11
votes

I have an API that requires authentication via OAuth 2.0. I originally anticipated using HWIOAuthBundle, however from investigation this is more to do with hooking up 3rd parties into Symfony's security/auth mechanism and does not provide the required mechanism for validating OAuth 2.0 Authorization headers.

I then found some information about FOSOAuthServerBundle which enables an application to become its own OAuth 2.0 provider as well as providing the required security mechanisms to validate Authorization headers.

However, the problem is that I would like to integrate the OAuth 2.0 provider (authorisation server) in an external application (which contains the user base) and not include it within the API. This requires some mechanism for performing the token verification against this external app via (another) RESTful API.

Points:

  • RESTful API requires OAuth 2.0 authentication.
  • OAuth 2.0 authorisation server to be situated in a separate application.

I feel I should use Implicit grant and call the authorization server on each request to validate that the token is correct.

Is my thinking correct?

So if I understand correctly, you want to authenticate by using user credentials from an external API? – Sehael
Not user credentials. Via OAuth, but that is external to the API. All examples I have seen have had them together. – Malachi
So you want to set up FOSOAuthServerBundle in your current application so that an external app can use your application to authenticate against? – Sehael
I want to set up the OAuth provider on a different app, but have the REST API provide OAuth authentication against this provider. – Malachi
I am not sure if that is possible. What's the use case? – Sehael

3 Answers

5
votes

As far as I understand your requirement, you need to authenticate your APIs via an external OAuth Authorization Server:

  • Client needs to provide the access token retrieved in the above steps along with the request to access the protected resource. Access token will be sent as an authorization parameter in the request header.

  • Server will authenticate the request based on the token.

  • If the token is valid then the client will get access to the protected resource, otherwise access is denied.

Here is an example which might help you achieve your requirement. Check this document.

Or, more simply, you can do it with Jersey and OAuth.

Also, you can check Apache Oltu and figure out the way to achieve your requirement.

3
votes

A lot of the big companies like Google, Facebook etc. have a separate authorization server from the API server. Check out Google's OAuth authorization flow below: Google OAuth Authorization

You can also check Google's OAuth Documentation for the details.

So all you would need to do is implement an OAuth provider so that you can authorize against that provider. There's a list of libraries available on the OAuth website: http://oauth.net/code. You can specifically look here; there is an example for running an OAuth Service Provider in Java.

2
votes

OAuth can most definitely be a server other than your application server. Below is a picture of what the authentication sequence would look like:

[Image: authentication sequence diagram between client, OAuth server and the Forum application, not reproduced]

-- Obviously, if the forum can't decode or validate the token, the forum would return a 401 status code instead of a 200 status code.

As long as your OAuth server and the Forum share the same public key, you're more than okay with splitting your OAuth server and your application.

In fact, take a look at jwt.io. Paste the token you get from the OAuth server into there. It should be able to decode the token right away. Then, you can put your public key into the 'secret' text box to verify the token is verified.

Your application (Forum, in this example) should be able to do the same:

1) Grab the token from the Authorization header of the request

2) Decode the token

3) Check the expire date

4) Verify the token using the OAuth server's public key

5) Return successful status code or a failure status code