I am here with some general discussion of a very famous and interesting topic, "Token Based Authentication".
I need my registered users to log in with an API. The scenario is quite simple: we want to pass our login details to the server. The server will check the credentials against the database. If the credentials are correct, the server will create a "Session Id" and return it to the user (client end). In subsequent requests the user just needs to pass that "Session Id" to authenticate and access protected data.
Plenty of people suggest OAuth 2.0, and some people suggest custom logic. For custom logic they ask you to be very sure about security. I read the OAuth documentation and it's good and descriptive. I'd also like to use it. But wherever I search for OAuth authentication, they give examples of third-party login.
I installed the PHP OAuth extension on my side to support this feature. In the examples they ask you to create a Request Token first using the "getRequestToken" function. Using that Request Token, they ask you to call the "getAccessToken" function to get an "Access Token". Using that Access Token you just need to call "fetch" to get the protected data.
Now my questions are:
I read about the different Grant Types in OAuth but am confused about how to use them to achieve my approach.
Thanks in advance.
From what I read, you do not need OAuth at all. OAuth is needed if there is a third party involved that needs access to your users' resources.
https://myserver.com/signin?user=john.doe@gmail.com&password=12345
{"user": "john.doe@gmail.com", "sessionId": "KJN93EJMQ3WEC9E8RCQJRE8F9E"}
{"user": "john.doe@gmail.com", "sessionId": "KJN93EJMQ3WEC9E8RCQJRE8F9E"}
Additional considerations:
I think it's standard stuff, if not for the logging in happening via REST.
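A worked version of the session-id flow the answer above describes, added here as an example; it is not the answerer's code. It assumes an in-memory user table with a PBKDF2-hashed password and an in-memory session store, both constructed for the example, and an injectable clock so expiry can be exercised. A real deployment would back both tables with the database mentioned in the question, accept the credentials in a POST body rather than the query string so they do not land in access logs or browser history, and carry the session id in a header or cookie over TLS.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

SESSION_TTL = 30 * 60  # seconds a session id stays valid without renewal


def _hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed user table for the example (values are made up; use one random
# salt per user and the real database in practice).
_SALT = bytes.fromhex("0011223344556677")
USERS = {
    "john.doe@gmail.com": {"salt": _SALT, "hash": _hash_password("12345", _SALT)},
}


@dataclass
class SessionStore:
    """Mints and validates session ids the way the answer describes."""

    # keyed by SHA-256 of the session id, so a leaked table yields no usable ids
    _sessions: dict = field(default_factory=dict)
    clock: Callable[[], float] = time.time

    @staticmethod
    def _key(session_id: str) -> str:
        return hashlib.sha256(session_id.encode()).hexdigest()

    def sign_in(self, user: str, password: str) -> Optional[dict]:
        """Check credentials; on success return {'user', 'sessionId'}, else None."""
        record = USERS.get(user)
        # hash even for unknown users so response time does not reveal which accounts exist
        candidate = _hash_password(password, record["salt"] if record else _SALT)
        if record is None or not hmac.compare_digest(candidate, record["hash"]):
            return None
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(session_id)] = {
            "user": user,
            "expires": self.clock() + SESSION_TTL,
        }
        return {"user": user, "sessionId": session_id}

    def authenticate(self, session_id: str) -> Optional[str]:
        """Return the user behind a valid, unexpired session id, else None."""
        key = self._key(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            del self._sessions[key]  # expired: drop it so it cannot be replayed later
            return None
        return entry["user"]

    def sign_out(self, session_id: str) -> None:
        """Invalidate a session id server-side (logout)."""
        self._sessions.pop(self._key(session_id), None)


def get_protected_data(store: SessionStore, session_id: str) -> tuple:
    """What a protected endpoint does: (status, body) given the presented session id."""
    user = store.authenticate(session_id)
    if user is None:
        return 401, {"error": "invalid or expired session"}
    return 200, {"user": user, "data": "protected data"}


if __name__ == "__main__":
    store = SessionStore()
    login = store.sign_in("john.doe@gmail.com", "12345")
    print(login)
    print(get_protected_data(store, login["sessionId"]))
    store.sign_out(login["sessionId"])
    print(get_protected_data(store, login["sessionId"]))
```

The session id is an opaque random string, so the client learns nothing from it and the server needs no secret key to validate it; the price is a server-side lookup on every request, which is what distinguishes this "session id" design from a self-contained token. Storing only a hash of the id and expiring entries bounds the damage from a copied session table or a stolen id.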
The requirement that I posted before was to log in with OAuth 2.0.
Usually people assume that OAuth 2.0 is only for fetching data by a third-party application from the resource center on behalf of the Resource Owner. That approach is called Authorization Code.
OAuth 2.0 has various "Authorization Grants". There are four types:
After research, I realized that "Resource Owner Credentials" is best suited for me. I found one perfect library that helps you understand the background process internally. Here's the GitHub link to download.
I found two major issues here:
If anyone has an idea then please share.
Thanks,
Sanjay
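The Resource Owner Password Credentials exchange that the follow-up settles on (RFC 6749 section 4.3), written out as an added example; it is not code from the library the post links to, which the page does not show. Constructed for the example: one registered client `my-mobile-app` with a client secret, one user record with a PBKDF2-hashed password, and an in-memory token table. The endpoint functions take the HTTP headers and form body as plain Python values instead of a real web framework, and the refresh_token grant (section 6) is included because a password grant without it forces the app to keep the user's password around.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

ACCESS_TTL = 3600  # seconds; reported to the client as expires_in

# Constructed registration data for the example (values are made up).
CLIENTS = {"my-mobile-app": "s3cr3t-client-secret"}
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"john.doe@gmail.com": _pw_hash("12345")}

# sha256(token) -> (kind, user, expiry); keyed by hash so a leaked table is unusable
TOKENS: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def basic_auth(client_id: str, secret: str) -> dict:
    """Client authentication header (RFC 6749 section 2.3.1): HTTP Basic over TLS."""
    raw = f"{client_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def form_body(**fields) -> str:
    """application/x-www-form-urlencoded body, as the token endpoint expects."""
    return urlencode(fields)


def _client_ok(headers: dict) -> bool:
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    expected = CLIENTS.get(client_id)
    return expected is not None and hmac.compare_digest(secret.encode(), expected.encode())


def _issue(user: str, now: float) -> dict:
    """Mint a fresh access/refresh pair; this is the section 5.1 success response."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    TOKENS[_digest(access)] = ("access", user, now + ACCESS_TTL)
    TOKENS[_digest(refresh)] = ("refresh", user, None)  # long-lived; rotated on use
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def token_endpoint(headers: dict, body: str, now: Optional[float] = None) -> tuple:
    """POST /token: password grant (section 4.3) and refresh_token grant (section 6)."""
    now = time.time() if now is None else now
    if not _client_ok(headers):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "password":
        user, password = form.get("username", ""), form.get("password", "")
        stored = USERS.get(user)
        # hash regardless, so an unknown user costs the same time as a wrong password
        if stored is None or not hmac.compare_digest(_pw_hash(password), stored):
            return 400, {"error": "invalid_grant"}
        return 200, _issue(user, now)
    if grant == "refresh_token":
        entry = TOKENS.pop(_digest(form.get("refresh_token", "")), None)
        if entry is None or entry[0] != "refresh":
            return 400, {"error": "invalid_grant"}
        return 200, _issue(entry[1], now)  # old refresh token was popped: single use
    return 400, {"error": "unsupported_grant_type"}


def protected_resource(headers: dict, now: Optional[float] = None) -> tuple:
    """Resource server side: expects 'Authorization: Bearer <access_token>' (RFC 6750)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    entry = TOKENS.get(_digest(auth[7:]))
    if entry is None or entry[0] != "access" or entry[2] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"user": entry[1], "data": "protected data"}


if __name__ == "__main__":
    hdr = basic_auth("my-mobile-app", "s3cr3t-client-secret")
    body = form_body(grant_type="password", username="john.doe@gmail.com", password="12345")
    status, tok = token_endpoint(hdr, body)
    print(status, tok)
    print(protected_resource({"Authorization": "Bearer " + tok["access_token"]}))
```

The shape is the same as the plain session-id design from the earlier answer (random opaque token, server-side table, expiry); what the grant adds is a second identity, the registered client, which must authenticate before any user credentials are accepted, plus the standard error codes and the refresh step so the app can discard the password immediately after the first exchange. Because the password grant hands the user's password to the app itself, it only makes sense for a first-party client you control, which is the case the post describes.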
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.