laminas-api-tools / api-tools

Laminas API Tools module for Laminas
https://api-tools.getlaminas.org/documentation
BSD 3-Clause "New" or "Revised" License

Creating new clients in OAuth2 implementation #31

Open michalbundyra opened 4 years ago

michalbundyra commented 4 years ago

I've been playing around with Apigility, the framework does a great job. However, I've been trying to figure out how to implement OAuth2 in a mobile application.

After following the OAuth2 implementation guide, I'm now wondering how to create new clients. I have a workflow I think could work well in my mobile app:

  1. User creates a new account (system creates a new client with client_id, password, username, etc - based on OAuth2 example)
  2. User signs in
  3. System returns token
  4. Client uses the token to access the protected API

I would be using the Username and password access for Public Clients (based on the OAuth2 guide in Apigility's website).

The issue here is how to create a new user in the OAuth2 client table; I was expecting a POST request to mydomain.com/oauth/clients, but of course that doesn't work.

What's the right workflow to achieve this in Apigility?


Originally posted by @manuelro at https://github.com/zfcampus/zf-apigility/issues/159

michalbundyra commented 4 years ago

A User has Clients. The Client table has a reference to User.

This allows one User to have multiple Clients; one per application which implements your API. This diagram may help but it uses a disconnected User so the relationships to User are not mapped.

[image: Entity Relationship Diagram]


Originally posted by @TomHAnderson at https://github.com/zfcampus/zf-apigility/issues/159#issuecomment-208066278

michalbundyra commented 4 years ago

I think I haven't got this straight. Users can be a simple service under my API. How do I connect the users with the clients? Is it done manually? Does Apigility have a faster way for doing this?


Originally posted by @manuelro at https://github.com/zfcampus/zf-apigility/issues/159#issuecomment-208069634

michalbundyra commented 4 years ago

You want specific users to have access to a specific client. That's not what OAuth2 does. You will need to authenticate your users against a list of permissioned clients in order to issue an access token.

Look at it this way: At Facebook if I create a client for my app how do I filter the people that can use my app? I believe the correct answer is: "I don't". The Client entity is owned by a user and there is no other security about who can use a client as long as the authorization code handshake can be performed.

A user is connected to a Client through an Authorization Code, Access Token, or Refresh Token. The user USING the app is linked from one or all of these Tokens. So, given a Client A owned by user 1 where users 2 and 3 are authenticated using the Client A credentials, user 1 is the client owner and users 2 and 3 are authorized for Client A.


Originally posted by @TomHAnderson at https://github.com/zfcampus/zf-apigility/issues/159#issuecomment-208081724
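The data model described in the two comments above (the registration workflow from the opening post, and the owner-versus-authorized-user distinction in TomHAnderson's reply) can be made concrete with a small PHP script. This is an added example, not code from the thread or from api-tools itself. It assumes the table and column names of the bshaffer/oauth2-server-php schema that api-tools-oauth2 builds on (`oauth_clients` with a `user_id` owner column, `oauth_access_tokens` with both `client_id` and `user_id`), and it assumes the client secret is stored as a bcrypt hash, as the api-tools-oauth2 PDO adapter does; everything else (the in-memory SQLite database, the function names, the sample users and client) is constructed here for illustration.

```php
<?php
// Added example: owner vs. authorized users in the OAuth2 client model.
// Uses an in-memory SQLite database so it runs offline; table/column names
// follow the oauth2-server-php schema (assumption, see lead-in).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE oauth_clients (
    client_id     TEXT PRIMARY KEY,
    client_secret TEXT NOT NULL,   -- bcrypt hash, never the plaintext secret
    grant_types   TEXT,
    user_id       TEXT NOT NULL    -- the OWNER of the client (user 1 above)
)');
$pdo->exec('CREATE TABLE oauth_access_tokens (
    access_token TEXT PRIMARY KEY,
    client_id    TEXT NOT NULL,
    user_id      TEXT NOT NULL,    -- the user USING the client (users 2 and 3 above)
    expires      TEXT NOT NULL
)');

/**
 * Step 1 of the workflow: register a client owned by $ownerUserId.
 * The plaintext secret is returned once; only its bcrypt hash is persisted.
 */
function createClient(PDO $pdo, string $clientId, string $ownerUserId, string $grantTypes): string
{
    $secret = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO oauth_clients (client_id, client_secret, grant_types, user_id)
         VALUES (:id, :secret, :grants, :owner)'
    );
    $stmt->execute([
        ':id'     => $clientId,
        ':secret' => password_hash($secret, PASSWORD_BCRYPT),
        ':grants' => $grantTypes,
        ':owner'  => $ownerUserId,
    ]);
    return $secret;
}

/** What the token endpoint checks before issuing anything: a constant-time hash comparison. */
function checkClientCredentials(PDO $pdo, string $clientId, string $secret): bool
{
    $stmt = $pdo->prepare('SELECT client_secret FROM oauth_clients WHERE client_id = :id');
    $stmt->execute([':id' => $clientId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($secret, $row['client_secret']);
}

/** Steps 2-3: a token links a (client, user) pair; this is what "authorizes" a user for a client. */
function issueAccessToken(PDO $pdo, string $clientId, string $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(20));
    $stmt = $pdo->prepare(
        'INSERT INTO oauth_access_tokens (access_token, client_id, user_id, expires)
         VALUES (:t, :c, :u, :e)'
    );
    $stmt->execute([
        ':t' => $token,
        ':c' => $clientId,
        ':u' => $userId,
        ':e' => date('Y-m-d H:i:s', time() + $ttlSeconds),
    ]);
    return $token;
}

/** Users authorized for a client are derived from tokens, not from a per-client allow list. */
function usersAuthorizedForClient(PDO $pdo, string $clientId): array
{
    $stmt = $pdo->prepare(
        'SELECT DISTINCT user_id FROM oauth_access_tokens WHERE client_id = :c ORDER BY user_id'
    );
    $stmt->execute([':c' => $clientId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function expect(bool $cond, string $msg): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed sample data: user 1 owns "Client A"; users 2 and 3 obtain tokens through it.
$secret = createClient($pdo, 'client-a', 'user-1', 'password refresh_token');
expect(checkClientCredentials($pdo, 'client-a', $secret), 'correct secret is accepted');
expect(!checkClientCredentials($pdo, 'client-a', 'not-the-secret'), 'wrong secret is rejected');
expect(!checkClientCredentials($pdo, 'no-such-client', $secret), 'unknown client is rejected');

issueAccessToken($pdo, 'client-a', 'user-2');
issueAccessToken($pdo, 'client-a', 'user-3');
issueAccessToken($pdo, 'client-a', 'user-3'); // a second token does not duplicate the user

$owner = $pdo->query("SELECT user_id FROM oauth_clients WHERE client_id = 'client-a'")->fetchColumn();
expect($owner === 'user-1', 'user 1 is the client owner');
expect(usersAuthorizedForClient($pdo, 'client-a') === ['user-2', 'user-3'], 'users 2 and 3 are authorized');

echo "owner of client-a: {$owner}\n";
echo 'users authorized via client-a: ' . implode(', ', usersAuthorizedForClient($pdo, 'client-a')) . "\n";
```

Run it with `php example.php` (requires the `pdo_sqlite` extension). The point the thread makes is visible in the two tables: ownership lives on `oauth_clients.user_id`, while "who may use the client" is not a column at all but the set of users who have completed a grant and hold a token for that `client_id`. A registration endpoint such as the `POST /oauth/clients` the opening post was looking for would wrap `createClient()`, return the plaintext secret exactly once, and store nothing but the hash.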

michalbundyra commented 4 years ago

I think this thread can be closed. Apigility is not what I'm looking for; it'll be better to have more granular control over what's going on behind the stage, and Laravel will do the job very well. Thanks!


Originally posted by @manuelro at https://github.com/zfcampus/zf-apigility/issues/159#issuecomment-208082949