Question on protecting an API using AbstractRestfulController with OAuth2

[weierophinney]

I've finally managed securing my controller (extending the AuthController class) as mentioned in the documentation ( https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2 ) :

class MyTestController extends AuthController {

    ...

    public function __construct($serverFactory, UserIdProviderInterface $userIdProvider) {

        parent::__construct($serverFactory, $userIdProvider);
    }

    public function onDispatch(\Zend\Mvc\MvcEvent $e) {

        $server = call_user_func($this->serverFactory, "oauth");

        if (!$server->verifyResourceRequest($this->getOAuth2Request())) {

            $response = $server->getResponse();
            return $this->getApiProblemResponse($response);
        }

        return parent::onDispatch($e);
    }

    ...

As my API is RESTful, I would like to use the AbstractRestfulController as base for my controller. Could you please give me a hint/code example, how to secure a controller which extends the AbstractRestfulController? I have not found any useful information so far regarding this topic (and as I'm still quite new to ZF2, there's a lot to learn).

Any help would be greatly appreciated!

---

Originally posted by @humphrey09 at https://github.com/zfcampus/zf-oauth2/issues/130

[weierophinney]

hi, i have the same problem, have you solved it and can give me a hint?

---

Originally posted by @gnomium at https://github.com/zfcampus/zf-oauth2/issues/130#issuecomment-207287451

[weierophinney]

Well, detailing a thorough answer on OAuth2 workflows and architecture would take ages, and here is definitely not the right place.

Briefly, AuthController is not meant to be extended for "business controllers". Its purpose is to handle authentication requests:

• generating / revoking tokens
• handling authorization code...

and upon success, redirect to the requested routes (controller/action).

What you can do indeed, as referred in https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2, is to inject the server instance (OAuth2\Server) into your controller from its factory and call its methods from your actions ($this->server->verifyResourceRequest...)

Note: forget about this ugly 'onDispatch' call within your controller. Its location should be in a dedicated listener and called from you 'onBootstrap' callback in your module class ;)

---

Originally posted by @jguittard at https://github.com/zfcampus/zf-oauth2/issues/130#issuecomment-228499534

[weierophinney]

@jguittard

Can you please share any code example for injecting the server instance (OAuth2\Server) into controller from its factory and call its methods from actions ?

---

Originally posted by @fahadonline at https://github.com/zfcampus/zf-oauth2/issues/130#issuecomment-235199151