What's the best / recommended way to authenticate users using REST in Symfony?


I am developing REST APIs in a Symfony application.

Right now my APIs are used by my application only on the frontend (AJAX requests by AngularJS). In future I would like to expose the same APIs to third-party applications as well.

Also I will be having Android, iPhone apps etc. in future.

I have integrated FOSOAuthServerBundle, and have tried all grant type workflows. It's all working. But I am confused about whether these can be used by my application, or are they only for 3rd-party applications that would like to integrate with my application?

I understand how these workflows can be used by 3rd-party apps. But I really can't understand how I can authenticate my native application users.

I want to know how to use this bundle to authenticate users on my website through REST APIs from my frontend app.

Currently I am using FOSUserBundle and form_login to authenticate the user, but I am changing the frontend to use AngularJS and REST. So ideally authentication should just work like form_login authentication, but it should be REST based.

I did research on it and people suggest using "Resource Owner Password Credentials", but it needs the client secret to be exposed in JavaScript, which may not be secure.

It should work e.g. the user submits username/password credentials like in the case of form_login, but instead of redirecting it should just return an access_token.

Do I need to write my own custom authentication provider which uses UsernamePasswordToken and a firewall listener like OAuthListener which returns an access_token? Would that be secure to use?


There is 1 answer

piotr.jura On BEST ANSWER

A similar question with some discussion here: Symfony2 FOSOAuthServerBundle grant type password requires client secret

If you don't want to expose the secret, use a proxy between your front-end Angular code and the actual OAuth server. Anyway, even if you expose the secret it still needs user credentials.

You can set the allowed grant types for each OAuth client, so in case you create mobile apps, you'll want to generate a separate pair of client_id & client_secret for the app and for the front-end, with the only allowed grant type being "password" for the front-end app.
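The two points in the answer above, as an added example that is not part of the original question or answer and not code from FOSOAuthServerBundle itself: a server-side login proxy that receives only the user's username/password from the Angular front end, adds the client_id/client_secret on the server, and forwards the password grant to the bundle's token endpoint; and a small provisioning service that creates one OAuth client per consumer with only the grant types that consumer needs. Assumptions: the bundle's default token route `/oauth/v2/token`, the Symfony HttpClient component, PHP 8 attribute routing, and that `$tokenUrl`, `$clientId` and `$clientSecret` are injected from configuration rather than hard-coded; the hostnames and the `/api/login` route are made up for the example.

```php
<?php
// Added example (not the original post's code). Assumes FOSOAuthServerBundle's
// default token endpoint /oauth/v2/token and the Symfony HttpClient component.

namespace App\Controller;

use FOS\OAuthServerBundle\Model\ClientManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Contracts\HttpClient\HttpClientInterface;

/**
 * Proxy for the "password" grant: the browser sends only user credentials,
 * the client secret stays on the server.
 */
final class LoginProxyController
{
    public function __construct(
        private HttpClientInterface $http,
        private string $tokenUrl,      // assumed: 'https://api.example.test/oauth/v2/token'
        private string $clientId,      // injected from config; never sent to the browser
        private string $clientSecret,  // injected from config; never sent to the browser
    ) {
    }

    #[Route('/api/login', methods: ['POST'])]
    public function login(Request $request): JsonResponse
    {
        $username = (string) $request->request->get('username', '');
        $password = (string) $request->request->get('password', '');
        if ($username === '' || $password === '') {
            return new JsonResponse(['error' => 'invalid_request'], Response::HTTP_BAD_REQUEST);
        }

        // Server-to-server call to the OAuth token endpoint; the secret is added here.
        $response = $this->http->request('POST', $this->tokenUrl, [
            'body' => [
                'grant_type'    => 'password',
                'client_id'     => $this->clientId,
                'client_secret' => $this->clientSecret,
                'username'      => $username,
                'password'      => $password,
            ],
        ]);

        // toArray(false): do not throw on 4xx, so the OAuth error code can be relayed.
        $status = $response->getStatusCode();
        $data   = $response->toArray(false);
        if ($status !== 200) {
            // Relay only the OAuth error code, not the token server's full error body.
            return new JsonResponse(['error' => $data['error'] ?? 'invalid_grant'], Response::HTTP_UNAUTHORIZED);
        }

        // Return only what the front end needs to call the API.
        return new JsonResponse([
            'access_token' => $data['access_token'],
            'token_type'   => $data['token_type'],
            'expires_in'   => $data['expires_in'],
        ]);
    }
}

/**
 * One OAuth client per consumer, each limited to the grant types it needs.
 * The mobile app and any third party get their own client_id/client_secret pair.
 */
final class OAuthClientProvisioner
{
    public function __construct(private ClientManagerInterface $clientManager)
    {
    }

    public function provision(): void
    {
        // Front-end client: only the password grant, used exclusively through the proxy above.
        $frontend = $this->clientManager->createClient();
        $frontend->setRedirectUris([]);                  // password grant needs no redirect URI
        $frontend->setAllowedGrantTypes(['password']);
        $this->clientManager->updateClient($frontend);   // client_id / client_secret are generated on save

        // Third-party client: authorization code flow plus refresh, no password grant.
        $partner = $this->clientManager->createClient();
        $partner->setRedirectUris(['https://partner.example.test/callback']); // constructed value
        $partner->setAllowedGrantTypes(['authorization_code', 'refresh_token']);
        $this->clientManager->updateClient($partner);
    }
}
```

With this layout the front end never holds a client secret, the proxy is the only place that can use the front-end client, and a partner application that obtains the front-end client_id still cannot use it without the secret or with a grant type other than "password". Serve `/api/login` over HTTPS only and apply the same rate limiting you would give a form_login endpoint, since it accepts user passwords directly.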