API Authentication - OAuth2
Our Backend API is secured by OAuth2 authorization, implemented with the Trikoder oauth2-bundle.
We use Bearer token authorization, which means that every API call must carry an Authorization: Bearer TOKEN header.
Configuration
To configure OAuth2, run the backend-api-oauth-keys-generate phing target. This target generates the private and public keys for OAuth2 together with the required parameters. The private key is used to sign tokens and the public key is used to verify the signatures.
Client Credentials
OAuth2 has its own users, so before you can use the API you have to create one first.
Run this SQL command to create a user alan with secret xxx:
INSERT INTO "oauth2_client" ("identifier", "secret", "grants", "active")
VALUES ('alan', 'xxx', 'client_credentials password', '1');
Warning: Never use the password xxx in production; always use secure passwords!
Generate your API token
Run the following command in bash:
curl -X POST \
  'http://127.0.0.1:8000/api/token' \
  -d 'grant_type=client_credentials' \
  -d 'client_id=alan' \
  -d 'client_secret=xxx'
When everything goes right, you will get a response similar to the one below, containing a token that is valid for one hour. You will need to generate a new token after this one expires.
{"token_type":"Bearer","expires_in":3600,"access_token":"eyJ...lKQ"}
The bearer token is the value of access_token, e.g. eyJ...lKQ.
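The client_credentials exchange and the one-hour expiry above are easy to get wrong in a long-running integration (reusing a token past expires_in, or requesting a fresh token on every call). The following is an added example, not code from this documentation or from the Trikoder bundle: a small Python client that POSTs the same form fields the curl command sends, caches the access_token, and fetches a new one shortly before expires_in runs out. The token URL, client id and secret are the ones shown on this page; the sample response is constructed to match the one above; the clock and fetch function are injectable only so the refresh logic can be exercised offline.

```python
"""Client-credentials token cache for a Bearer-protected API (added example)."""
import json
import time
import urllib.parse
import urllib.request

# Values from the page; the secret is the documentation's placeholder, not a real one.
TOKEN_URL = "http://127.0.0.1:8000/api/token"
CLIENT_ID = "alan"
CLIENT_SECRET = "xxx"

# Constructed sample, shaped like the response shown on the page.
SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": 3600, "access_token": "eyJ...lKQ"}


def fetch_token_http(token_url=TOKEN_URL, client_id=CLIENT_ID,
                     client_secret=CLIENT_SECRET, timeout=10):
    """POST grant_type=client_credentials (same fields as the curl call) and parse the JSON."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


class TokenCache:
    """Hands out an Authorization header, refreshing the token before it expires."""

    def __init__(self, fetch=fetch_token_http, clock=time.time, skew=60):
        self._fetch = fetch        # callable returning the token endpoint's JSON
        self._clock = clock        # injectable for offline testing
        self._skew = skew          # refresh this many seconds before expires_in elapses
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0       # how many times a token was requested

    def bearer_header(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            data = self._fetch()
            # Only a Bearer token can be placed in the Authorization header this way.
            if str(data.get("token_type", "")).lower() != "bearer":
                raise ValueError("unexpected token_type: %r" % data.get("token_type"))
            self._token = data["access_token"]
            self._expires_at = now + int(data["expires_in"])
            self.fetch_count += 1
        return {"Authorization": "Bearer " + self._token}


def call_api(url, cache, timeout=10):
    """GET an API URL with the cached bearer token; returns (status, body)."""
    req = urllib.request.Request(url, headers=cache.bearer_header())
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def simulate_refresh():
    """Offline walk-through of the cache: returns the header and the fetch counts over time."""
    clock = [1000.0]
    cache = TokenCache(fetch=lambda: dict(SAMPLE_RESPONSE), clock=lambda: clock[0])
    header = cache.bearer_header()          # first call fetches a token
    clock[0] += 3000                        # 50 minutes later: still valid
    cache.bearer_header()
    before_expiry = cache.fetch_count
    clock[0] += 600                         # 60 minutes elapsed: inside the skew window
    cache.bearer_header()
    return header, before_expiry, cache.fetch_count


if __name__ == "__main__":
    # Real run against the local token endpoint from the page (requires the backend running).
    live = TokenCache()
    print(live.bearer_header())
```

The refresh window (skew) avoids sending a token that expires while the request is in flight; with the page's expires_in of 3600 the cache requests a second token once 3540 seconds have passed. Nothing here changes how the server issues tokens; it only applies the page's rule that a new token is needed after the old one expires.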
Now you can continue with your first API call.