Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Simple OAuth is an implementation of the OAuth 2.0 Authorization Framework: Bearer Token specification.
Using OAuth 2.0 Bearer Token is very easy. See how you can get the basics working in less than a minute!
This project is focused in simplicity of use and flexibility. When deciding which project to use, also consider other projects like OAuth, an OAuth 1 implementation that doesn't rely on you having https in your production server.
Quick demo
The following animation shows the steps you need to do in order to authorize a REST request with a token.
- Install the Simple Oauth module.
- Go to REST UI and enable the token bearer authentication in your resource.
- (Not shown) Permissions are set to only allow to view nodes via REST with the authenticated user.
- Go to your user's profile and create a token:
- Select the user you want to identify.
- Select the token expiration date.
- Select the resource. You can create your own token resources or use the default Global. A token resource is a collection of permissions. The user authenticated via a bearer token will have access denied for any permission outside of the token resource. For permissions inside of the token resource, regular Drupal permission checks will apply.
- Request a node via REST without authentication and watch it fail.
- Request a node via REST with the header
Authorization: Bearer {YOUR_TOKEN}and watch it succeed.
Video tutorials
Watch a detailed explanation on how to use this module in the video tutorials:
My token has expired!
First, that is a good thing. Tokens are like cash, if you have it you can use it. You don't need to prove that token belongs to you, so don't let anyone steal your token. In order to lower the risk tokens should expire fairly quickly. If your token expires in 120s then it will be only usable during that window.
What do I do if my token was expired?
Along with your access token, an authentication token is created. It's called the refresh token . It's a longer lived token, that it's associated to an access token and can be used to create a replica of your expired access token. You can then use that new access token normally.
To use your refresh token you will need to make a request against /simple-oauth/refresh providing the header Authorization: Bearer {YOUR REFRESH TOKEN}. That will return a JSON document with the new token. That URL can only be accessed with your refresh token, even if your access token is still valid.
What do I do if my refresh token was also expired?
Then you will need to log into Drupal and go to your profile page to generate a new token from scratch. You can avoid this by refreshing your access token before your refresh token expires. This way you avoid the need to require the user to go to Drupal to create a new token.
Another way to mitigate this is to use longer expiration times in your tokens. This will work, but the the recommendation is to refresh your token in time.
Recommendation
Check the official documentation on the Bearer Token Usage. And turn on SSL!.
| Attachment | Size |
|---|---|
| 2015-12-10 09-04-11.png | 620.52 KB |
Comments
REST ?
I went thr' your details. But there slight more information needed.
e.g. Clarification 1)* Every user can able register with oauth. and then using REST api how will you create secured way to get Access token ? how will you use to make user authenticated in drupal.
Clarification 2). Let say if I used 3rd party authorization where I get token from FB / Google but I want their token value should be used to create new user. This information is also missing.