Reputation: 175
How to check for oAuth2 scopes in Apigility?
I am creating an apigility project where we will be hosting all of our APIs. We need to be able to use OAuth2 for authentication but we cannot figure out how to control access to certain APIs, it seems like once a client authenticates, they can use any of our APIs but we want to limit them to use only specific ones that we define. After reading about the OAuth2 library that apigility uses, I saw that there are scopes that can be defined but I have not found any documentation about how to check a user's scope to see if they have access. I want to find out if this is the best way to restrict access to certain APIs and how to set it up if it is, or is there a better way to control access?
Upvotes: 4
Views: 934
Answers (1)
Reputation: 3568
Just implemented this functionality using the following recipe ...
https://github.com/remiq/apigility-zfc-rbac-recipe
It worked really well and only took a few hours to get it all working.
Alternatively you can just do the checking in the Controller Action (Resource method)
$identity = $this->getIdentity()->getAuthenticationIdentity();
$scope = $identity["scope"]
if (! in_array('admin', $scope)) {
return new ApiProblem(Response::STATUS_CODE_401, 'No Auth');
}
The above code is untested but should get you on the right path if you wanted to do it that way
Upvotes: 4
Related Questions
- Apigility and oAuth for users
- Apgigility OAuth2, link between User and Client/AuthorizationCode
- Get current user information in Apigility Resource
- Apigility Custom Db Filter Based on oAuth Request
- Implementing Two-Legged Oauth2 in ZendFramework 2 with Apigility
- Correct Way to use returned ApiGility Implicit Token
- How to get the Basic HTTP Authentication working for an Apigility application?
- Making Apigility usable for logged in users only, with Zend Framework 2
- (Why) Does Apigility only work in the development mode?
- How to use Apigility with an existing ZF2 application?