Create your own REST API Using OAuth Authentication

What is the OAuth REST API?

As more and more information becomes available online, information sharing between Web sites has become widespread. Web sites usually communicate via Web services — a REST API protected with OAuth is one of the technologies that can be used to create such a web service. OAuth is an open standard for authorization that provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair). For example, OAuth is used when you allow a Facebook or Twitter application to use your information. In this tutorial, you will learn how to use both technologies to create a secure web service using a REST API.

How REST API Works

An API built in the REST architecture should have URLs for its resources, where the operation executed on a resource is selected by the HTTP method of the request. For example, an API could have the following URL for a user object:

If an HTTP GET request is sent, the API would return user data in JSON or XML format. If a POST request is sent, user data would be updated. If a POST request is sent (and the user id is not passed to the server as a parameter), a new user would be created. Finally, if a DELETE request is sent, the user with the specified id would be deleted.

Another important characteristic of the REST API architecture is that it returns HTTP status codes. Some of the most common codes are: 404 not found, 200 OK, 400 bad request, 401 unauthorized. See the full list of HTTP status codes here.

However, note that the architecture described above is not a strict standard and that you might find slightly different implementations on the web.

How OAuth Works

OAuth is a 3-legged authorization standard that works the following way:

  1. The consumer requests a request token (usually by passing an application key and application secret)
  2. The user is then redirected to a login page, passing the request token to that page
  3. User logs in and is redirected back to the consumer, passing the request token to the consumer’s page
  4. The consumer exchanges the request token for an access token
  5. If the previous request was valid, the server will return an access token to the consumer. The access token is used for API requests

During this process, the authorization is processed using multiple predefined URLs, called endpoints. There are 3 endpoints:

  1. Request URI (this endpoint passes the request token)
  2. Access URI (exchanges request token for an access token)
  3. Authorize URI (confirms that the access token is valid)
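The five steps and three endpoints above, as an added example in plain PHP that is not the tutorial's or oauth-php's code: an in-memory server that issues a request token, records the user's approval, and exchanges the approved token for an access token. The consumer key and secret, the user id and the token format are constructed; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not the tutorial's or oauth-php's code): the three-legged flow as an
// in-memory server. Consumer credentials, user id and token formats are constructed; PHP 7.4+.
class OAuthFlow {
    private array $consumers;           // consumer_key => consumer_secret
    private array $request_tokens = []; // token => ['key', 'user_id', 'verifier']
    private array $access_tokens  = []; // token => ['key', 'user_id']
    public function __construct(array $consumers) { $this->consumers = $consumers; }

    // Step 1, Request URI: only a consumer with a valid key/secret pair gets a request token
    public function requestToken(string $key, string $secret): ?string {
        if (!isset($this->consumers[$key]) || !hash_equals($this->consumers[$key], $secret)) return null;
        $token = bin2hex(random_bytes(16));
        $this->request_tokens[$token] = ['key' => $key, 'user_id' => null, 'verifier' => null];
        return $token;
    }

    // Steps 2-3, Authorize URI: the logged-in user allows or denies the request token
    public function authorize(string $token, int $user_id, bool $allowed): ?string {
        if (!isset($this->request_tokens[$token])) return null;
        if (!$allowed) { unset($this->request_tokens[$token]); return null; }
        $verifier = bin2hex(random_bytes(8));   // oauth_verifier handed back to the consumer
        $this->request_tokens[$token]['user_id']  = $user_id;
        $this->request_tokens[$token]['verifier'] = $verifier;
        return $verifier;
    }

    // Steps 4-5, Access URI: an authorized request token is exchanged exactly once
    public function accessToken(string $key, string $token, string $verifier): ?string {
        $rt = $this->request_tokens[$token] ?? null;
        if ($rt === null || $rt['key'] !== $key || $rt['user_id'] === null) return null;
        if (!hash_equals($rt['verifier'], $verifier)) return null;
        unset($this->request_tokens[$token]);   // single use: a second exchange must fail
        $access = bin2hex(random_bytes(16));
        $this->access_tokens[$access] = ['key' => $key, 'user_id' => $rt['user_id']];
        return $access;
    }

    // What the API later needs from an access token: the user it was issued for
    public function userForToken(string $access): ?int {
        return $this->access_tokens[$access]['user_id'] ?? null;
    }
}

$server = new OAuthFlow(['key123' => 'secret456']);
$rt = $server->requestToken('key123', 'secret456');
var_dump($server->accessToken('key123', $rt, ''));        // exchange attempted before any user approved
$verifier = $server->authorize($rt, 42, true);            // user 42 clicks 'allow'
$at = $server->accessToken('key123', $rt, $verifier);
var_dump($server->userForToken($at));
var_dump($server->accessToken('key123', $rt, $verifier)); // the same request token presented again
```

The two failing exchanges are the checks a real Access URI must make: a request token is useless until a user has approved it, and it cannot be exchanged twice.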

How to Implement REST API Architecture

Creating a REST API from scratch is not an easy job. Fortunately, there are many REST API frameworks available that can be used to quickly develop your API. The simplest option is Flight framework, which is very easy to install and use. Download it and extract the files to Add the .htaccess to that folder with the following code:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

All REST API routes will be created in an index.php file. For example, the following code would be executed if someone requests :

Flight::route('/user', function() {
    echo 'This is api/user';
    // Do something here
});

There are many other features and options, which you can read about in their documentation.

How to Implement OAuth Authorization Standard

For this task we will use the oauth-php library to make the development process quicker and easier. The first thing you will need to do is to allow user registration on the website. You need to generate an application key and application secret during this process. Include the following code at the end of your registration process (when the user has already been stored in the database and you can retrieve the user’s id):

<?php
// Adjust the path to where you placed the oauth-php library
require_once 'oauth-php/library/OAuthStore.php';

// The store must have been initialised once with your database settings,
// e.g. OAuthStore::instance('MySQL', $options); see the oauth-php documentation.
// $db is the PDO connection that just stored the user (the variable name is assumed;
// the beginning of this line is truncated in the original)
$user_id = $db->lastInsertId();

$consumer = array(
    // These two are required
    'requester_name'  => $_POST['name'],
    'requester_email' => $_POST['email'],
    // These are all optional
    'callback_uri'           => '',
    'application_uri'        => '',
    'application_title'      => 'My first application',
    'application_descr'      => 'My first application description',
    'application_notes'      => '',
    'application_type'       => 'website',
    'application_commercial' => 0
);

// Register the consumer (application) and generate application key and application secret
$store = OAuthStore::instance();
$key   = $store->updateConsumer($consumer, $user_id);

// Get the complete consumer from the store (the store needs the owning user's id as well)
$consumer        = $store->getConsumer($key, $user_id);
$consumer_id     = $consumer['id'];
$consumer_key    = $consumer['consumer_key'];
$consumer_secret = $consumer['consumer_secret'];
?>

Now, let’s create the first endpoint, the one that will generate a request token and pass it to the consumer. The PHP file will be request_token.php:


The requestToken() method validates a request for a request token — it checks whether or not the consumer has provided a valid application key and application secret. If the request is valid, a request token is generated and returned to the consumer.

The next step is to redirect the user to the login page. Let’s call it authorize.php:

<?php
// Adjust the path to where you placed the oauth-php library
require_once 'oauth-php/library/OAuthServer.php';

// $user_id must be the id of the user who is currently logged in (for example, taken
// from your session); only a logged-in user may approve a request token
$server = new OAuthServer();
try
{
    // Check that the request carries a valid request token
    $server->authorizeVerify();
    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
        // See if the user clicked the 'allow' submit button (or whatever you choose)
        $authorized = array_key_exists('allow', $_POST);
        // Set the request token to be authorized or not authorized
        // When there was an oauth_callback then this will redirect to the consumer
        $server->authorizeFinish($authorized, $user_id);
        // No oauth_callback, show the user the result of the authorization
        // ** your code here **
    }
}
catch (OAuthException $e)
{
    // No token to be verified in the request, show a page where the user can enter the token to be verified
    // ** your code here **
}
?>

How to Connect OAuth Authorization to a REST API

Now that we know how to create a REST API and how to implement OAuth authorization, let’s see how to connect the two. First, we will create a function that checks whether the request is authorized:

<?php
// Adjust the path to where you placed the oauth-php library
require_once 'oauth-php/library/OAuthRequestVerifier.php';

function is_authorized()
{
    if (OAuthRequestVerifier::requestIsSigned())
    {
        try
        {
            $req     = new OAuthRequestVerifier();
            $user_id = $req->verify();
            // If we have a user_id, then log in as that user (for this request)
            if ($user_id)
            {
                return true;
            }
        }
        catch (OAuthException $e)
        {
            // The request was signed, but failed verification
            header('HTTP/1.1 401 Unauthorized');
            header('WWW-Authenticate: OAuth realm=""');
            header('Content-Type: text/plain; charset=utf8');
            echo $e->getMessage();
            exit();
        }
    }
    // Unsigned request, or a signature that maps to no user: not authorized
    return false;
}
?>
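What requestToken() (in the request-token endpoint above) and OAuthRequestVerifier::verify() (in is_authorized()) actually check on a signed request, as an added example in plain PHP that is not the tutorial's or oauth-php's code: rebuild the OAuth 1.0a signature base string, recompute the HMAC-SHA1 with the consumer secret, and compare in constant time. The consumer key and secret, the URL, the request parameters and the nonce list are constructed.

```php
<?php
// Added example (not the tutorial's or oauth-php's code): server-side verification of an
// OAuth 1.0a HMAC-SHA1 signed request. Consumer credentials and the request are constructed.

function oauth_base_string(string $method, string $url, array $params): string {
    // RFC 5849 3.4.1: percent-encode every key and value, sort the encoded pairs, join with '&'
    $pairs = [];
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') continue;   // the signature itself is never part of the base string
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v);
    }
    sort($pairs, SORT_STRING);
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

function oauth_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    // Key is consumer_secret&token_secret; token_secret is empty when asking for a request token
    $key = rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// $consumers: consumer_key => consumer_secret; $seen_nonces: nonces this consumer already used
function oauth_verify(string $method, string $url, array $params, array $consumers,
                      array $seen_nonces, int $now): bool {
    $ck = $params['oauth_consumer_key'] ?? '';
    if (!isset($consumers[$ck])) return false;                  // unknown application key
    // Replay protection: timestamp inside a 5-minute window and a nonce never seen before
    if (abs($now - (int)($params['oauth_timestamp'] ?? 0)) > 300) return false;
    if (in_array($params['oauth_nonce'] ?? '', $seen_nonces, true)) return false;
    $expected = oauth_sign(oauth_base_string($method, $url, $params), $consumers[$ck]);
    // Constant-time comparison so timing does not leak how many bytes matched
    return hash_equals($expected, $params['oauth_signature'] ?? '');
}

// Constructed sample: the consumer registered earlier asks request_token.php for a request token
$consumers = ['key123' => 'secret456'];
$url    = 'http://example.com/request_token.php';
$params = [
    'oauth_consumer_key'     => 'key123',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1700000000',
    'oauth_nonce'            => 'nonce-1',
    'oauth_version'          => '1.0',
];
$params['oauth_signature'] = oauth_sign(oauth_base_string('POST', $url, $params), 'secret456');
var_dump(oauth_verify('POST', $url, $params, $consumers, [], 1700000000));           // genuine request
$tampered = $params;
$tampered['oauth_nonce'] = 'nonce-2';                                               // altered after signing
var_dump(oauth_verify('POST', $url, $tampered, $consumers, [], 1700000000));
var_dump(oauth_verify('POST', $url, $params, $consumers, ['nonce-1'], 1700000000)); // replay of the first
```

The consumer secret never travels with the request; the server proves the consumer holds it by recomputing the signature, which is why the registration step above must keep consumer secrets as carefully as passwords.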

Then we will add the following route to the REST API:

Flight::route('/user', function() {
    if (is_authorized()) {
        // User is authorized
        // Do something here
    } else {
        // Unsigned request: reject it with 401 (signed but invalid requests are
        // already rejected inside is_authorized())
        Flight::halt(401, 'Unauthorized');
    }
});

It is good practice to place all API functions inside a PHP class, and to call the is_authorized() function inside the class constructor.
