth flows. More documentation can be found at the package wiki on Github or the PHP League Oauth2 home page. You can use filters to secure your API routes as follow:
Route::get('protected-resource', ['before' => 'oauth:scope1,scope2', function() {
// return the protected resource
}]);
However, OAuth need a database to save client credentials and some more settings, if your API is not so complicated, this solution may not suitable.
HTTP Authentication
This solution is more simple than OAuth and I recommend using it with an SSL (HTTPS) connection because the authentication information can be visible why using this. The packages I used before is Intervention/httpauth. You have two options with authentication method by using this package: basic (send a base64 encoded of the combination username:password via HTTP header) or digest (use MD5 algorithm to encode your information before sending via HTTP header). This solution does not required any database.
Related
I am trying to setup API authentication for APIs that I have created using PHP. My website, (Client) has been created using React. I have been researching and I cannot find anything that explains what I need to know. One of the main resources I am using is the PHP documentation:
https://www.php.net/manual/en/book.oauth.php
The things I am struggling with is the generating of the tokens, what information do I use in the creation of tokens? How do I setup my APIs to be classed as a protected resource?
From the understanding that I have about oauth, The client will send a request to the server for a request token. Once it has the request token, in the callback, it will request an access token using the request token. The access token will then be used to request access to the API. Does that sound right?
Any help would be greatly appreciated.
Oauth is pretty complex to implement, and is mostly used in situations where 3rd parties need to authenticate you users in their own code, or where there are complex authentication requirements.
Your case seems to be pretty simple, have you considered just using session/cookie based authentication, or using tokens generated on the server side?
This question already has answers here:
how to authenticate RESTful API in Laravel 5?
(2 answers)
Closed 6 years ago.
What is best way to secure API calls from AngularJS(Mobile application) / HTML pages to a Laravel PHP backend?
To be clear, I'm NOT talking about user login authentication.
I'm planning an API based application. I would like to read the JSON data from my API into an page using AngularJS, before any user is asked to sign up or log in.
I need to ensure that only my client front-end can access this data. Is there an existing system to send a token or utilise my secret key, to ensure that only my front-end can access my API? I would also like to be able to revoke access from a specific client or tenant.
What are security options for this set up? I'm thinking along the lines of JWT, CORS etc... This is my first attempt at such an application, so please forgive my ignorance! How to securely access API from Mobile application
You should use CORS and only allow the web application domain to request the API. Then any other request won't have access to the data.
Using a token won't be safe since anybody can access it from your application and use it outside.
Take a look at this package to manage CORS inside Laravel
This is application to application authorization. You could use a protocol such as OAuth2, however there's an interesting way of avoiding such a protocol.
If I were you, I'd go with client-side SSL certificate. The idea is that your client (mobile app) presents a certificate to the web server. Web server tries to verify the certificate. If it verifies it, it sends a parameter to PHP script that it verified you. If not, the parameter is empty or not sent.
Here's a link to a blog post that describes this process.
There are other ways to implement app to app authorization, by implementing secret keys, one time passwords etc. but no approach is as straight-forward and easy as client-side certificate.
I am implemented In App Billing for android.I wanted to implement subscription validity checking through my backend server. As Google Play Documentation, for making call for Google Play API,need authentication using oauth 2.0.
I followed instructions for registering project and creating credentials. But from there I have no idea how to use those credentials, I tried authentication via CURL request, but it asking permission as shown in follwing image
This permissions works fine I can exchange code and get access token, but all this done by manually, how should I implement this on backend.
I even try to use google api php library provided by Google, but It adds confusion. Also they didn't provide any example, how to use library.
Can anybody elaborate how exactly use library or pure php?
Thanks in advance.
To perform LVL and/or IAB validation on a server, do not access Google servers directly from the server. Even if all information were available, you would face integrity problems, because your app and your server will see different information due to synchronization latencies.
Instead, use your app as a proxy and validate the Google Play information on your server as described here.
I have a main website (which contain all data) and multiple client websites which fetch data from the main website. Each client website has access to different set of data on main website. I want to create a PHP based web API for this. This is my first API so I am not sure what is the best and most secure way to do this.
After some googling I found OAuth to be the most common authentication method for APIs. however in my case I want the client website to be configured once and then the communication should be automatic, i.e. communication should take place in background without any user interference. Is OAuth required for this scenario?
Or is there any other method I can implement here?
oauth is way to complicated to implement for your needs.
If you are using rest, i suggest using a basic-auth in the header and using SSL so that your communication is encrypted.
You could make a small SecurityFilter that checks if for any request with a url pattern /api/ that the basic-auth is correct and that it use SSL...
It really depends on how you are exposing your API.
If you are using REST, HTTP Basic Auth over HTTPS is sufficient. I see a lot of people try to implement their own solutions when the provided approach is quite sufficient.
If you are using SOAP, there is a SOAP-based approach you could use: WS-Security (which is just a standard using anything from SAML assertions to OAuth tokens).
If passing Basic Auth credentials over HTTPS is too "open" for you, in that the credentials are saved in config on the client server somewhere, OAuth2 is probably the best solution. Doing OAuth on the server side wouldn't require any user interaction. You just store your tokens in a server config and let the OAuth library take care of the rest. PHP has a library for this PHP OAuth Library. There are plenty of OAuth2 libraries for PHP. Just Google it.
After some more googling and research I found answer to my question:
The scenario I explained is an example of 2-legged oauth (one can find many articles about 2-legged and 3-legged oauth)
Also, OAuth is not difficult to implement, infact for a developer with good knowledge of API and Auth system its very easy.
Here's a link of very good php OAuth library with example code http://code.google.com/p/oauth-php/
I am developing an API using Codeigniter and Phils RESTserver.
I need to have authentication working with oAuth but I cannot find a library
that works with both Codeigniter and MongoDB.
Is it simple to create the oAuth process myself? I know it is hard to answer
not knowing my level of expertise.
This is my understanding of the oAuth process.
User clicks on link and are redirected to the servers login form.
User will be asked to authorize the developers app.
If he does authorize it he is redirected back to the developers website.
On this website the code that he got from step 3 will be exchanged for an access token.
Developers app will now be able to access the users account on the server.
I know there are parameters to be sent along with the requests like client_id and client_secret and redirect URL. But my question is. Is it this easy to implement an oAuth server? Just create the classes and functions? What else are the requirements to
be able to call the process a true oAuth authentication?
Thankful for all input!
Have you had a play with this?
https://github.com/alexbilbie/CodeIgniter-OAuth-2.0-Server
Alex has also written a Mongo library, so if his server doesn't support Mongo out of the box then just have a play with that. Just because your API is in Mongo though doesn't mean the api keys, tokens, etc HAVE to be in Mongo too, but they easily can be.