Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question on protecting an API using AbstractRestfulController with OAuth2 #12

Open
weierophinney opened this issue Dec 31, 2019 · 3 comments
Open

Question on protecting an API using AbstractRestfulController with OAuth2 #12

weierophinney opened this issue Dec 31, 2019 · 3 comments

Comments

@weierophinney
Copy link
Contributor

I've finally managed securing my controller (extending the AuthController class) as mentioned in the documentation ( https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2 ) :

class MyTestController extends AuthController {

    ...

    public function __construct($serverFactory, UserIdProviderInterface $userIdProvider) {

        parent::__construct($serverFactory, $userIdProvider);
    }

    public function onDispatch(\Zend\Mvc\MvcEvent $e) {

        $server = call_user_func($this->serverFactory, "oauth");

        if (!$server->verifyResourceRequest($this->getOAuth2Request())) {

            $response = $server->getResponse();
            return $this->getApiProblemResponse($response);
        }

        return parent::onDispatch($e);
    }

    ...

As my API is RESTful, I would like to use the AbstractRestfulController as base for my controller. Could you please give me a hint/code example, how to secure a controller which extends the AbstractRestfulController? I have not found any useful information so far regarding this topic (and as I'm still quite new to ZF2, there's a lot to learn).

Any help would be greatly appreciated!

Originally posted by @humphrey09 at zfcampus/zf-oauth2#130
@weierophinney
Copy link
Contributor Author

hi,
i have the same problem, have you solved it and can give me a hint?

Originally posted by @gnomium at zfcampus/zf-oauth2#130 (comment)

@weierophinney
Copy link
Contributor Author

Well, detailing a thorough answer on OAuth2 workflows and architecture would take ages, and here is definitely not the right place.

Briefly, AuthController is not meant to be extended for "business controllers". Its purpose is to handle authentication requests:

  • generating / revoking tokens
  • handling authorization code...

and upon success, redirect to the requested routes (controller/action).

What you can do indeed, as referred in https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2, is to inject the server instance (OAuth2\Server) into your controller from its factory and call its methods from your actions ($this->server->verifyResourceRequest...)

Note: forget about this ugly 'onDispatch' call within your controller. Its location should be in a dedicated listener and called from you 'onBootstrap' callback in your module class ;)

Originally posted by @jguittard at zfcampus/zf-oauth2#130 (comment)

@weierophinney
Copy link
Contributor Author

@jguittard

Can you please share any code example for injecting the server instance (OAuth2\Server) into controller from its factory and call its methods from actions ?

Originally posted by @fahadonline at zfcampus/zf-oauth2#130 (comment)

@weierophinney weierophinney mentioned this issue Dec 31, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@weierophinney