Chapter 13. OAuth 2.0 Protocol Securing our API

The MVP of our product is almost finished. Due to the nature of the architecture we chose, we have an exposed API. As we don't want people to mess around with our data and users, we need to protect it somehow. There are different mechanisms we could implement to authenticate clients, but in this chapter we will implement a simple version of OAuth 2.0. Later on, with a few modifications, we can extend the code we put in place here to allow third-party apps to use our API.

By the end of this chapter we will know how to implement the two-legged OAuth 2.0 variant in a Zend Framework 2 application and secure our APIs.

Overview

Most of the work is going to be done at the API level. The client only needs to make a few calls to the API to obtain the corresponding access token; once it has one, it will be able to query our API.

In ZF2 you can find an OAuth 2.0 component, but unfortunately it only acts as a client for APIs that support OAuth 2.0. The other side of the problem is not covered yet: if you want to protect your own API, nothing in ZF2 is going to help you right now.

To accomplish the objective of this chapter, we are going to integrate a fabulous OAuth 2.0 server component developed by Brent Shaffer under the MIT License. This component will let us forget about implementing the OAuth 2.0 protocol ourselves and make it work without too much effort.
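To make the two-legged flow described above concrete before we wire in the server component, here is an added example (not code from the book or from Brent Shaffer's component) that models both sides of the exchange in Python: the token endpoint that trades client credentials for a bearer token, and the resource endpoint that accepts only a valid, unexpired token. The client registry, client id and secret are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed client registry (assumption): in the real application this
# lives in the storage managed by the OAuth 2.0 server component.
CLIENTS = {"mobile-app": "s3cr3t-example"}  # client_id -> client_secret
TOKEN_TTL = 3600                              # seconds a token stays valid
_tokens = {}                                  # access_token -> {client_id, expires}


def token_endpoint(params, now=None):
    """Two-legged (client credentials) grant: trade client credentials for a bearer token."""
    now = time.time() if now is None else now
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    expected = CLIENTS.get(params.get("client_id", ""))
    # Constant-time comparison so a wrong secret cannot be told apart by timing.
    if expected is None or not hmac.compare_digest(expected, params.get("client_secret", "")):
        return {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)  # unguessable, single-use-per-issue token
    _tokens[token] = {"client_id": params["client_id"], "expires": now + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def verify_resource_request(headers, now=None):
    """Resource side: return the client_id behind a valid bearer token, or None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    record = _tokens.get(token)
    if record is None or record["expires"] <= now:
        _tokens.pop(token, None)  # forget expired tokens instead of keeping them around
        return None
    return record["client_id"]


def api_call(headers, now=None):
    """A protected API endpoint: 401 without a valid token, 200 with the caller's identity."""
    client = verify_resource_request(headers, now)
    if client is None:
        return 401, {"error": "invalid_token"}
    return 200, {"hello": client}
```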
