REST & Authorization

Hello everyone!

Recently I’ve started developing hybrid mobile application (Ionic + AngularJS) in addition to the website powered by Yii2.

For these purposes I have created separate application in Yii2 with REST API controllers, the data is properly returned in JSON format - everything works great!

However now I have faced the need to implement authentication & authorization of user through mobile application using REST and it seems that all docs look somewhat partial and not covering real-life scenarios.

What I would like to achieve:

  1. Implement opportunity to login from mobile application using username/password or couple of AuthClients (Facebook + Google);

  2. Store in mobile application and Yii2 backend access token, refresh token and device id (for additional security);

  3. After the expiry of access token get new access token using refresh token;

  4. Provide users with opportunity for being logged in from multiple devices without issues.

The questions that I am facing:

  1. As I understood there is not much difference between HttpBearerAuth and QueryParamAuth for my case. Is it correct or I’m missing something?

  2. Then I have noticed that there are some people that prefer to implement own Oauth2 server for these purposes (like Is this something really required?

  3. Frankly speaking, I’m confused about proper overall solution for above requirements on Yii2 REST backend side. Could someone kindly advise at least some thoughts on which and how controllers-models should be structured in order to support above requirements?

May be someone has already implemented similar Yii2 service and can share some snippets or repository?

In any case any advices on above are very welcome!


  1. Correct.

  2. No. You’re already getting a token from Facebook / Google SDK.

Hi Alexander!

Thanks a lot for your attention to my topic.

Regarding the second question I primarily mean the case of authentication by username/password. In order for application to authorize further requests backend needs to fully support refresh token functionality in order not to log the user out each time after inactivity or exit.

Yesterday I’ve finally succeeded with setup of yii2-oauth2-server module and now am able to get access/refresh tokens by username/pass and refresh access token.

However it seems that I will need to enrich existing models and controllers with additional fields/logic to support also separate logins with same credentials from different devices and DeviceID verification.

What I frankly speaking don’t understand: what additional security does refresh token provide? I mean it is a kind of non-autoexpiring token which can be used by attacker to get both new valid access token and new refresh token. As we’re talking about mobile application and I’m going to use local storage to keep this information after application exit, then all these tricks don’t seem to be quite safe actually. Do you agree?

Thank you!

Yes. You’ll need to extend your DB a bit. As for tokens refresh, it lowers the chance that old token will get caught/used by attacker.

Which module worked for you?

That’s right, this one!

But be accurate - there is some mess with branches, 2.0.1 branch is the stable version.