
I'm struggling with OAuth2 authorization, authentication and user linking. What I've done so far:

I've created a client and its secret. All redirects and so on are working. Grant type password works for my own native app (e.g. Android and iOS).

But for access token, user_id is NULL if grant type is Authorization code. How can I assign a user to access token or authorization code? Is there a module for Apigility to provide login screen? I only get asked for "allow" or "disallow" application but I'm never asked for a username and password.

Update:
Question is related to providing OAuth2 access to third party pages, e.g. IFTTT. They open the /oauth/authorize page and somewhere I have to guide the user to a login?! to determine the related user? Is there an existing module for this?

Third party sites, e.g. IFTTT do not use password grant type for security reasons. And compared to other pages the workflow is: Is user authenticated? Yes: Show Accept/Decline button. No: User has to login and will be redirected afterwards to /oauth/authorize page. So is there a common way in apigility to check if user is logged in and if not, redirect to a login mask?

1 Answer


To authenticate with username and password using OAuth2 you should use the grant_type=password.

I'm not sure if there is a login screen in Apigility. But I don't think it should have it, because Apigility already allow this by one or more endpoints through OAuth2, more specifically by OAuth2 Server Library for PHP.

How to do

  1. Add the grant type to client:
    • On your client table (oauth_clients.grant_types column) set "password".
  2. Create a new authentication adapter type=oauth2.
  3. Send a POST to the authentication url like below.

    • url=localhost:8080/oauth, where localhost:8080 is where the apigility is running and /oauth is the configured auth adapter url.
    • payload:

      {
          "username": "USERNAME",
          "password": "PASSWORD",
          "grant_type": "password",
          "client_id": "CLIENT_ID"
      }
      
  4. When login is successful it will return the access token.
Wilt
Vinícius Fagundes
  • Thx for these steps. This works already, but it works only for apps and pages that I'm creating. E.g. if I want to provide access to IFTTT, I'm not able to use grant_type password. Based on documentation: [link](https://apigility.org/documentation/auth/authentication-oauth2) I always get prompt for "allow"/"disallow" without logging in as a user – Alexander Lampret Jan 15 '17 at 20:48
    @AlexanderLampret Why can you not use `grant_type` password? Could you elaborate on that particular aspect of your question. – Wilt Jan 17 '17 at 20:26
  • I've updated my question. I'm providing a service. In my native Android and iOS app, I use grant type password and it works. But third party sites, e.g. IFTTT do not use this type for security reasons. And compared to other pages the workflow is: Is user authenticated? Yes: Show Accept/Decline button. No: User has to login and will be redirected afterwards to /oauth/authorize page. So is there a common way in apigility to check if user is logged in and if not, redirect to a login mask? – Alexander Lampret Jan 20 '17 at 12:06
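The two pieces of logic discussed in this thread, as an added, framework-neutral example in Python (it is not code from the question, the answer, Apigility or the OAuth2 Server Library for PHP): first, the per-client `grant_types` check from the answer's step 1, which is why a third-party client registered only for `authorization_code` cannot use `grant_type=password`; second, the `/oauth/authorize` login gate the question describes, where an unauthenticated user is redirected to a login form and brought back to the authorize page afterwards, while an authenticated user sees the allow/deny consent screen. The client table `OAUTH_CLIENTS`, the user table, the `Session`/`Response` types and the function names are all hypothetical stand-ins; the post-login return path is restricted to a relative path on the same host so the login form cannot be used as an open redirect.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the oauth_clients table. grant_types is the
# space-separated list the answer says to set on the client row.
OAUTH_CLIENTS = {
    "native-app": {"grant_types": "password refresh_token",
                   "redirect_uri": "myapp://callback"},
    "third-party": {"grant_types": "authorization_code",
                    "redirect_uri": "https://partner.example/callback"},
}


def grant_allowed(client_id: str, grant_type: str) -> bool:
    """True only if the client exists and lists grant_type in its grant_types."""
    client = OAUTH_CLIENTS.get(client_id)
    if client is None:
        return False
    return grant_type in client["grant_types"].split()


@dataclass
class Session:
    user_id: Optional[int] = None  # None means nobody is logged in


@dataclass
class Response:
    status: int
    location: str = ""  # Location header for 302 responses
    body: str = ""


def safe_return_path(path: str) -> str:
    """Accept only a relative path on this host as the post-login target,
    so the login form cannot be turned into an open redirect."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    return path


def authorize_request(session: Session, query: dict) -> Response:
    """Handle GET /oauth/authorize for the authorization code flow."""
    client_id = query.get("client_id", "")
    client = OAUTH_CLIENTS.get(client_id)
    if client is None or query.get("response_type") != "code":
        return Response(400, body="invalid_request")
    if not grant_allowed(client_id, "authorization_code"):
        return Response(400, body="unauthorized_client")
    # redirect_uri must match the registered value exactly
    if query.get("redirect_uri") != client["redirect_uri"]:
        return Response(400, body="invalid_request")
    if session.user_id is None:
        # Not authenticated: go to the login form, then come back here
        return_to = "/oauth/authorize?" + urlencode(query)
        return Response(302, location="/login?" + urlencode(
            {"return_to": safe_return_path(return_to)}))
    # Authenticated: show the allow/deny consent screen for this client
    return Response(200, body=f"consent: user {session.user_id} allow {client_id}?")


# Constructed user table: username -> (salt, pbkdf2 hash, user_id)
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000), 42),
}


def login(session: Session, username: str, password: str, return_to: str) -> Response:
    """Handle POST /login: verify the password hash, start the session,
    and send the user back to the (validated) authorize URL."""
    record = USERS.get(username)
    if record is not None:
        salt, expected, user_id = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, expected):
            session.user_id = user_id
            return Response(302, location=safe_return_path(return_to))
    return Response(401, body="bad credentials")


if __name__ == "__main__":
    s = Session()
    q = {"response_type": "code", "client_id": "third-party",
         "redirect_uri": "https://partner.example/callback", "state": "xyz"}
    print(authorize_request(s, q))                       # 302 to /login?return_to=...
    print(login(s, "alice", "correct horse", "/oauth/authorize?client_id=third-party"))
    print(authorize_request(s, q))                       # 200 consent screen
    print(grant_allowed("third-party", "password"))      # False
```

The sequence in the `__main__` block is the workflow from the question: the first authorize call is redirected to the login form, the login sets the session and redirects back to `/oauth/authorize`, and the second authorize call reaches the consent screen. A real login handler would also need CSRF protection and session fixation handling, which are outside the scope of this thread.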