
I'm working on a REST API with Symfony2 (FOSRestBundle, FOSOauthBundle, JMSBundle) and I do not understand (and can't find) how I'm supposed to set up my AngularJS app to access my API resources. I'm a bit confused about the security part and have a lot of questions.

1- I prepared the OAuth client. Since the Angular code is exposed, I'm pretty sure that I can't put my secret and client id inside the code for authentication, so I'm stuck. H

2- I'm getting a (No 'Access-Control-Allow-Origin') error when I try to access the resources. How can I simply allow my app to access the resources (CORS! nelmio/cors-bundle?), but then I'm getting confused about the role of OAuth and CORS authorization for my app.

Any help will be appreciated. Thanks

1
  • CORS is not a function of authentication - that's just a way to relax the same origin policy. So don't let that confuse you - CORS and OAuth are doing different, mutually exclusive things. en.wikipedia.org/wiki/Same-origin_policy Commented Apr 30, 2015 at 12:12

1 Answer 1

1
  1. You can expose it. It's not full authorization. It's only client auth, not user auth.

  2. NelmioCorsBundle is a good choice. You need a config like this:

    nelmio_cors:
        defaults:
            allow_credentials: false
            allow_origin: []
            allow_headers: []
            allow_methods: []
            expose_headers: []
            max_age: 0
            hosts: []
        paths:
            '^/':
                allow_origin: ['*']
                allow_headers: ['origin', 'x-requested-with', 'content-type', 'authorization']
                allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS']
                max_age: 0
    

There is allow_origin, you should set it to my.frontend.domain.com. This will open your API, for example, for your AngularJS frontend. If you are building the API as a service (open for everyone), then open it to all origins "*".

CORS is not authorization. Treat it as a firewall. Then you still need authorization (OAuth).
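To make the separation concrete, here is an added example (not part of the question, the answer, or NelmioCorsBundle's own code) that models how an API answers browser requests under a policy shaped like the `'^/'` block above, with the OAuth bearer-token check kept as a separate gate. The origin `https://my.frontend.domain.com`, the `handle`/`corsHeaders`/`bearerAuthorized` functions, the token value and the sample requests are all constructed for the illustration. It also shows one thing the "firewall" picture hides: a request from a non-listed origin still reaches the API and is still processed; what CORS withholds is only the browser's permission to read the response.

```javascript
// Added example, not code from the question, the answer or NelmioCorsBundle.
// Two independent gates are applied to each request:
//   1. CORS: may a page from this browser origin read the response at all?
//   2. OAuth: does the caller present a valid access token for the resource?

// Policy constructed to mirror the answer's '^/' block, with allow_origin
// narrowed to one frontend origin rather than '*'.
const corsPolicy = {
  allow_origin: ['https://my.frontend.domain.com'],
  allow_headers: ['origin', 'x-requested-with', 'content-type', 'authorization'],
  allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'],
  allow_credentials: false,
  max_age: 0,
};

// Constructed stand-in for the OAuth server's access-token lookup (hypothetical).
const validAccessTokens = new Set(['constructed-access-token']);

function originAllowed(policy, origin) {
  if (!origin) return false; // no Origin header: same-origin or non-browser caller
  return policy.allow_origin.includes('*') || policy.allow_origin.includes(origin);
}

function parseList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// CORS headers to attach for an allowed origin; null when the origin is not allowed.
function corsHeaders(policy, req) {
  const origin = req.headers.origin;
  if (!originAllowed(policy, origin)) return null;
  return {
    // Echo the caller's origin only when it is on the list; '*' only if the policy says so.
    'Access-Control-Allow-Origin': policy.allow_origin.includes('*') ? '*' : origin,
    ...(policy.allow_credentials ? { 'Access-Control-Allow-Credentials': 'true' } : {}),
  };
}

function bearerAuthorized(req) {
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  return m !== null && validAccessTokens.has(m[1]);
}

function handle(policy, req) {
  const cors = corsHeaders(policy, req);
  const method = req.method.toUpperCase();

  if (method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: decided purely from the policy, no token is involved.
    const wantMethod = req.headers['access-control-request-method'].toUpperCase();
    const wantHeaders = parseList(req.headers['access-control-request-headers']);
    const allowedHeaders = policy.allow_headers.map((h) => h.toLowerCase());
    if (cors === null || !policy.allow_methods.includes(wantMethod)
        || wantHeaders.some((h) => !allowedHeaders.includes(h))) {
      return { status: 403, headers: {}, reason: 'preflight rejected' };
    }
    return {
      status: 204,
      headers: {
        ...cors,
        'Access-Control-Allow-Methods': policy.allow_methods.join(', '),
        'Access-Control-Allow-Headers': policy.allow_headers.join(', '),
        'Access-Control-Max-Age': String(policy.max_age),
      },
      reason: 'preflight ok',
    };
  }

  // Actual request: processed regardless of origin. A non-listed origin only means
  // no CORS headers go back, so the browser hides the response from the page; the
  // token check is what decides whether the resource is handed out at all.
  if (!bearerAuthorized(req)) {
    return { status: 401, headers: cors || {}, reason: 'missing or invalid bearer token' };
  }
  return { status: 200, headers: cors || {}, reason: 'ok' };
}

// Constructed sample requests, as a browser would send them.
const sampleRequests = {
  preflight: { method: 'OPTIONS', headers: { origin: 'https://my.frontend.domain.com',
    'access-control-request-method': 'GET', 'access-control-request-headers': 'authorization' } },
  allowedNoToken: { method: 'GET', headers: { origin: 'https://my.frontend.domain.com' } },
  allowedWithToken: { method: 'GET', headers: { origin: 'https://my.frontend.domain.com',
    authorization: 'Bearer constructed-access-token' } },
  otherOriginWithToken: { method: 'GET', headers: { origin: 'https://other.example',
    authorization: 'Bearer constructed-access-token' } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests)) {
    out[name] = handle(corsPolicy, req);
    console.log(name, out[name].status, out[name].reason);
  }
  return out;
}

runSamples();
```

Reading the four sample results together: the preflight passes on policy alone (204), the allowed origin without a token is refused by the OAuth gate (401) even though CORS let it through, and the request from the non-listed origin with a valid token is still served (200) but without an `Access-Control-Allow-Origin` header, so a browser page on that origin cannot read it. Restricting `allow_origin` therefore limits which web pages can consume the API from a browser; it does not replace the token check.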
