Creating new clients in OAuth2 implementation about api-tools HOT 4 OPEN

I think this thread can be closed. Apigility is not what I'm looking for, it'll be better to have more granular control over what's going on behind the stage, Laravel will do the job very well. Thanks!

Originally posted by @manuelro at zfcampus/zf-apigility#159 (comment)

from api-tools.

A User has Clients. The Client table has a reference to User.

This allows one User to have multiple Clients; one per application which implements your API. This diagram may help but it uses a disconnected User so the relationships to User are not mapped.

Originally posted by @TomHAnderson at zfcampus/zf-apigility#159 (comment)

from api-tools.

I think I haven't got this straight. Users can be a simple service under my API. How do I connect the users with the clients? Is it done manually? Do Apigility has a faster way for doing this?

Originally posted by @manuelro at zfcampus/zf-apigility#159 (comment)

from api-tools.

You want specific users to have access to a specific client. That's not what OAuth2 does. You will need to authenticate your users against a list of permissioned clients in order to issue an access token.

Look at it this way: At Facebook if I create a client for my app how do I filter the people that can use my app? I believe the correct answer is: "I don't". The Client entity is owned by a user and there is no other security about who can use a client as long as the authorization code handshake can be performed.

A user is connected to a Client through an Authorization Code, Access Token, or Refresh Token. The user USING the app is linked from one or all of these Tokens. So given a Client A owned by user 1 where users 2 and 3 are authenticated using the Client A credentials user 1 is the client owner and users 2 and 3 are authorized for Client A.

Originally posted by @TomHAnderson at zfcampus/zf-apigility#159 (comment)

from api-tools.