antanas_sepikas

Reputation: 5704

Symfony Restful API authentication and OAuth2

I am building a RESTful API application with Symfony2. The app will consist of two parts.

  1. JavaScript front-end - everything the user will ever be able to see and do will reside here.

  2. Symfony2 back-end API - every resource and data the user will be able to reach from front-end will be served in standard JSON via endpoints.

I have never built a fully RESTful application before. My main concern is how to authenticate users.

I imagine REST authentication like this:

A user enters his credentials in a form generated in the front end, then the request is sent to the server where the authentication logic happens, and if the user is authenticated, a response with a "token" is sent back to the user, who will add that token to every request URL or authorization header (I don't know which of these options is preferable).

Then with every request, the server will check if the user token is valid and if the user is authorized to access that data (roles), and if so, serves the requested data. (I don't want to allow users to log in with Google, Facebook or anything like that. I want my users logging in to other applications using my app.)

Now this seems quite simple, but then there's OAuth2, which got me confused because I jumped into developing without research. I downloaded FOSOAuthServerBundle and started messing around when I started to get a feeling that something is not right.

What I would like to know is the difference between RESTful authentication and OAuth.

What are the recommendations for implementing the described login mechanism?

Upvotes: 3

Views: 1368

Answers (1)

Reza S

Reputation: 9748

You've got it pretty spot on. You use OAuth just for the authentication and all the following requests will have to provide that HTTP-Authorization header. You would need to create your custom authentication provider to handle that. Also use something like FOSRestBundle to create your resources.

Upvotes: 0
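The token flow the question describes and the answer confirms (credentials in, opaque token out, token sent in the HTTP Authorization header, then a validity and role check on every request), as an added example that is not code from the question, the answer, Symfony or FOSOAuthServerBundle. It assumes PHP 7+ for `random_bytes`, and an in-memory array stands in for the token table a real API would keep in a database.

```php
<?php
// Constructed example: opaque bearer tokens for a JSON API.
// The token travels in the Authorization header rather than the URL, because
// URLs end up in access logs, browser history and Referer headers.

function issueToken(array &$store, string $userId, array $roles, int $ttl, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 64 hex chars, unguessable, opaque
    // Store only a hash of the token: a leaked token table cannot be replayed.
    $store[hash('sha256', $token)] = [
        'user'    => $userId,
        'roles'   => $roles,
        'expires' => $now + $ttl,
    ];
    return $token;
}

// Returns the stored principal for a valid token, or null for missing,
// malformed, unknown, revoked or expired tokens.
function authenticate(array $store, ?string $authorization, int $now): ?array
{
    if ($authorization === null
        || !preg_match('/^Bearer ([0-9a-f]{64})$/', $authorization, $m)) {
        return null;                               // no header or wrong shape
    }
    $record = $store[hash('sha256', $m[1])] ?? null;
    if ($record === null || $record['expires'] <= $now) {
        return null;                               // unknown (revoked) or expired
    }
    return $record;
}

// The per-request role check from the question, applied after authentication.
function authorize(?array $principal, string $requiredRole): bool
{
    return $principal !== null && in_array($requiredRole, $principal['roles'], true);
}

// Demo with a constructed in-memory store.
$store = [];
$now   = time();
$token = issueToken($store, 'alice', ['ROLE_USER'], 3600, $now);

$user = authenticate($store, 'Bearer ' . $token, $now);
var_dump($user['user'] === 'alice');                            // valid token resolves the user
var_dump(authorize($user, 'ROLE_USER'));                        // role the user holds
var_dump(authorize($user, 'ROLE_ADMIN'));                       // role the user lacks
var_dump(authenticate($store, 'Bearer ' . $token, $now + 7200)); // same token after expiry
var_dump(authenticate($store, 'Bearer deadbeef', $now));        // malformed token
```

Revocation on logout is just deleting the hash entry from the store; nothing on the client side needs to change.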
