Login using a remote API

Hi,

I’m creating a website using Yii2 and have a remote API offered by an internal program that my client is using. I’m creating a website that will act as kind of a proxy, as I won’t have any data on my server; everything will be stored in the remote API.

So, the client will log into the site I’m developing, and it will send an API request to the remote server to check whether the login is successful or not. If the login is successful, the remote API will return me an access token.

I have experience with Yii1, but this is going to be my first Yii2 project. I’m a bit lost with the authentication system used in Yii2, and I’m not completely sure about this point.

Can anyone please give an insight or an example to keep me moving?

Thank you very much in advance.

What’s remote authentication? OAuth2? If yes, there’s a handy extension: https://github.com/yiisoft/yii2-authclient

Authentication itself is described well in the guide.

hey @samdark, thanks for the reply.

The authentication is an endpoint that will give me a token that I will need to use in the subsequent calls. I think it is old and custom-made, so no OAuth.

I ended up calling the API and, if authenticated, I store the access_token in a session. I’m not quite sure if that’s a security issue (I think it is), but I needed to keep moving, and I will have to take a closer look at it before pushing to production.

The problem with the guide is that it assumes that we have the users to check the credentials, and in this particular (and weird, I know) case I don’t.

Thanks again in advance.

Then I’d fetch token by client application and pass it to the server with each request (there’s no session concept in REST). Server would validate and cache token so there will be no constant requests to a third party server.

But the access_token will be per user, so I need to know which user has which access token. I don’t see any other way to do that than using sessions.

For example, let’s pretend I’ve been provided with an endpoint called login and another called invoices.

You browse my site, try to log into my site, my site calls the login endpoint and it returns an access token (for your user).

Then, when you browse to invoices, my website makes a call to the invoices endpoint sending your access_token.

I don’t know if I’m being very clear.

I very much appreciate the time you are putting into this, Sam.

You should obtain user <-> token binding info from the authentication server, cache it and use it.

Hey @chux

Did you find a resolution to this issue?
I have exactly the same issue in that I am building a webapp that relies solely on a backend REST API for its content.
As such the authorisation is done through the api login call and an access_token and refresh token are returned on successful login.
How and where to cache these tokens for use in the current web session to make valid api calls to the backend is really confusing me ;(

I cannot seem to work out how to use the IdentityInterface calls (findIdentity, etc) to return an identity as there is no actual identity as such.

Any pointers or samples would be greatly appreciated

Cheers

@circulon yes, but I’m not in the project anymore. What I did was:

  • User login method makes a request to the remote API.
  • If it succeeded, the remote API returns the AT.
  • The AT is stored in and used from the session.
  • Every time I need to access the remote API, I have the AT in the session.

Keep in mind my project did not expose an API that acted as a proxy, my yii2 project was an actual website that consumed the remote api.

1 Like
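Putting the two approaches discussed above together, here is an added example (it is not code from this thread or from the Yii project) of a Yii2 identity class for a site with no users table: `findIdentity()` rebuilds the identity from the token and profile stored in the PHP session at login, the flow chux describes, and `findIdentityByAccessToken()` validates a client-supplied token against the remote API and caches the user <-> token binding, the REST-style flow Sam suggests. The remote API's shape (JSON; `POST login` returning `access_token`, `user_id` and `name`; `GET me` echoing the profile for a valid bearer token), the `remoteApiUrl` params key and the yiisoft/yii2-httpclient dependency are all assumptions.

```php
<?php
// Added example, not from the thread or from Yii. Assumed remote API: JSON,
// POST login -> {access_token, user_id, name}, GET me -> {user_id, name} for a
// valid bearer token; base URL in Yii::$app->params['remoteApiUrl'].
namespace app\models;

use Yii;
use yii\base\BaseObject;
use yii\httpclient\Client;
use yii\web\IdentityInterface;

class User extends BaseObject implements IdentityInterface
{
    public $id;
    public $name;
    public $accessToken;

    const SESSION_KEY = 'remoteIdentity';
    const CACHE_TTL = 300; // seconds a validated token -> user binding stays cached

    // Website flow: yii\web\User keeps only the id in the session, so the token
    // and profile captured at login are stored there too and the identity is
    // rebuilt from them on every request (no database lookup at all).
    public static function findIdentity($id)
    {
        $data = Yii::$app->session->get(self::SESSION_KEY);
        if (!is_array($data) || (string) $data['id'] !== (string) $id) {
            return null; // nothing for this id in the session: treat as logged out
        }
        return new static($data);
    }

    // REST-proxy flow (HttpBearerAuth calls this): the client sends the token on
    // every request; it is checked against the remote API once and the binding
    // is cached, keyed by a hash so the raw token never becomes a cache key.
    public static function findIdentityByAccessToken($token, $type = null)
    {
        $key = ['remote-identity', hash('sha256', $token)];
        $data = Yii::$app->cache->get($key);
        if ($data === false) {
            $response = self::client()->get('me')
                ->addHeaders(['Authorization' => 'Bearer ' . $token])->send();
            if (!$response->isOk || empty($response->data['user_id'])) {
                return null; // remote API rejected the token
            }
            $data = ['id' => $response->data['user_id'], 'name' => $response->data['name']];
            Yii::$app->cache->set($key, $data, self::CACHE_TTL);
        }
        return new static($data + ['accessToken' => $token]);
    }

    public function getId()
    {
        return $this->id;
    }

    // No "remember me" cookie: the remote token must not be written to a cookie
    // and there is no persistent key to validate one, so enableAutoLogin stays off.
    public function getAuthKey()
    {
        return null;
    }

    public function validateAuthKey($authKey)
    {
        return false;
    }

    // Called from LoginForm::login(); false when the remote API rejects the credentials.
    public static function loginRemote($username, $password)
    {
        $response = self::client()->post('login', ['username' => $username, 'password' => $password])->send();
        if (!$response->isOk || empty($response->data['access_token'])) {
            return false;
        }
        $data = [
            'id' => $response->data['user_id'],
            'name' => $response->data['name'],
            'accessToken' => $response->data['access_token'],
        ];
        $ok = Yii::$app->user->login(new static($data)); // regenerates the session id
        Yii::$app->session->set(self::SESSION_KEY, $data); // written into the new session
        return $ok;
    }

    // Authenticated call on behalf of the logged-in user, e.g. $user->apiGet('invoices').
    public function apiGet($path, array $query = [])
    {
        $response = self::client()->get($path, $query)
            ->addHeaders(['Authorization' => 'Bearer ' . $this->accessToken])->send();
        return $response->isOk ? $response->data : null;
    }

    private static function client()
    {
        return new Client([
            'baseUrl' => Yii::$app->params['remoteApiUrl'],
            'requestConfig' => ['format' => Client::FORMAT_JSON],
            'responseConfig' => ['format' => Client::FORMAT_JSON],
        ]);
    }
}
```

Register it as `'user' => ['identityClass' => 'app\models\User', 'enableAutoLogin' => false]` in the application config (the identity has no auth key, so the remember-me cookie must stay disabled), and for the REST case attach `yii\filters\auth\HttpBearerAuth` to the controller so `findIdentityByAccessToken()` is used. In the session flow the remote token never leaves the server; only the session cookie reaches the browser. What is worth checking before production is that the session lifetime is no longer than the token's, that the session cookie is `httpOnly` and `secure`, and that the token is not echoed into logs. A refresh token returned alongside the access token can be kept in the same session entry and exchanged when an API call comes back unauthorized.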

Thanks for the info.
I kind of thought that was how to do it, but was not sure.
Now I just have to do it :wink:

My webapp is a consumer of a remote api too.

Appreciate the reply
Cheers