I used OAuth2 code for my API server from GitHub: https://github.com/lucadegasperi/oauth2-server-laravel
Instead of using standard Laravel Auth, I want to use Sentry, because Sentry has a lot of features for sending mail, banning, approving registration, ...
I successfully created a connection from my client (Laravel with the Guzzle plugin) to my API server, but I cannot keep a Sentry session. Is that OK or not? How can I know the permissions, groups or whatever of my user on the API server? For each API call I send an access_token, but that is enough for OAuth2. I have no idea how to keep a Sentry session, for example:
I logged in with a user with moderator permission, and I send a new request to the API to get some moderator information; I do not know whether it is a moderator or administrator or what, because I do not have a Sentry session.
Maybe oauth:scope1,scope2 is enough, and maybe I do not need Sentry, but then I do not have the Sentry features (see the beginning of this post).
I believe my problem is trivial, but I do not know how to resolve this issue. I do not have any idea :(
Your issue is that your understanding of OAuth2 is flawed. OAuth2 is for authentication, not authorization.
Generally with OAuth2 you will have three servers:
Now, servers two and three can be (and often are) the same thing, in which case it's likely a model that you will query.
What happens is your user first talks to the authentication server and says, "I am this user."
If the authentication server believes them, they are issued a token to use in requests to your resource server (there are a couple more steps in between, but your question seems to imply you understand those).
When the request is made to the resource server with the access token, the resource server then asks the authentication server "who is this person?" to validate the token.
(At this point you will have received the id linked to the token from the authentication server, which is what the rest of your application will know the user as.)
The resource server then asks the authorization server "what can this person do?" or "can this person do action x?"
The resource server receives a grant or deny response from the authorization server and either serves the response or throws an access denied response.
Hopefully this should help you get on track with what the difference is between Sentry and OAuth2.
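One way to wire the flow the answer describes into the asker's stack, as an added example that is not part of the question, the answer, or either package: the package's own oauth middleware validates the token (authentication), then this middleware resolves the token's owner id to a Sentry user and checks a Sentry permission (authorization) per request, so no Sentry session is needed. It assumes Laravel 5 middleware, Authorizer::getResourceOwnerId() from lucadegasperi/oauth2-server-laravel v4+, and Cartalyst Sentry 2's Sentry::findUserById() and hasAccess(); check the names against your installed versions.

```php
<?php
// Added example, not from the question, the answer, or either library's docs.
// Assumed APIs: Authorizer::getResourceOwnerId() (oauth2-server-laravel v4+),
// Sentry::findUserById() and $user->hasAccess() (Cartalyst Sentry 2).

namespace App\Http\Middleware;

use Closure;
use Cartalyst\Sentry\Facades\Laravel\Sentry;
use Cartalyst\Sentry\Users\UserNotFoundException;
use LucaDegasperi\OAuth2Server\Facades\Authorizer;

class SentryPermission
{
    /**
     * Register this in the HTTP kernel as 'sentry.can' and chain it after
     * the package's 'oauth' middleware, for example:
     *
     *   Route::get('mod/reports', [
     *       'middleware' => ['oauth:moderator', 'sentry.can:reports.view'],
     *       'uses'       => 'ReportController@index',
     *   ]);
     *
     * 'oauth' answers "who is this?" (token validation); this middleware
     * answers "what may they do?" using Sentry groups and permissions.
     */
    public function handle($request, Closure $next, $permission)
    {
        // The user id that was stored with the access token when it was issued
        $ownerId = Authorizer::getResourceOwnerId();

        try {
            $user = Sentry::findUserById($ownerId);
        } catch (UserNotFoundException $e) {
            // Token is valid but points at a user Sentry no longer knows
            return response()->json(['error' => 'unknown_user'], 401);
        }

        // Sentry permissions are inherited from groups, so a member of a
        // 'Moderators' group carrying 'reports.view' => 1 passes here
        if (! $user->hasAccess($permission)) {
            return response()->json(['error' => 'access_denied'], 403);
        }

        // Hand the resolved user (and its groups) to the controller for this
        // request only; nothing is written to a session
        $request->attributes->set('sentry_user', $user);

        return $next($request);
    }
}
```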