
I'm currently trying to build an API-driven Symfony2 web application. Just a basic application to learn Symfony2 and REST.

It would be based on a RESTful api. Calls to the API will be authenticated using OAuth.

For example: if a client application wants to get data (information about all the fruits) through the API, it will need to make a GET request to the URL and pass the access token as a parameter. So the URL will look something like this:

http://www.mysite.com/api/fruits.json?=<access token>

Now the problem is that I would be needing the same data in one of my actions as well.

I need some help here. In order to get data from the above URL in one of my actions, I will also need to send an access token in the URL.

How do I get this access token?

Should there be a fixed token which will be used for all such calls within my application?

Ankit Khedekar

1 Answer


Your basic application project will grow manifold if you try to do what you want here.

Basically, you need to implement an Authentication Server for this.

i) First, the app should be registered for a scope;
ii) Using the app, the user logs in to the authentication/authorization server.
iii) The server verifies if the app has access to the scope and if the user is registered in your system.
iv) The server creates an access token (which is an HMAC-signed string) and returns it to your app.
v) The app then hits the endpoint (RESTful API) with the token.
vi) The RESTful service then internally sends the token to the server, fetches the customerID for which the call is made, and performs the actions that it's supposed to.

I wrote an answer once on how to create an OAuth Service/Provider - How would an efficient OAuth2.0 server / provider work?

Also, OAuth was designed such that client apps/3rd-party software can access a user's resources on his behalf. A very simple example: an app posting something on your Facebook wall on your behalf. It is actually accessing a resource that you own (the wall) and posting to it. You do not need OAuth just to get some data - there are other ways to secure the API.

divyanshm
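Steps iv to vi of the answer above as an added example, not part of the answer and not Symfony code: a Python sketch in which the authorization server issues an HMAC-signed token and the API hands it back for validation to learn which customer the call is for. SERVER_SECRET, REGISTERED_APPS, USERS and the claim names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; a real authorization server keeps it out of source control.
SERVER_SECRET = b"example-only-secret"
# Constructed registry of client apps and the scopes they were registered for (step i).
REGISTERED_APPS = {"fruit-client": {"fruits:read"}}
# Constructed user store with the customer id each user maps to (steps iii and vi).
USERS = {"alice": {"customer_id": 42}}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(client_id, username, scope, ttl=3600, now=None):
    """Steps ii-iv: check the app's scope and the user, then return an HMAC-signed token."""
    if scope not in REGISTERED_APPS.get(client_id, set()):
        raise PermissionError("app is not registered for this scope")
    if username not in USERS:
        raise PermissionError("unknown user")
    now = int(time.time()) if now is None else now
    claims = {"cid": client_id, "sub": username, "scope": scope, "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload)  # neither part can contain "."


def introspect(token, required_scope, now=None):
    """Step vi: the API hands the token back to the server; returns the claims plus
    the customer_id the call is made for, or None when the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    # Constant-time comparison so a forged signature cannot be confirmed byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now or claims["scope"] != required_scope:
        return None  # expired, or issued for a different scope
    return {**claims, "customer_id": USERS[claims["sub"]]["customer_id"]}
```

The `now` parameter exists so expiry can be tested deterministically; in production both functions use the clock.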