I have two authentication classes defined.
- API Keys (APIKeyAuth)
- OAUTH2 (OAUTH2Server)
In my index.php I have the following defined:

    $r = new Restler();
    $r->addAuthenticationClass('APIKeyAuth');
    $r->addAuthenticationClass('OAUTH2Server');

I then protect one of the rest methods for APIKeyAuth:

    /**
     * @access protected
     * @class APIKeyAuth{@requires apikey}
     */
    public function .......etc

If I debug it, it goes through the first step and $authObj (see code below from restler.php) will be APIKeyAuth. It checks __isAllowed and returns true ... which is good.
It then however goes through OAUTH2Server (which in my opinion it shouldn't, as the rest method has been decorated to use APIKeyAuth).
So it goes through and __isAllowed in OAUTH2Server is false, so then the user will get an Unauthorized response.

    foreach ($this->authClasses as $authClass) {
        $authObj = Scope::get($authClass);
        if (!method_exists($authObj,
            Defaults::$authenticationMethod)
        ) {
            throw new RestException (
                500, 'Authentication Class ' .
                'should implement iAuthenticate');
        } elseif (
            !$authObj->{Defaults::$authenticationMethod}()
        ) {
            throw new RestException(401);
        }
    }

Do I need to alter the OAUTH2 Server to check if it's using an API Key and add logic? (seems wrong approach).
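
The behaviour described in this question, reduced to a self-contained PHP 8 sketch (an added example, not part of the original post and not Restler's code). `DemoApiKeyAuth`, `DemoOAuth2Auth`, `checkAll` and `checkNamed` are hypothetical stand-ins: `checkAll` copies the control flow of the quoted loop, and `checkNamed` shows the per-method selection the question expects, failing closed when the named class is not registered.

```php
<?php
// Constructed stand-ins for the two authentication classes; not Restler code.
final class DemoApiKeyAuth
{
    public function __construct(private array $headers) {}
    public function __isAllowed(): bool
    {
        // 'demo-key-123' is a constructed value; hash_equals compares in constant time.
        return hash_equals('demo-key-123', $this->headers['X-Api-Key'] ?? '');
    }
}

final class DemoOAuth2Auth
{
    public function __construct(private array $headers) {}
    public function __isAllowed(): bool
    {
        // Stub: only checks that a bearer token is present, no token validation.
        return str_starts_with($this->headers['Authorization'] ?? '', 'Bearer ');
    }
}

// Same control flow as the quoted loop: every registered class must
// return true, so the first false ends the request with 401.
function checkAll(array $authObjects): int
{
    foreach ($authObjects as $authObj) {
        if (!method_exists($authObj, '__isAllowed')) {
            return 500;
        }
        if (!$authObj->__isAllowed()) {
            return 401;
        }
    }
    return 200;
}

// Hypothetical variant: consult only the class named for the method.
// Returns 401 when that class is not registered, so a typo cannot open access.
function checkNamed(array $authObjects, string $required): int
{
    $selected = array_filter($authObjects, fn($o) => $o instanceof $required);
    return $selected ? checkAll($selected) : 401;
}

// Constructed request: valid API key, no OAuth2 bearer token.
$headers = ['X-Api-Key' => 'demo-key-123'];
$registered = [new DemoApiKeyAuth($headers), new DemoOAuth2Auth($headers)];
printf("all registered classes: %d\n", checkAll($registered));
printf("only DemoApiKeyAuth:    %d\n", checkNamed($registered, DemoApiKeyAuth::class));
```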