Adding OAuth 2.0 authentication to a RESTful API

Problem:

I have an API that requires OAuth 2.0 authentication. Originally I planned to use the HWIOAuthBundle, but from my research it focuses more on connecting third-party providers to Symfony's security/authentication mechanism, and does not provide the mechanism needed to verify OAuth 2.0 authorization headers.

I then found some information about the FOSOAuthServerBundle, which allows the application to become its own OAuth 2.0 provider and which also provides the security mechanisms needed to check the authorization headers.

However, the problem is that I want the OAuth 2.0 provider (authorization server) to live in an external application (which holds the user base) instead of including it in the API. What I need is a mechanism for the RESTful API to perform token checks against this external application.


I think I should use the implicit grant and call the authorization server on every request to confirm that the token is valid.

Is my reasoning correct?

How do I solve my API problem?

Solution 1:

If I understand your requirements correctly, you need to verify your API calls against the upstream OAuth authorization server:

  • The client must present the access token obtained in the previous step
    together with its request for the protected resource. The access token
    is sent as an Authorization parameter in the request header.
  • The server authenticates the request based on the token.
  • If the token is valid, the client is given access to the protected resource; otherwise access is denied.

Here is an example that may help you meet your needs; consult this document.

Or you could just go with Jersey and Owt…

You can also take a look at Apache Oltu and find out how to meet your needs.

Solution 2:

Many large companies, such as Google, Facebook, etc., have an authorization server that is separate from the API server. Check the Google OAuth authorization flow on

You can also see the details in the OAuth documentation from Google.

You only need to set up one OAuth provider and authenticate against that provider. The list of libraries is available on OAuth's website; you can view it here. There is an example of how an OAuth service provider works in Java.

Solution 3:

oAuth can certainly run on a different server from your application server. Here is a picture of what the authentication sequence looks like:


If the forum cannot decode or verify a token, it will of course return status code 401 instead of status code 200.

As long as your oAuth server and your forum share the same public key, you are more than welcome to separate your oAuth server from your application.

Have a look at it: paste the token you receive from the oAuth server and it should decode the token immediately. You can then paste your public key into the secret field to check whether the token's signature verifies.

Your API (in this example, the forum) should be able to do the same:

1) Take the token from the request header.
2) Decode the token.
3) Check the expiration date.
4) Verify the token against the public verification key.
5) Return the success or failure status code.

Good luck!
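The five steps above, worked through as an added example in Go (not code from the original answer): `mint` stands in for the external authorization server, and `check` is the API side, which holds only the public key. The Bearer prefix, the `sub`/`exp` claim names and the 200/401 status codes are assumptions taken from the answer.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
type claims struct {            // what the API needs from the payload; Exp is a Unix timestamp
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// mint stands in for the external authorization server: it issues an RS256 JWT.
func mint(priv *rsa.PrivateKey, c claims) string {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig)
}

// check is the API side (steps 1 to 5 above); it only holds the public key.
func check(authHeader string, pub *rsa.PublicKey, now time.Time) int {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".") // 1) token from the header
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return 401
	}
	var hdr struct{ Alg string `json:"alg"` } // 2) decode; pin alg so "none" or HS256 tokens are refused
	var c claims
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil ||
		json.Unmarshal(pb, &c) != nil || hdr.Alg != "RS256" {
		return 401
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil || // 4) signature with the shared public key
		c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { // 3) expiry (checked after 4: trust no claim unverified)
		return 401
	}
	return 200 // 5) success
}
```

Because the signature is checked before any claim is used, a token whose payload was altered after issuance, or one signed by a different key, is rejected with 401 even if its expiry looks fine.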
