Secure REST Authentication in PHP

4

I am wondering how to work with system authentication using restful. In my case there will be user / password and permissions / hierarchies for the user, and until then as the most interesting solution found in searches was the work with token, where it is renewed every request to the webservice and sent to the user interface.

Note: The language used is php and the interface will be in html, but the focus is on secure authentication with REST.

For those who already know / have experience on the subject, what is the most appropriate way to work safely in REST for this case?

    
asked by anonymous 20.03.2015 / 13:00

1 answer

4

Working with an REST API developed with PHP / Symfony2 that uses authentication via OAuth v2.

The idea is for the consumer to get an access token with a grant type and that access token has an expiration time of, say, one hour. The authorization happens when the token passes through the Authorization header.

When this access token expires, you can get another token using a refresh token or the user credentials themselves (so the various types of grant type - password, refresh token etc).

The implementation of this protocol involves, in my case, only 4 tables: oauth_access_token (where user access tokens are stored), oauth_client (in which are stored the clients that can get access tokens and refresh tokens - you can even create clients for third parties), oauth_refresh_token (where refresh tokens are stored, which can eventually be exchanged for an access token) and oauth_auth_code .

Anyway, I think this solution is well suited when granting access to your application's resources. Also, I usually protect the TSL connection and use basic authorization on routes that do not require an access token. :)

    
20.03.2015 / 13:18