Connect angularjs webapp to REST API (PHP)

StackOverflow https://stackoverflow.com/questions/23675765

سؤال

I have a REST API written in PHP(Slim framework) and my API contains some admin routes for managing private data. I've implemented oAuth2.0 for authorization(this php implementation).

I like to use AngularJS for creating an admin webapplication so users can manage their own data.

I'm now using username-password flow but i'm reading that this is not secure because my webapp exposes client_id & client_secret.

I also looked into implicit grant ( designed for public clients) but it says that it should be for read only purposes.

I also want to use this API for supplying data for mobile apps. Users don't have to sign in for this but data isn't public.

Which oauth grant is suitable for this scenario / setup?

هل كانت مفيدة؟

المحلول

Take a look at Resource Owner Password Credentials Grant. Which is the 4th bullet point in the second link that you provided. password (user credentials)

https://www.rfc-editor.org/rfc/rfc6749#section-4.3

Simply put:

  1. User sends their login and password
  2. Server grants user access_token (equivalent to the old cookie session id)
  3. User sends access_token with the remainder of their requests

Also, If you want to give mobile devices access while keeping data private i'd suggest generating "free" accounts linked to mobile mac addresses. Then have them go through the above said authentication with their mac address as login / password as empty. That way you can implement the same user logic to mobile with throttle/ban/upgrade/etc per device.

نصائح أخرى

I know I'm posting Python to a PHP question but it's not about the code. The example (http://python-eve.org/authentication.html#auth) explains in detail what auth methods are available for a good REST API and it might be useful for your application.

If you're not happy with implicit or username-password that leaves client credentials or authorization code.

Client credentials is not applicable in this situation because it's not possible to secure the credential in a javascript application running on a browser (it might not even be possible to use the client credential if you're talking about a certificate).

So Authorization Code is your only option.

However, you can't secure the client secret in the authorization code flow.

Implicit is really your only OAuth2 option for a browser application. There is a section in the OAuth threat model discussing the potential issues and mitigations. https://www.rfc-editor.org/rfc/rfc6819#section-4.4.2

Here is another question about the security implications of implicit grant. How secure is Oauth 2.0 Implicit Grant?

Since Stack overflow is dumb I can't comment since i don't frequent this site. However before I can offer a solution I am wondering what situation you have that required a user to not be logged in to update data?

مرخصة بموجب: CC-BY-SA مع الإسناد
لا تنتمي إلى StackOverflow
scroll top