FuelPHP Forums

Opauth/Oauth + Rest API
  • So I am trying to secure my API with REST login, and have been trying to get Opauth to play nice with REST but can't. Optimally I want a user to be able to post to some route with an authentication strategy, i.e. Facebook, and get a message back either containing the link to visit or responding with "already logged in". Once they have visited the URL they can then go back to the original route and it will either create or log in the user from the FB details.

    Is this possible or should I be approaching this in another way?

    TLDR: How can I use OAuth (fbauth) with a RESTful API?
  • That might prove to be a challenge. RESTful services are per definition not (user) interactive, but OAuth authentication is.

    Fuel's Auth class only uses Opauth for the initial login; once done, it uses its own internal tracking of the login, based on information in the session. So if this is RESTful in function of ajax calls in an interactive application, you can do the OAuth authentication in a standard controller, and have your RESTful controllers use Auth::check() to check for a valid user, like you would do in standard controllers.

    If you want stateless RESTful methods, you need to pass a token back and forth. http://blog.cloudfoundry.com/2012/10/09/securing-restful-web-services-with-oauth2/ is an interesting read.
  • Thanks, that's what I was starting to work out. I think I may have to make my API have "default/basic" auth and then get the front end web app to do all the OAuth and get the userid/email, then send it to the API, which would force login the user.
  • I have been working on a project with a somewhat similar necessity but using LDAP as the authentication method. My solution was to extend OrmAuth and use the username and login_hash as a token. In my case, the reason I chose OrmAuth was so that I could take advantage of some of its other built-in features.

    But obviously OrmAuth isn't the only solution. Consider extending OpAuth and creating some override methods that would allow you to store an identifier (like auth.uid@auth.provider) and generate tokens like the link Harro provided describes.

    I would just like to add that I have not really dug into the OpAuth code like I have OrmAuth. But I am familiar with the process of using 3rd party authentication using the REST controller. Having a token that can be passed back and forth is key (no pun intended).
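
The stateless approach the replies converge on, a token passed back and forth, sketched in plain PHP as an added example (not code from the thread or from FuelPHP). The API issues a signed, expiring token once the OAuth login has completed and checks it on every REST call, so it never has to trust a user id or email supplied by the client; `issue_token`, `verify_token`, the key handling and the sample identity are hypothetical names and constructed values.

```php
<?php
// Added example: all function names and sample values here are hypothetical.

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt) {
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// Called once, server-side, after the interactive OAuth login has succeeded.
function issue_token(string $identity, string $key, int $ttl = 900, ?int $now = null): string {
    $body = b64url(json_encode([
        'sub' => $identity,                 // e.g. "auth.uid@auth.provider"
        'exp' => ($now ?? time()) + $ttl,   // short lifetime limits replay
        'jti' => bin2hex(random_bytes(8)),  // unique id a revocation list could key on
    ]));
    return $body . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Called on every REST request; returns the identity, or null if rejected.
function verify_token(string $token, string $key, ?int $now = null): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;
    }
    $claims = json_decode((string) b64url_decode($body), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) {
        return null;
    }
    return ($now ?? time()) < $claims['exp'] ? $claims['sub'] : null;
}

// Constructed sample run: a valid call, an expired call, and a modified token.
$key   = random_bytes(32);  // in practice a server-side secret, never sent to clients
$token = issue_token('1234567890@Facebook', $key, 900, 1700000000);
var_dump(verify_token($token, $key, 1700000100));
var_dump(verify_token($token, $key, 1700001000));
var_dump(verify_token('x' . substr($token, 1), $key, 1700000100));
```

The token only protects the identity claim if it travels over TLS and the signing key stays on the server.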
