用于登录功能的OAuth 2.0（令牌）

Question

I am here with some general discussion very famous and interesting topic " Token Based Authentication ".

I need my registered users to login with API. Scenario is quite simple, We want to pass our login details to Server. Server will check the credentials with database. If credentials are proper then Server will create "Session Id" and return back to user (client end). In subsequent requests user just need to pass that "Session Id" to authenticate and access protected data.

Plenty of people suggest about OAuth 2.0 and also some people suggest about Custom Logic. In custom logic they asked to be very sure about security. I read documentation of OAuth and it's good and descriptive. I'm also liking it to use. But wherever I search for OAuth authentication, they are giving example of third party login.

I had installed Php OAuth extension at my side for supporting this feature. In examples they asked to create Request Token first using " getRequestToken " function. Using that Request token they asked to call " getAccessToken " function to get " Access Token ". Using that Access Token just need to call " fetch " to get protected data.

Now my questions are,

1. In my scenario, Do i need Request Token? Is that possible to get Access Token directly
2. What is OAuth Consumer Key and OAuth Consumer Secret key? Do I need such keys in my application? I believe it's used to allow third party applications only. In my case I'm the resource owner and i'm the consumer.
3. Do you guys have any example for me to study?
4. Do you know any well known framework for OAuth for PHP?
5. Is that need any additional database support except "user" table? For storing OAuth details?
6. Any additional documents to study for this would be highly appreciated.

I read different Grant Types in OAuth but confused how to use to achieve my approach.

Thanks in advance.

Answer 1

From what I read, you do not need OAuth at all. OAuth is need if there is a third party involved that needs access to your user resources.

• As you mentioned, you just need a Login API something like https://myserver.com/signin?user=john.doe@gmail.com&password=12345
• After successful login, the server generates a GUID and stores it against the user. You can call it sessionId/cookieId anything you like. Response could be something like '{user:john.doe@gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}' '{user:john.doe@gmail.com; sessionId=KJN93EJMQ3WEC9E8RCQJRE8F9E}'
• For subsequent calls, the sessionId can be passed in the header.
• Server validates the session and lets the user in.

Addtional considerations:

• I am assuming your server is HTTPS and hence the user/pwd on the URL are encrypted.
• For security you might want to invalidate the sessionId have the sessionId renewed periodically.
• Have a logout on which you clear the sessionId against the User.

I think it standard stuff if not the logging in happening via REST.

Answer 2

The requirement that I posted before to login with OAuth2.0.

Usually people assume that OAuth2.0 is only for fetching data by Third Party application from resource center behalf of Resource Owner. That approach is called Authorization Code.

OAuth2.0 has various " Authorization Grant ". There are four types,

1. Authrozation Code
2. Implicit
3. Resource Owner Credentials (User Credentials)
4. Client Credentials

After research, I realize that "Resource Owner Credentials" is best suitable for me. I found one perfect library that helps you to understand background process internally. Here's the GitHub link to download .

Found two major issues here,

1. When I use my Access Token created by my Mozila in Chrome. Surprisingly, It's allowing me to access my private data from other browser.
2. I'm unsure but will this approach work same with AJAX type of calls (jQuery tool)

If anyone has idea then please share.

Thanks,
Sanjay