For me, OAuth is still confusing. What I really need is the equivalent of the 2-legged OAuth-1.1a version, but working with OAuth2. From my understanding, the equivalent of 2-legged is actually the JWT grant type. Has anyone been able to do that with Yii?
As a little background, I am working on a Yii REST API that will eventually talk with my web application (website), a few third-party partners, and also with a few mobile applications; that is, I am trying to create an API-centric application.
For now I am not interested in users allowing third-party apps to act on their behalf (that is, 3-legged OAuth).
If anyone here has knowledge about all these things, please let me know; we can debate the subject further.
Here is an OAuth1.x implementation API module; OAuth2 is too complicated for a mobile app. An API can be public or private; if you just want to develop a mobile app for your own site, then the private API fits.
I saw some friends implement an API-centric project with a RESTful approach. They apply their own auth scheme (between OAuth1.x and OAuth2.x; they call it xauth) and implement the session strategy using a database or Redis. Because the REST architecture is stateless, you must mimic something like the "session_id" sent with a cookie.
Use curl to connect to the API center; every request should carry the app_id. The app_key is used to encrypt the request. For user auth, use the username and password to exchange them for a user_token, and after you have the user_token (which can be saved or cached for later requests) you should add it to the next request. The app_id + user_token can be treated like the session_id that travels with the cookie. On the server end, if no user_token is present we treat the caller as a "guest"; maybe you should implement an ApiUser similar to CWebUser.
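The scheme sketched in the reply above (app_id on every request, the app_key protecting the request, username/password exchanged for a user_token, and a missing token meaning "guest") can be written out end to end. The following is an added example, not code from the thread or from any Yii module; it is in Python rather than PHP so that the protocol logic stays independent of the framework. It assumes a constructed app registry, a constructed user store and in-memory token storage, and it treats the app_key as an HMAC signing key (one interpretation of "used to encrypt the request") so that the server can check integrity of each request and reject stale replays.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample registry: app_id -> app_key. In a real deployment this lives in the DB.
APP_KEYS = {"app_demo_001": "k3y-shared-only-between-this-client-and-the-server"}

# Constructed user store: username -> (user_id, salt, pbkdf2 hash). Demo values only.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": ("u42", _SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)),
}

TOKENS = {}          # user_token -> (user_id, expiry); would be Redis/DB in practice
REPLAY_WINDOW = 300  # seconds of clock skew tolerated on the request timestamp
TOKEN_LIFETIME = 3600


def canonical(app_id, ts, nonce, body):
    # Fixed field order so client and server sign exactly the same bytes.
    return f"{app_id}\n{ts}\n{nonce}\n{body}".encode()


def sign_request(app_id, app_key, body, ts=None, nonce=None):
    """Client side: attach app_id, timestamp, nonce and an HMAC over all of them."""
    ts = ts if ts is not None else int(time.time())
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    sig = hmac.new(app_key.encode(), canonical(app_id, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"app_id": app_id, "ts": ts, "nonce": nonce, "body": body, "sig": sig}


def verify_request(req, now=None):
    """Server side: True only if the app is known, the timestamp is fresh and the HMAC matches."""
    now = now if now is not None else int(time.time())
    app_key = APP_KEYS.get(req.get("app_id"))
    if app_key is None:
        return False
    if abs(now - req["ts"]) > REPLAY_WINDOW:
        return False  # stale or replayed request
    expected = hmac.new(
        app_key.encode(), canonical(req["app_id"], req["ts"], req["nonce"], req["body"]), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so signature checks do not leak timing information.
    return hmac.compare_digest(expected, req["sig"])


def login(username, password, now=None):
    """Exchange username/password for a random user_token; None on failure."""
    now = now if now is not None else int(time.time())
    record = USERS.get(username)
    if record is None:
        return None
    user_id, salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (user_id, now + TOKEN_LIFETIME)
    return token


def resolve_user(user_token, now=None):
    """Map a user_token to a user id; missing, unknown or expired tokens are treated as 'guest'."""
    now = now if now is not None else int(time.time())
    entry = TOKENS.get(user_token) if user_token else None
    if entry is None or entry[1] <= now:
        return "guest"
    return entry[0]


if __name__ == "__main__":
    req = sign_request("app_demo_001", APP_KEYS["app_demo_001"], '{"q":"hello"}')
    print("signed request accepted:", verify_request(req))
    tok = login("alice", "correct horse")
    print("alice resolves to:", resolve_user(tok), "| no token resolves to:", resolve_user(None))
```

The nonce is included in the signed string so that a stored nonce set (not shown) can reject an exact replay inside the time window; the timestamp check alone bounds how long a captured request stays usable.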
As I said, I am not really interested in OAuth1 but in OAuth2, and I would also like to avoid writing custom auth (I did so for another project of mine) because I need to really understand this whole OAuth2 provider thing.
However, I'll leave this topic as it is right now and come back to it later, after I have done my homework as I should and after I implement the OAuth2 server.
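The grant the original poster identifies as the 2-legged equivalent, the JWT bearer grant (RFC 7523), can be shown with both sides of the exchange: the client signs a short-lived JWT asserting its own identity and posts it to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer, and the server validates the assertion before issuing an access token. This is an added example, not code from the thread or from any Yii OAuth2 library; it is in Python so the flow is visible without a framework. It assumes a constructed client registry with a shared secret per client (HS256), a constructed token endpoint URL used as the audience, and in-memory replay and token stores.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://api.example.test/oauth/token"  # constructed; the assertion's audience

# Constructed client registry: client_id -> secret the client uses to sign its assertion.
CLIENTS = {"partner-app": "constructed-partner-secret"}
SEEN_JTI = set()        # assertion ids already redeemed, for replay protection
ACCESS_TOKENS = {}      # issued access_token -> (client_id, expiry)
ACCESS_LIFETIME = 3600


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(client_id, secret, now=None, lifetime=60, jti=None):
    """Client side: build and HS256-sign the JWT that proves the client's identity."""
    now = now if now is not None else int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
        "iat": now, "exp": now + lifetime, "jti": jti or secrets.token_hex(16),
    }
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def token_endpoint(form, now=None):
    """Server side: validate the assertion and issue an access token, or return an OAuth2 error."""
    now = now if now is not None else int(time.time())
    if form.get("grant_type") != GRANT_TYPE:
        return {"error": "unsupported_grant_type"}
    try:
        h64, c64, s64 = form["assertion"].split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except (KeyError, ValueError):
        return {"error": "invalid_request"}
    # Pin the algorithm server-side; never let the token's own "alg" choose the check.
    if header.get("alg") != "HS256":
        return {"error": "invalid_grant"}
    secret = CLIENTS.get(claims.get("iss"))
    if secret is None:
        return {"error": "invalid_client"}
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return {"error": "invalid_grant"}
    # Audience binds the assertion to this endpoint; exp bounds its lifetime; jti stops replay.
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        return {"error": "invalid_grant"}
    if claims.get("jti") in SEEN_JTI:
        return {"error": "invalid_grant"}
    SEEN_JTI.add(claims["jti"])
    access_token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access_token] = (claims["iss"], now + ACCESS_LIFETIME)
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": ACCESS_LIFETIME}


if __name__ == "__main__":
    assertion = make_assertion("partner-app", CLIENTS["partner-app"])
    print(token_endpoint({"grant_type": GRANT_TYPE, "assertion": assertion}))
```

With a per-client RSA or EC public key registered instead of a shared secret, the same validation logic applies with RS256/ES256 signature verification; the claim checks (iss, aud, exp, jti) do not change.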