
I have set up a Symfony based API which is being used by an Angular front end which is totally dependent on it (user registration included).

I have read multiple threads recommending using WSSE or FOSOAuthServerBundle, but I'm not sure about the best method?

If I understood correctly, WSSE has to send x-wsse headers for each API request, which makes me think it is not the best suited for performance.

As for FOSOAuthServerBundle, I have never used it and it looks a bit complicated to me compared to WSSE, which is why I'm asking here before trying to implement it.

I have two simple groups of users (basic and admin). What would be the best way to secure my API, additionally providing an easy way to keep user persistence (I mean access across the different pages)?

How should it be on the Angular front side?

Thanks for your help.

Refs: http://blog.tankist.de/blog/2013/07/16/oauth2-explained-part-1-principles-and-terminology/

http://obtao.com/blog/2013/06/configure-wsse-on-symfony-with-fosrestbundle/

1 Answer

It all depends on what your requirements are.

First of all, OAuth 2 is an authentication mechanism/spec which you can use in combination with sessions/bearer tokens/... This also applies to local accounts (since you want to do user registration).

FOSOAuthServerBundle is a bundle to implement the server side of the OAuth2 specification. This basically means you can expose your OAuth2 side of the API to other applications and allow them to use your accounts to authenticate. Think Google login, Twitter login, etc., but for your own app.

This all has nothing to do with the way you validate / authorize your requests after the initial login has taken place.

Do you want to implement stateless authentication? Then I would recommend using the new JSON Web Token (JWT) specification.

See Symfony Bundle (LexikJWTAuthenticationBundle) and JWT description (JWT.io)

There are many resources on it from the Angular side of things, and the API part is pretty straightforward.

WSSE does not seem suited to implementation in a RESTful API, and I have no experience using/implementing it, so I cannot comment on it too much.
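As an added illustration of the stateless JWT flow the answer recommends (example code written for this page, not the answerer's or LexikJWTAuthenticationBundle's own), here is a self-contained PHP sketch that issues an HS256 token carrying the question's two user groups as roles at login and verifies it on each request; the secret, claim names and role names are assumptions.

```php
<?php
// Added illustration of the stateless JWT flow the answer recommends:
// a hand-rolled HS256 token, NOT LexikJWTAuthenticationBundle's code.
// Secret, claim names and role names are assumptions for this example.
function b64url(string $d): string { return rtrim(strtr(base64_encode($d), '+/', '-_'), '='); }
function b64urlDecode(string $d): string { return base64_decode(strtr($d, '-_', '+/')); }

// Issued once at login; the server keeps no session afterwards.
function issueToken(string $user, array $roles, string $secret, int $ttl = 3600): string {
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $user, 'roles' => $roles,
                                   'iat' => time(), 'exp' => time() + $ttl]));
    $sig = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Run on every request carrying "Authorization: Bearer <token>".
// Returns the claims, or null when the token must be rejected.
function verifyToken(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    $hdr = json_decode(b64urlDecode($header), true);
    if (($hdr['alg'] ?? null) !== 'HS256') {   // pin the algorithm; never trust "alg" from the token
        return null;
    }
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) {       // constant-time signature check
        return null;
    }
    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null;                           // malformed or expired
    }
    return $claims;
}

// Authorization: the question's two groups become two roles.
function canAccessAdmin(?array $claims): bool {
    return $claims !== null && in_array('ROLE_ADMIN', $claims['roles'] ?? [], true);
}

$secret = 'replace-with-a-long-random-secret';   // placeholder; load from config in practice
$admin  = issueToken('alice', ['ROLE_USER', 'ROLE_ADMIN'], $secret);
$basic  = issueToken('bob', ['ROLE_USER'], $secret);
var_dump(canAccessAdmin(verifyToken($admin, $secret)));   // holder of ROLE_ADMIN
var_dump(canAccessAdmin(verifyToken($basic, $secret)));   // ROLE_USER only
var_dump(verifyToken($admin . 'x', $secret));             // tampered signature
```

On the Angular side the client only has to store the token after login and send it as a Bearer header on each request; because the roles and expiry live in the signed token, no server-side session is needed for the user to stay logged in across pages.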


4 Comments

Would definitely concur with going down the JWT / LexikJWTAuthenticationBundle route. Unless you specifically need some of the extra features, WSSE and OAuth are really overkill for most APIs.
@BartVanRemortele not sure why my comment was removed by moderators :-S Well, it's not an authentication protocol at all. It does not authenticate a user; that's the purpose of an IP, which OAuth2 does not provide facilities for.
@BartVanRemortele OAuth can authorize authentication, that's correct. But it does not have to (and nothing in the standard mentions authentication, like at all). Every dog is a mammal, not every mammal is a dog. "How can you use OAuth to authorise when you have not validated who a person is?" --- actually, very easily. An auth token does not have to be associated with any user, any account or anything similar. "It's an authorization protocol to authorize third party apps to verify the identity of a user." --- it's not. It's to authorize 3rd-party apps to act on behalf, not authenticate.
"The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service" And I'm done here. Have fun.
