
How to restrict api method based on grant type (or should I not)? #609

Open
peteclark3 opened this issue Jun 24, 2015 · 1 comment

@peteclark3

Hi there. Just a quick question, I hope. I am using your library for the server side of our APIs, which at this time are only going to be accessed by our mobile app running on users' devices, but at some point down the road we do want to support third parties accessing our users' data, which is one reason we went the OAuth2 route.

In the meantime, we basically just have a need to have some methods accessible to "anonymous" users (like a registration call, a login call, or some basic public data calls) and some methods only accessible to those users that are logged in (we were going to use the password grant type for this).

My question is, is there a way with this library to restrict a method based on grant type? Or, the bigger question, am I going about this in the right way? Defining scopes didn't feel right for this (e.g. defining user or non-user scopes) because, like I said, at some point we do want to support "actual" scopes tied to specific resources in our system, and I figured doing user and non-user scopes would cause problems for us down the road.

So I guess my question is, do I use one of the methods in this library to check "password token vs. client credentials token", or do I write my own code to inspect the token and see if there is a user id associated with it? I ask because it felt like this is something the OAuth2 server would handle, because it is an authorization check, but being new to this in general, I wasn't sure. Again, if there is a better way to do this (e.g. I am using the wrong grant types for this scenario), I am all ears.

Finally, I need to compliment you on your level of documentation and support for your project. The cookbook in your documentation is why I scrapped another OAuth2 PHP library and went with yours. Your commitment and responsiveness is unprecedented in my opinion, and I'm a 19-year software developer. So, thank you!

@activatedgeek

This kind of access restriction can be achieved via scopes. I don't think grant_type would be recommended here.
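To make the scope-based approach from the reply concrete, here is an added example of a resource-server check written for this thread; it is not code from the library discussed in the issue, and the token store, endpoint table and function names are constructed for illustration. Each endpoint declares the scope it requires (or none, for the anonymous registration/login/public calls the question mentions), and the check inspects only the scopes granted to the bearer token, never the grant type that issued it. As the defence-in-depth point the asker raised, scopes that only make sense for a real user additionally require a user id on the token, so a client_credentials token that was mistakenly issued a user scope still cannot reach user data.

```php
<?php
// Added example for this issue thread; not the library's own code.
// Authorization is decided per endpoint by required scope, not by grant_type.

declare(strict_types=1);

// Constructed in-memory token store standing in for the library's storage.
// 'user_id' is null for a client_credentials token, which has no user behind it.
const TOKENS = [
    'tok-client-only' => ['scope' => 'public',         'user_id' => null,    'expires' => 4102444800],
    'tok-user-alice'  => ['scope' => 'public profile', 'user_id' => 'alice', 'expires' => 4102444800],
    'tok-expired'     => ['scope' => 'public profile', 'user_id' => 'bob',   'expires' => 0],
    'tok-misissued'   => ['scope' => 'public profile', 'user_id' => null,    'expires' => 4102444800],
];

// Scope each endpoint requires; null means anonymous access is allowed.
const ENDPOINT_SCOPES = [
    'POST /register'   => null,
    'POST /login'      => null,
    'GET /public/news' => 'public',
    'GET /me/profile'  => 'profile',
];

// Scopes that only make sense when a user authorized the token (password,
// authorization_code grants). A token carrying one without a user is rejected.
const USER_SCOPES = ['profile'];

function parseBearer(?string $authorizationHeader): ?string
{
    if ($authorizationHeader === null) {
        return null;
    }
    // Only the "Bearer <token>" form is accepted; anything else is treated as absent.
    if (preg_match('/^Bearer\s+(\S+)$/i', $authorizationHeader, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Returns an HTTP status plus the user the request acts on behalf of (if any).
function authorize(string $endpoint, ?string $authorizationHeader, int $now): array
{
    if (!array_key_exists($endpoint, ENDPOINT_SCOPES)) {
        return ['status' => 404, 'user_id' => null];
    }
    $required = ENDPOINT_SCOPES[$endpoint];
    if ($required === null) {
        return ['status' => 200, 'user_id' => null]; // anonymous endpoint
    }

    $token = parseBearer($authorizationHeader);
    if ($token === null || !isset(TOKENS[$token])) {
        return ['status' => 401, 'user_id' => null]; // no usable credential
    }
    $info = TOKENS[$token];
    if ($info['expires'] <= $now) {
        return ['status' => 401, 'user_id' => null]; // expired token
    }

    $granted = explode(' ', $info['scope']);
    if (!in_array($required, $granted, true)) {
        return ['status' => 403, 'user_id' => null]; // valid token, insufficient scope
    }
    if (in_array($required, USER_SCOPES, true) && $info['user_id'] === null) {
        return ['status' => 403, 'user_id' => null]; // user scope without a user
    }
    return ['status' => 200, 'user_id' => $info['user_id']];
}

// Usage: the client_credentials token reaches public data but not a profile,
// the password-grant token reaches both, registration needs no token at all.
$now = 1700000000;
foreach ([
    ['GET /public/news', 'Bearer tok-client-only'],
    ['GET /me/profile',  'Bearer tok-client-only'],
    ['GET /me/profile',  'Bearer tok-user-alice'],
    ['GET /me/profile',  'Bearer tok-misissued'],
    ['GET /me/profile',  'Bearer tok-expired'],
    ['POST /register',   null],
] as [$endpoint, $header]) {
    $result = authorize($endpoint, $header, $now);
    printf("%-18s %-24s -> %d\n", $endpoint, $header ?? '(no header)', $result['status']);
}
```

The important design choice is that the token store records scopes and the user, not the grant that produced the token: a client_credentials token and a password-grant token are then distinguished by what they were allowed to do, which is exactly the model that keeps working once third-party clients and resource-specific scopes are added later. Issuance policy (which grants may receive which scopes) lives in the authorization server; the resource server only verifies the result.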
