How to use OAuth 2.0 for REST API calls in PHP?
REST APIs are a big part of today’s Internet. Some of the everyday use cases of REST APIs are:
REST API security is essential because an API can expose powerful, mission-critical, and outright dangerous functionality over the Internet. For example, a fintech SaaS application might offer an API that allows you to manipulate your bank accounts, make payments, transfer funds abroad, or download sensitive information like your bank statements or your personal address, name, and SSN. Most web application frameworks provide tools to build secure REST APIs quickly using industry-standard solutions like JSON Web Tokens (JWT) and OAuth 2.0. However, it pays to understand what goes on under the hood and how to authenticate and authorize your API users securely.

In this tutorial, I’ll walk you through building a simple API in PHP from scratch and integrating it with Okta to provide user authentication. Okta is an API service that allows you to create, edit, and securely store user accounts and user account data, and connect them with one or more applications. The tutorial will not rely on any external libraries to implement the Okta integration or to work with the JWT access tokens. The only prerequisites are PHP, Composer, and a free Okta developer account.

Create the REST API Skeleton

Start by creating a blank project with a In the
Install the dependencies: This will create a Create a
Create a
There are two sets of credentials - one for the Service application (the REST API), and one for the Client application which will make use of the API. Some of the variables will be shared between the two applications (the Issuer, Scope, and Audience). Create a
Copy the
Implement the Initial REST API Version

The REST API will have 3 public endpoints:
The initial version will not require any authentication/authorization. Create a
Modify the
Start the built-in PHP server and test the front controller:
Load
You will need a tool like Postman to test the full API, including the POST requests. Note: when making POST requests, make sure to set the content type to JSON (
Use Postman to confirm that the three correct routes are displayed and all other URLs result in a 404 Not Found response before proceeding further. Create a
Modify
Test the route endpoints in Postman again and confirm they generate the expected JSON responses.

Using Okta and OAuth 2.0 to Secure the API

The API will use Okta as the authorization server. You’ll implement the Client Credentials Flow in this exercise. This flow is recommended for machine-to-machine authentication when the client is private and can hold a secret. For simplicity in this article, both the client and server applications will be stored in the same repository and will share parts of the Okta configuration. The authorization process works like this:
There are two ways to verify the token:
The API will use the local method to authorize the When using the local verification, it’s possible that the user could be suspended at Okta but the token would still be considered valid by the API server, because it does not check the user status in real time; it only verifies the validity of the provided token.

Setting Up Okta

Log into your Okta account or create a new one for free, create your authorization server, and set up your client application. Log in to your developer console, navigate to API, then to the Authorization Servers tab. Click on the link to your default server. Copy the
Click the Edit icon, go to the Scopes tab and click Add Scope to add a scope for the REST API. Name it Add the scope to the Create a Client Application next. Go to Applications, click Add Application, select Service, then click Next. Title the service Customer Manager and click Done. Copy the Client ID and Client Secret from the screen, and put them in the
Finally, create another client application (Service Application) to represent the API, because the API doesn’t have access to the client app credentials, but it would need client credentials to authorize itself when accessing some of the Okta endpoints. Go to Applications, click Add Application, select Service, then click Next. Title the service Customer Manager API and click Done. Copy the Client ID and Client Secret from the screen and put them in the
Obtain an Access Token from Okta

Create a new
Call the file from the command line and copy the token: The token should look something like this:
Update the front controller so it requires authorization for all API endpoints (using local validation for the index and store methods, and remote validation for the charge method). Here’s the full code of
There’s a lot going on here but the most important parts are:
The local authentication verifies the following attributes of the token:
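The checks that the local validation performs, written out as an added example rather than the tutorial's own code. It assumes the issuer's JWKS document (Okta serves it at the issuer's /v1/keys endpoint) has already been fetched into $jwks, and takes the issuer, audience, client ID and scope name you copied from the Okta console as parameters; the function names are ours.

```php
<?php
// Added example, not the tutorial's own code: offline (local) validation of an
// Okta-issued RS256 access token with no JWT library. $jwks is the decoded JSON
// from the issuer's /v1/keys endpoint (fetched and cached elsewhere).
function b64u(string $s): string {
    return (string) base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
}
// Minimal DER encoder: wraps the JWK modulus/exponent as a SubjectPublicKeyInfo PEM
// so openssl_verify() can consume it.
function derLen(int $n): string {
    if ($n < 128) { return chr($n); }
    $b = ltrim(pack('N', $n), "\0");
    return chr(0x80 | strlen($b)) . $b;
}
function derInt(string $bin): string {
    if (ord($bin[0]) & 0x80) { $bin = "\0" . $bin; }  // keep the INTEGER positive
    return "\x02" . derLen(strlen($bin)) . $bin;
}
function jwkToPem(array $jwk): string {
    $rsa = derInt(b64u($jwk['n'])) . derInt(b64u($jwk['e']));
    $rsa = "\x30" . derLen(strlen($rsa)) . $rsa;                 // RSAPublicKey SEQUENCE
    $bits = "\x03" . derLen(strlen($rsa) + 1) . "\0" . $rsa;     // BIT STRING, 0 unused bits
    $alg = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"; // rsaEncryption OID + NULL
    $spki = "\x30" . derLen(strlen($alg . $bits)) . $alg . $bits;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}
// Returns the claims array when every check passes, otherwise a string naming the first failed check.
function verifyLocally(string $jwt, array $jwks, string $issuer, string $audience, string $clientId, string $scope) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return 'malformed token'; }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64u($h), true);
    $claims = json_decode(b64u($p), true);
    if (!is_array($header) || !is_array($claims)) { return 'undecodable token'; }
    if (($header['alg'] ?? '') !== 'RS256') { return 'unexpected alg'; }  // reject alg=none / HS256 downgrade
    $jwk = null;
    foreach ($jwks['keys'] ?? [] as $k) {
        if (($k['kid'] ?? null) === ($header['kid'] ?? '')) { $jwk = $k; }
    }
    if ($jwk === null) { return 'unknown kid'; }
    if (openssl_verify("$h.$p", b64u($s), jwkToPem($jwk), OPENSSL_ALGO_SHA256) !== 1) { return 'bad signature'; }
    $now = time();
    if (($claims['exp'] ?? 0) < $now) { return 'expired'; }
    if (($claims['iss'] ?? '') !== $issuer) { return 'wrong issuer'; }
    if (($claims['aud'] ?? '') !== $audience) { return 'wrong audience'; }
    if (($claims['cid'] ?? '') !== $clientId) { return 'issued to a different client'; }
    if (!in_array($scope, (array) ($claims['scp'] ?? []), true)) { return 'missing scope'; }
    return $claims;
}
```

Verify the signature before trusting any claim, and pin the algorithm: a token whose header claims a different alg must be rejected outright, not verified with whatever it asks for.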
On the next step, you’ll test the authentication using Postman. Provide the access token as an
Test the endpoints again in Postman.
If you don’t provide a valid token, you should get a

Revoking the Access Token

Create a new file
Call the tool like this (replace
Example:
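The three Okta calls this tutorial relies on (the Client Credentials token request, the remote validation used for the charge method, and the revocation above), as an added example that is not the tutorial's code. It assumes the ISSUER, CLIENT_ID, CLIENT_SECRET and SCOPE constants are filled from the values you copied out of the Okta console, and uses Okta's /v1/token, /v1/introspect and /v1/revoke endpoints with plain cURL.

```php
<?php
// Added example, not the tutorial's own code. Placeholders below stand in for the
// issuer URL, the client application's credentials and the custom scope name.
const ISSUER = 'https://{yourOktaDomain}/oauth2/default';
const CLIENT_ID = '{clientId}';
const CLIENT_SECRET = '{clientSecret}';
const SCOPE = '{scopeName}';  // the scope you added to the authorization server

/** Form-encoded POST to an Okta endpoint, authenticating the client with HTTP Basic. */
function oktaPost(string $path, array $params): array {
    $ch = curl_init(ISSUER . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($params),
        CURLOPT_HTTPHEADER => [
            'Accept: application/json',
            'Content-Type: application/x-www-form-urlencoded',
            'Authorization: Basic ' . base64_encode(CLIENT_ID . ':' . CLIENT_SECRET),
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the client secret travels in this request; keep TLS checks on
    ]);
    $body = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false) { throw new RuntimeException('Okta request failed: ' . $path); }
    return ['status' => $status, 'json' => json_decode($body, true) ?? []];
}

/** Client Credentials grant: returns a bearer token carrying the requested scope. */
function getAccessToken(): string {
    $r = oktaPost('/v1/token', ['grant_type' => 'client_credentials', 'scope' => SCOPE]);
    if ($r['status'] !== 200 || empty($r['json']['access_token'])) {
        throw new RuntimeException('token request rejected: ' . json_encode($r['json']));
    }
    return $r['json']['access_token'];
}

/** Remote validation: Okta reports active=false once a token is revoked or expired. */
function introspectToken(string $token): bool {
    $r = oktaPost('/v1/introspect', ['token' => $token, 'token_type_hint' => 'access_token']);
    return $r['status'] === 200 && ($r['json']['active'] ?? false) === true;
}

/** Revocation: after a 200, introspection of the same token returns active=false. */
function revokeToken(string $token): bool {
    $r = oktaPost('/v1/revoke', ['token' => $token, 'token_type_hint' => 'access_token']);
    return $r['status'] === 200;
}
```

Introspection costs a round trip per request, which is why the tutorial reserves it for the sensitive charge endpoint and validates locally elsewhere.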
After revoking the token, try all API calls with that token again. You will see that

Learn More About OAuth 2.0 Authorization in PHP

You can find the whole code example on GitHub. If you would like to dig deeper into the topics covered in this article, the following resources are a great starting point:
How to use OAuth 2.0 for REST API calls?

Creating an OAuth 2.0 provider API:
1. In a command window, change to the project folder that you created in the tutorial Tutorial: Creating an invoke REST API definition.
2. In the API Designer, click the APIs tab.
3. Click Add > OAuth 2.0 Provider API.
4. Complete the fields according to the following table: ...
5. Click Create API.

What is OAuth2 in PHP?

league/oauth2-server is a standards-compliant implementation of an OAuth 2.0 authorization server written in PHP which makes working with OAuth 2.0 trivial. You can easily configure an OAuth 2.0 server to protect your API with access tokens, or allow clients to request new access tokens and refresh them.
How do I pass an OAuth 2.0 token in Postman?

Get the OAuth Access Token (Postman):
1. In Postman, go to Authorization and select OAuth 2.0 as Type.
2. Press the button Get new Access Token.
3. Enter any name for In In

How do I access an API with OAuth?

At a high level, you follow five steps:
1. Obtain OAuth 2.0 credentials from the Google API Console. ...
2. Obtain an access token from the Google Authorization Server. ...
3. Examine scopes of access granted by the user. ...
4. Send the access token to an API. ...
5. Refresh the access token, if necessary.