Reputation: 4059
I am creating a web application in Yii 2 which uses a REST API as the backend. User authentication is carried out using tokens.
During the initial authentication I am doing the following:

    $parsedUserDetails = [
        'id'          => $userDetails['user_id'],
        'accessToken' => $userDetails['access_token'],
        'email'       => $this->email,
        'password'    => $this->password,
        'authKey'     => 'test',
    ];
    $user = new Users($parsedUserDetails);
    // the condition is always true, so the remember-me cookie lasts 30 days
    return Yii::$app->user->login($user, true ? 3600*24*30 : 0);
The cookies are being created.
The following is my Users class, which implements IdentityInterface:

    namespace app\models;

    class Users extends \yii\base\Object implements \yii\web\IdentityInterface
    {
        public $id;
        public $email;
        public $password;
        public $authKey;
        public $accessToken;

        /**
         * @inheritdoc
         */
        public static function findIdentity($id)
        {
            // left empty on purpose
        }

        /**
         * @inheritdoc
         */
        public static function findIdentityByAccessToken($token, $type = null)
        {
            // debug marker to check whether this method is reached
            exit('findIdentityByAccessToken');
        }

        /**
         * @inheritdoc
         */
        public function getId()
        {
            return $this->id;
        }

        /**
         * @inheritdoc
         */
        public function getAuthKey()
        {
            return $this->authKey;
        }

        /**
         * @inheritdoc
         */
        public function validateAuthKey($authKey)
        {
            return $this->authKey === $authKey;
        }

        /**
         * Validates password
         *
         * @param string $password password to validate
         * @return boolean if password provided is valid for current user
         */
        public function validatePassword($password)
        {
            /*return $this->password === $password;*/
        }
    }
As per the documentation at http://www.yiiframework.com/doc-2.0/guide-security-authentication.html I should leave the rest of the functions empty and the findIdentityByAccessToken function will be called automatically. Unfortunately findIdentityByAccessToken is not getting called and instead findIdentity is being called.
Am I doing something wrong here?
Please help.
Upvotes: 4
Views: 4376
Reputation: 945
You have to override findIdentityByAccessToken() as below in your User class and pass your token in the headers, which will later be validated.

    public static function findIdentityByAccessToken($token, $type = null)
    {
        // ActiveRecord lookup: the user row whose access_token column equals the token
        return static::findOne(['access_token' => $token]);
    }

See the official doc here: http://www.yiiframework.com/doc-2.0/yii-web-identityinterface.html
However, this will search your user table for the field access_token, which is not available by default. You can create a column named access_token in your user table and create the logic to store a strongly created key (using encryption or salting techniques) which can later identify the user who is requesting resources from your API.
But this won't make your RESTful api secure even with SSL.
HTTP Basic Auth: the access token is sent as the username. This should only be used when an access token can be safely stored on the API consumer side. For example, the API consumer is a program running on a server.
You can use OAuth 2.0, which is a far better technique in terms of security. Read more here.
OAuth 2: the access token is obtained by the consumer from an authorization server and sent to the API server via HTTP Bearer Tokens, according to the OAuth2 protocol.
I found this to create powerful and secured RESTful web services using OAuth 2.0. However, configuring this extension with your app is a bit of a tricky task. Check it out and try to implement it. If you find difficulty using it, try posting a new question.
Hope it helps someone.
Upvotes: 1
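As an added example, not the asker's or the answerer's code and not part of Yii itself: an identity class whose findIdentityByAccessToken() looks a token up by its stored hash, together with the REST controller behavior that makes Yii read the token from the Authorization header and call that method. The rows() table, the token and auth-key values and ApiController are constructed stand-ins for the user table and the access_token column the answer describes.

```php
<?php
namespace app\models;
use yii\base\BaseObject;        // \yii\base\Object in Yii before 2.0.13, as in the question
use yii\web\IdentityInterface;

class Users extends BaseObject implements IdentityInterface
{
    public $id;
    public $authKey;   // per-user random value, e.g. Yii::$app->security->generateRandomString()
    // Constructed stand-in for the user table keyed by id; only hash('sha256', access_token) is stored.
    private static function rows()
    {
        return [7 => ['token_hash' => hash('sha256', 'constructed-token-for-alice'),
                      'auth_key'   => 'constructed-random-auth-key']];
    }

    public static function findIdentity($id)
    {
        $rows = self::rows();
        return isset($rows[(int) $id])
            ? new static(['id' => (int) $id, 'authKey' => $rows[(int) $id]['auth_key']]) : null;
    }

    // Reached only via yii\filters\auth\HttpBearerAuth -> Yii::$app->user->loginByAccessToken()
    public static function findIdentityByAccessToken($token, $type = null)
    {
        $hash = hash('sha256', (string) $token);
        foreach (self::rows() as $id => $r) {
            if (hash_equals($r['token_hash'], $hash)) {   // constant-time comparison
                return static::findIdentity($id);
            }
        }
        return null;
    }

    public function getId() { return $this->id; }
    public function getAuthKey() { return $this->authKey; }
    public function validateAuthKey($authKey) { return hash_equals((string) $this->authKey, (string) $authKey); }
}

// Belongs in app\controllers: this filter reads "Authorization: Bearer <token>" and calls Users::findIdentityByAccessToken(); Yii::$app->user->login() never does.
class ApiController extends \yii\rest\Controller
{
    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = ['class' => \yii\filters\auth\HttpBearerAuth::class];
        return $behaviors;
    }
}
```

A request without a valid Bearer token is rejected by the filter before the action runs, and a session created by user->login() still resolves through findIdentity(), which is why the question's debug exit() was never reached.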