I think adding new authentication methods would be crucial to the success of this module, since the current methods (basic auth or cookies) may not work for certain applications.
One method I'd like to implement is OAuth. Klausi and I discussed how it could work, but we aren't certain what the best way is.
Our implementation is that, for each user that wishes to authenticate using OAuth, RestWS should create a new meta user with restricted permissions. However, I'm not sure if I like the idea of having a lot of "virtual" users just for that use case.
What do you think, RestWS community, is this the way to implement OAuth, or is there another, better way? Or are there even other authentication methods you would prefer?
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 1494132-additional-authentication-oauth.patch | 5.66 KB | sepgil |
Comments
Comment #1
klausi commented
Comment #2
sepgil commented
I've been playing with the OAuth module, which was a little bit hard to understand, since there is basically no documentation for it, neither for end users nor for developers. But the Services OAuth integration did help, though.
To integrate OAuth into RestWS we would simply need to call
oauth_common_verify_request();
which returns whether the request was signed, the consumer and the access token. RestWS then has to check if the request is signed, if the consumer and the token are valid (depending on which OAuth security level we are using) and if the context and authorization level are the right ones. Therefore we would need a user interface (which RestWS currently doesn't have) to let the users set all the settings for OAuth.
The real problem currently is, however, how to implement the permissions. Since RestWS uses Drupal's permission system, our OAuth integration would need to log in a user.
Creating a user for each consumer won't work because of the workflow:
Each user has to create a consumer for himself and each client/consumer has to request authorization for that consumer. The user then can grant him more or less permissions (3-legged OAuth). Because of this, we can't simply create users with the right permissions, and besides, since authorizations normally only last for a certain time, we would have a lot of dummy users after some time.
A simpler way to integrate OAuth would be to log in the user to which the consumer belongs. I've tried it using hook_init() and user_load(), but for unknown reasons, I always need to do the request a couple of times before it works.
Besides that, we lose one of the key aspects of OAuth: that you can limit the access for an OAuth client.
So to conclude, I'm not sure if and how we should integrate OAuth. I feel like RestWS would lose simplicity and that currently there is no correct way to implement it. The only clean way to integrate it would be to introduce a security layer to RestWS...
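As an added illustration of the flow comment #2 describes (not code from the RestWS project and not sepgil's patch), here is a Drupal 7 hook_init() that calls the OAuth module's oauth_common_verify_request(), denies the request unless it verifies as an authorized access token, and only then acts as the token's owner for the remainder of the request. Assumptions not confirmed by the thread: the module name restws_oauth (taken from the backtrace in comment #6), that oauth_common_verify_request() returns array($signed, $consumer, $token) in the order the comment lists, that DrupalOAuthToken exposes $type, $authorized and $uid, and that OAUTH_COMMON_TOKEN_TYPE_ACCESS marks access tokens.

```php
<?php
/**
 * @file
 * Added example, not the RestWS project's code and not the patch in this
 * issue. Verifies an OAuth-signed request in hook_init() and acts as the
 * token's owner only when verification succeeds.
 *
 * Assumptions: module name restws_oauth; oauth_common_verify_request()
 * returns array($signed, $consumer, $token); DrupalOAuthToken has $type,
 * $authorized and $uid; OAUTH_COMMON_TOKEN_TYPE_ACCESS marks access tokens.
 */

/**
 * Implements hook_init().
 */
function restws_oauth_init() {
  // Leave unsigned requests alone so RestWS's basic-auth and cookie
  // handling still apply, and OAuth header parsing does not run on
  // every page load.
  if (!restws_oauth_request_carries_oauth()) {
    return;
  }

  module_load_include('inc', 'oauth_common');
  try {
    list($signed, $consumer, $token) = oauth_common_verify_request();
  }
  catch (OAuthException $e) {
    // Bad signature, stale timestamp or replayed nonce: refuse outright
    // instead of silently continuing as anonymous.
    watchdog('restws_oauth', 'OAuth verification failed: @msg',
      array('@msg' => $e->getMessage()), WATCHDOG_WARNING);
    restws_oauth_deny();
  }

  // OAuth parameters were present but did not verify: deny.
  if (empty($signed) || empty($consumer) || empty($token)) {
    restws_oauth_deny();
  }

  // Only an authorized access token may act for a user; request tokens
  // exist solely for the authorization step (assumed property names).
  if ($token->type != OAUTH_COMMON_TOKEN_TYPE_ACCESS || empty($token->authorized)) {
    restws_oauth_deny();
  }

  // Act as the user who authorized the token (3-legged flow), for this
  // request only: no session is written, so no persistent login and no
  // "virtual" user is created.
  $account = user_load($token->uid);
  if (!$account || !$account->status) {
    restws_oauth_deny();
  }
  drupal_save_session(FALSE);
  $GLOBALS['user'] = $account;
}

/**
 * Returns TRUE when the request carries OAuth 1.0a parameters, either in
 * the query/body or in an "Authorization: OAuth ..." header.
 */
function restws_oauth_request_carries_oauth() {
  if (isset($_GET['oauth_consumer_key']) || isset($_POST['oauth_consumer_key'])) {
    return TRUE;
  }
  $auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
  return stripos(trim($auth), 'OAuth ') === 0;
}

/**
 * Ends the request with 401 and an OAuth challenge header.
 */
function restws_oauth_deny() {
  drupal_add_http_header('Status', '401 Unauthorized');
  drupal_add_http_header('WWW-Authenticate', 'OAuth realm="restws"');
  print 'Unauthorized';
  drupal_exit();
}
```

The switch to the token's owner happens through the global user object alone, with drupal_save_session(FALSE) so nothing is persisted; that keeps the per-request nature of OAuth without creating the dummy accounts the comment is worried about, though it still grants the owner's full Drupal permissions rather than the narrower scope a client was authorized for.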
Comment #3
sepgil commented
I finally managed to log in the user properly. So I'm posting this patch, in case anyone wants to try out OAuth with RestWS. Currently the new module simply logs a user in if the OAuth is successful and therefore ignores authentication levels.
I added some tips on how to try it out in the readme.
Comment #4
duvalbruno commented
I am more than interested in this, as Services Commerce is lacking dev support, and your REST service seems to handle all entities.
Hence I guess the Drupal Commerce entities as well, right?
Comment #5
sepgil commented
Yes, it works with Drupal Commerce entities as well. I used it for my RestWS screencast.
Comment #6
duvalbruno commented
Thanks, I will try to get the licence info with this module, as Services or Services Commerce are not up to the task.
Thanks
EDIT: Is the screencast public? Can I/we get access to it?
EDIT2: I just applied the patch to get OAuth and I got these notices all over the place.
Notice: Undefined index: Auth in OAuthUtil::get_headers() (line 843 of /home/admin/public_html/sites/all/modules/oauth/lib/OAuth.php). Backtrace:
OAuthUtil::get_headers() OAuth.php:284
OAuthRequest::from_request(NULL, NULL, NULL) DrupalOAuthRequest.inc:47
DrupalOAuthRequest::from_request() oauth_common.inc:56
oauth_common_verify_request() restws_oauth.module:96
restws_oauth_init()
call_user_func_array('restws_oauth_init', Array) module.inc:850
module_invoke_all('init') common.inc:5050
_drupal_bootstrap_full() bootstrap.inc:2201
drupal_bootstrap(7) index.php:20
Comment #7
duvalbruno commented
I will try to find out which module interaction is giving this message, as I have a couple installed and activated....
EDIT:
Just deactivated all modules related to Service, OAuth, REST, XML-RPC
Activated only RESTws, OAuth and RestWS OAuth
Error comes back
Deactivate RestWS OAuth
Flush cache
Error is gone
Reactivate RestWS OAuth
Error comes back (obviously)
Comment #8
sepgil commented
You can find it on YouTube.
Comment #9
duvalbruno commented
Great screencast!
Now I got all I need...mostly, still have the OAuth patch that breaks on my box. But I will go without for now.
Thanks for the good work.
EDIT: After I deactivated Services, the XMLRPC/REST server, and Services OAuth, the OAuth patch does not generate errors anymore.
Trying to get a C# client to connect, but I keep getting 403 Forbidden (tried with WebRequest, Hammock), no luck.
Comment #10
bojanz commented
The authentication should be pluggable like it is with Services; no reason why I shouldn't be able to plug in OAuth2 (from my oauth2_server module), etc.