使用 OAuth2 客户端凭据流保护用 PHP 编写的 REST API
我正在使用 Symfony2 在 PHP 中编写 REST API.此 API 旨在供个人网站使用以访问数据,这将由客户端库完成.
I am writing a REST API in PHP using Symfony2. This API is intended to be used by individual websites to access data and this will be done by a client side library.
但是,我需要保护 API,事实证明这有点令人困惑.我做了一些研究,据我所知,一个好方法似乎是将 OAuth2 与客户端凭据流一起使用(请参阅 RFC 草案).我不得不承认,我仍然不清楚它究竟是如何工作的细节,但我一直在阅读它是如此简单.我想我的第一个问题是:这是要走的路还是我走错了方向?我应该使用其他方法来验证客户端吗?请记住,我需要身份、身份验证和授权.
I need to secure the API however and this is proving to be a bit confusing. I have done some research and as far as I can tell, a good way seems to be to use OAuth2 with the client credentials flow (see RFC draft). I have to admit, I am still fuzzy on the details of how exactly this works but I keep reading that it is so simple. I suppose my first question is: Is this the way to go or have I gone off in the wrong direction? Should I use some other method for authenticating clients? Please bear in mind that I need identity, authentication and authorisation.
如果是,使用客户端凭据的 OAuth2 是一种方法,那么我问:在 PHP 中实现此目的的最佳方法是什么?真的有人这样做过吗?到目前为止,我一直在尝试使用 oauth2-php 和 bundle 没有太多运气.尽管我不太确定,但该捆绑包似乎专注于 3-legged 身份验证.我想知道最好的做法是否是使用 oauth2-php 包手动完成?
If yes, OAuth2 using the client credentials is the way to, then I ask: What is the best way of accomplishing this in PHP? Has anyone actually done this? So far I have been trying to use oauth2-php along with a bundle without too much luck. That bundle seems to focus on 3-legged authentication although I am not quite sure. I was wondering if the best course of action would be to do it manually using the oauth2-php package perhaps?
我将不胜感激任何有关此的信息.提前致谢!
I would greatly appreciate any information on this. Thanks in advance!
Heidar,
我目前正在从事一个类似的项目,这是我目前所发现的.
I am currently working on a similar project and this is what I found so far.
Oauth 正式授权一个网站与网络上的其他资源,Facebook 发现自动化和身份验证的整个分离对其开发人员基础感到困惑,并开始将 Oauth 用于两者.由于它是开发人员一直在关注的主要参与者.
Oauth is officially to authorize a website with a other resource on the web, Facebook found the whole seperation of autorization and authentication to confusing for its developer base, and started using Oauth for both. Since it its a major player developers have been tagging on.
尽管我不太确定您声明中的身份部分是什么意思,但您需要身份、身份验证和授权".
Even though I am not really sure what you mean with the Identity part in your statement, that you need "identity, authentication and authorisation."
您可以将 Oauth 用于其他两个,这是从所有大型互联网公司都这样做的事实中扣除的(在这方面我可以为您做的最好,Oauth 文档说它仅用于授权).
You can use Oauth for the other two, deducted from the fact that all big internet companies do so (best I can do for you on this front,Oauth docs say it is only for Authorization).
Google 提供了一个维护得很好的客户端库:http://code.google.com/p/google-api-php-client/wiki/OAuth2
Google offers a client library that is maintained quite well: http://code.google.com/p/google-api-php-client/wiki/OAuth2
此外,对于服务器端库,我将转向 oauth2-php,如您所指,位于 https://github.com/quizlet/oauth2-php 但请参阅这篇文章了解更多详情:是否有 OAuth 2 服务器端 PHP 或 Java 实现?
further more, for server side library I would turn to oauth2-php as you refer to, at https://github.com/quizlet/oauth2-php But please see this post for more details: Are there OAuth 2 server side PHP or Java implementations?
关于 3-legged 身份验证,请在此处查看答案(它确实很广泛,但解释得很好)OAuth 2.0:优点和用例 - 为什么?
and on the part of the 3-legged authentication please see the answer here (it's really extensive but explains it well) OAuth 2.0: Benefits and use cases — why?
请记住,我仍在努力实现这一点.
Please keep in mind though that I am still struggling with actually implementing this.