2014-09-30 22:44:18 +01:00
|
|
|
---
|
|
|
|
layout: default
|
|
|
|
title: Securing your API
|
|
|
|
permalink: /resource-server/securing-your-api/
|
|
|
|
---
|
|
|
|
|
|
|
|
# Securing your API
|
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
This library provides a PSR-7 friendly resource server middleware that can validate access tokens.
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
## Setup
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
Wherever you intialize your objects, initialize a new instance of the resource server with the storage interfaces:
|
|
|
|
|
|
|
|
{% highlight php %}
|
|
|
|
// Init our repositories
|
|
|
|
$clientRepository = new ClientRepository();
|
|
|
|
$accessTokenRepository = new AccessTokenRepository();
|
|
|
|
$scopeRepository = new ScopeRepository();
|
|
|
|
|
|
|
|
// Path to public and private keys
|
|
|
|
$privateKeyPath = 'file://path/to/private.key';
|
|
|
|
$publicKeyPath = 'file://path/to/public.key';
|
|
|
|
|
|
|
|
// Setup the authorization server
|
|
|
|
$server = new \League\OAuth2\Server\Server(
|
|
|
|
$clientRepository,
|
|
|
|
$accessTokenRepository,
|
|
|
|
$scopeRepository,
|
|
|
|
$privateKeyPath,
|
|
|
|
$publicKeyPath
|
2014-09-30 22:44:18 +01:00
|
|
|
);
|
2016-03-24 15:45:40 +00:00
|
|
|
{% endhighlight %}
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
Then add the middleware to your stack:
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
{% highlight php %}
|
|
|
|
new \League\OAuth2\Server\Middleware\ResourceServerMiddleware($server);
|
|
|
|
{% endhighlight %}
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
## Implementation
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
The authorization header on an incoming request will automatically be validated.
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
If the access token is valid the following attributes will be set on the ServerRequest:
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
* `oauth_access_token_id` - the access token identifier
|
|
|
|
* `oauth_client_id` - the client identifier
|
|
|
|
* `oauth_user_id` - the user identifier represented by the access token
|
|
|
|
* `oauth_scopes` - an array of string scope identifiers
|
2014-09-30 22:44:18 +01:00
|
|
|
|
2016-03-24 15:45:40 +00:00
|
|
|
If the authorization is invalid an instance of `OAuthServerException::accessDenied` will be thrown.
|