I'm building a REST API on symfony2 and I'm not sure what would be the best way to manage different security levels.

  • Unauthenticated clients (apps or websites that have no permission to reach the API data) can't get (get, put, post, etc) data from the API
  • Authenticated clients will be able to request some data from the API but not user related data.
  • On the other hand, end users need to be logged in somehow to access some private resources from the API.

For example, api/v1/philosophies would list all the philosophies to an authenticated client. Unregistered end users could see the list: 'idealism, realism, existentialism, ...'. But end users would need to be authorized (registered and logged in) to access their favorite philosophies through api/v1/user/{userID}/favorites.

I've been reading and testing stuff with FOSUserBundle, FOSRestBundle and FOSOAuthServerBundle, but all the information I find always has the users logged in in order to get the token, and the whole API is protected both by client and by users.

Any idea?

Some light?

Please?

FOSRest and FOSAuth will work fine for what you need, it just looks like you will need to change the way your access is defined in security.yml. The only reason you always have to be logged in to access resources is because the resources are protected. If you have a resource that you want to allow anonymous access to, then make that entry in security.yml, something like this:

security:
    access_control:
        # Rules are matched top to bottom; the first matching path wins.
        # The '$' anchors the rule to exactly /api/v1/philosophies.
        - { path: ^/api/v1/philosophies$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Everything else under /api/v1 requires a fully authenticated token.
        - { path: ^/api/v1, roles: IS_AUTHENTICATED_FULLY }

This would make /api/v1/philosophies accessible without logging in, but all other resources would still be protected. You can read more about this in the docs: Securing specific URL patterns.

In the end, you are the one that decides what resources are protected or not. FOSOAuth has nothing to do with that decision.
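The snippet above opens the philosophies list to everyone, including clients that never authenticated, which is the case the question's first bullet wants to exclude. The following security.yml is an added example, not part of the original answer or of any bundle's documentation, showing how the three tiers (no client, authenticated client, logged-in user) can be expressed with FOSOAuthServerBundle alone. It assumes the firewall names `oauth_token` and `api`, an OAuth scope named `api`, numeric user IDs in the URL, and that users loaded by FOSUserBundle carry ROLE_USER. It relies on the bundle's OAuthProvider turning each scope on a token into a role named ROLE_<SCOPE> (ROLE_API here), which is how a client_credentials token with no user behind it can still pass an access rule; verify that behaviour in the provider class of the version you install.

```yaml
# security.yml (added example; names of firewalls and the 'api' scope are assumptions)
security:
    firewalls:
        # Token endpoint: clients present client_id/client_secret here, so the
        # firewall itself must not demand a token.
        oauth_token:
            pattern:   ^/oauth/v2/token
            security:  false

        # Everything under /api requires a bearer token issued by FOSOAuthServerBundle.
        # anonymous: false means a request with no token is rejected before any
        # access_control rule is consulted, which is the "unauthenticated client" tier.
        api:
            pattern:   ^/api
            fos_oauth: true
            stateless: true
            anonymous: false

    access_control:
        # Rules are evaluated top to bottom and the first match wins, so the
        # narrower per-user path has to come before the broader ones.
        # ROLE_USER is only present on tokens bound to a logged-in user
        # (password or authorization_code grant), never on a client_credentials token.
        - { path: ^/api/v1/user/\d+/favorites$, roles: ROLE_USER }

        # ROLE_API is derived from the 'api' scope on the token. A client that
        # obtained a client_credentials token with scope=api gets here without
        # any end user; a user-bound token requested with the same scope does too.
        - { path: ^/api/v1/philosophies$, roles: ROLE_API }

        # Anything else under /api needs at least a valid token of some kind.
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

Two things this configuration does not do. First, clients have to ask for the `api` scope when they request a token (both for the client_credentials flow and for end-user flows), otherwise ROLE_API is never granted and the philosophies rule returns 403. Second, the favorites rule only checks that some logged-in user is calling; it does not check that the `{userID}` in the path belongs to that user, so the controller still has to compare the authenticated user's id with the path parameter and return 403 on mismatch, or any registered user can read any other user's favorites.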

9 Comments

So what would be the flow for clients in order to use the API? Get the token through /oauth/v2/auth // /oauth/v2/token on initialize and then use the API. Whenever the end user tries to access information from a protected part of the API, the API would return a login form? I understand the API should return an unauthorized access error or something like that and the user should log in somehow. I thought the user would log in through OAuth also. I'm a bit confused.
if the user gets an oAuth token, then he is already logged in, so there is no need for a login form. As long as he has a token, he should be able to access any protected part of the api.
Mh... I think I'm getting it all wrong then. How do I know which websites or apps have access to the API? I thought I would use OAuth for that too.
in order for an app or website to have access to your api, you have to give them a client_id and client_secret. So you control who has access to your api.
oAuth2 has several 'grant_types'. Read this blog post, it will help you understand the different oAuth concepts, and is a great tutorial for setting up the FOSOAuthServerBundle