Authentication on a simple PHP RESTful API service
Question
I have a developed a very simple PHP API based on the PHP Slim Framework. It does nothing more then doing some SQL queries and returning an JSON object whenever I call it. I am accessing this API on another website through CURL.
My question is: Since the URL of the API is basically public now, what is the best way of securing it? My first thought was HTTP Basic Auth which would be easy and I could pass through the http headers. However I think it's not really safe as long as there is no HTTPS connection (since the website would literally pass username+password over to the API in plain text). Also I would have to store the credentials in PHP code on my website, which I think is not really optimal.
The next solution I've found is token based authentication, which would have the advantage of not having to authorize on each request but might be more tricky to implement. Also I have no experience with that yet whatsoever.
Also I read OAuth/OAuth2 is the way to go.
The thing is: I am planning to use the same API on a mobile application soon.
Any hints? Thanks!
2 answers
solution1
0 2016-01-12 17:02:51
You could use WS-Security which, even though was designed for SOAP APIs, works quite well with REST APIs as well. It is basically a token-based authentication, with a temporary token and a nonce file on the server side.
You have some libraries that implement this in PHP, if you're looking for examples, for instance a Symfony2 bundle .
WS-Security is the middle-ground between HTTP Basic Auth - which is insecure without HTTPS - and OAuth - which might be more complicated to implement.
solution2
0 2017-04-12 18:04:20
您可以使用此slim-jwt ,它将为jwt提供完整的声明,您可以将其用作中间件
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.