web-servicesauthenticationwebservice-clientuser-managementuser-identification

webservice authentication and user identity management


My team and me are currently working on quite a large project. We are working on an online game, which will be accessible (for the moment), in two ways: -Via a web browser, an application full JavaScript(client-side), full Ajax (basically meaning that the UI will be managed in JS client side). -Via an iPhone application (the UI will be managed by the application itself).

Between the two different applications, the core logic remains the same, so I believe (I could be wrong), that the best solution would be to create a web service (if possible using standards such as RESTful or Rest) capable of perming all necessary operations.

Following this logic, I have encountered a problem: the authentication and identity management of the user. This poses problem as the applications users need to be authenticated to preform certain operations.

I’ve looked into WS-security, but this obviously requires passwords to be stored, unencrypted on the server, which is not acceptable! I then looked into Oauth, but at first glance this seemed like a lot of work to set up and not particularly suited to my needs (the way that applications have to be accepted does not please me since it will be my application and my application only using the web service, not any external application). I’ve read and heard about a lot of other ways to do what I want, but to be honest, I’m a little confused and I don’t know what information is reliable and what isn’t.

I would like to note that I’m using symfony2 for the backend and jquery for the client side JavaScript. Furthermore, I would like a detailed, step-by-step response, because I really am confused with all that I have read and heard.

Thank you for your time, and I hope someone can help me as it’s quite urgent.

Good evening


Solution

  • I'm not entirely sure if this answers your request, but since the UI will always be handled on the client side, I think you could use stateless HTTP authentication:

    This is the firewall in security.yml:

    security:
        firewalls:
            api:
                pattern: ^/api/ # or whatever path you want
                http_basic: ~
                stateless: true
    

    And then the idea basically is that on the server, you use your normal user providers, encoders and whatnot to achieve maximal security, and on the client, you send the HTTP authentication headers, for example, in jQuery:

    $.ajax("...", {
        username: "Foo",
        password: "bar"
    });
    

    Please note that since the authentication is stateless (no cookie is ever created), the headers have to be sent with every request, but, I figure, since the application is almost entirely client-side, this isn't a problem.

    You can also check the Symfony2 security manual for further information on how to setup HTTP authentication. Also be sure to force HTTPS access in your ACL, so the requests containing the credentials are secured (requires_channel: https in your ACL definitions).