Implement OAuth 2.0 Authentication with the Laravel API

I am currently creating a web application with an AngularJS front end that interacts with a RESTful API built with Laravel. I'm making good progress, but I'm finding it hard to figure out how to handle user authentication.

I was told that I should use OAuth for authentication, and I decided to use it, as it could be a learning experience for me. The package I use is oauth2-server-laravel.

The main user story is that users register a username and password combination with the application, and then log in to the application with the same username and password. They are authenticated only by username and password, not by any client secret. After logging in, they should be given an access token, which will be sent along with each future request for authentication at the various API endpoints.

The OAuth2 library has a "password flow" grant type, which seems to be what I need, but it also accepts client_id and client_secret parameters that I don't need. The request URI looks something like this:

POST https://www.example.com/oauth/access_token?grant_type=password&client_id=the_client_id&client_secret=the_client_secret&username=the_username&password=the_password&scope=scope1,scope2&state=123456789

But I just want to:

POST https://www.example.com/oauth/access_token?grant_type=password&username=the_username&password=the_password

How can I provide a client id and secret for a user who is not yet authenticated?

Is there any other grant I can use, or is what I want to achieve simply not suited to OAuth?

+7
angularjs authentication php oauth laravel
3 answers

Note that the client id and client secret are not parameters that you must force your end user to pass. They are static and defined in/for your client application (the Angular application in this case).

All you have to do is create an entry for the main application in the oauth_clients table, create a scope with full access in the oauth_scopes table, and send these values when requesting a token.

And that's all, really.

In addition, you may want to use the implicit grant flow when building a JS-only application, since keeping the client secret and the refresh token private in a JS application is unsafe. Using the implicit grant in the final product may look like the SoundCloud login window and is more secure, as the token is obtained on the server side without disclosing the client secret.

Another way to go, if you still want to use the password flow, is to create a proxy for refreshing tokens. The proxy can hide the refresh token in an encrypted HttpOnly cookie, so your JS application does not ask your API for a new token but asks the proxy instead. The proxy reads the refresh token from the encrypted cookie, asks the API for the new token and returns it. This way, the refresh token is never exposed. If you set the token TTL to, say, an hour, then stealing the token will be completely "pointless*" in the case of a regular application, and stealing the refresh token will be "impossible".

* Of course, if someone really wants to, they can probably crack it.

And yes, I know that all this looks a bit hacky: modal login windows, proxies, etc. But even after researching this topic, I could not find a better or more elegant way to do it. I think this is still a flaw that all JS applications have to deal with if you want token authentication.

+9

You are missing something about the OAuth specification. client_id and client_secret really are important when requesting an access token with the OAuth v2 password grant. In fact, they are important for every grant that gives you an access token. They identify the application or server that made the request.

For example, let's say you have your API, 2 mobile applications and another server that performs some tasks with your API. You would create 3 clients, each with its own client_id and client_secret. If your application has different access levels (they are called scopes in OAuth v2), the client_id corresponding to the other server will be able to call your API functions that require the admin scope, while your mobile applications will only be able to call your API functions that require the basic scope, if you defined scopes like this.

If your API grows in the future, this is really important. Another example: suppose you gave an API key (a client_id and client_secret pair) to one of your friends, and he created a nice mobile application with your API. If one day he starts doing naughty things with your API, you won't be able to stop him very easily. Whereas you could just revoke his key pair if you followed the principles of OAuth v2.

OAuth v2 is not easy to understand; don't waste your time, read the specification and good tutorials before developing your API.

Some useful links:

0

Just to add a little to plunntic's excellent answer: remember that the "client" is not tied to the "user", so when I use the password flow I simply define client_id and client_secret as constants in the AngularJS application, to tell the API server: hey, this is the browser application that is being used to request a token.

-1
