Authorization

This part of documentation is about authorization to Sylius platform through API. In order to check this configuration, please set up your local copy of Sylius platform and change sylius.dev to your address.

OAuth2

Sylius has configured OAuth2 authorization. The authorization process is standard procedure. Authorize as admin and enjoy the API!

Note

User has to have ROLE_API_ACCESS role in order to access /api resources

Create OAuth client

Use Sylius command:

php bin/console sylius:oauth-server:create-client \
    --grant-type="password" \
    --grant-type="refresh_token" \
    --grant-type="token"

You will receive client public id and client secret

Example Result

A new client with public id 3e2iqilq2ygwk0ccgogkcwco8oosckkkk4gkoc0k4s8s044wss, secret 44ectenmudus8g88w4wkws84044ckw0k4w4kg0sokoss84oko8 has been added

Tip

If you use Guzzle check out OAuth2 plugin and use Password Credentials.

Obtain access token

Send the request with the following parameters:

Definition

GET /api/oauth/v2/token
Parameter Parameter type Description
client_id query Client public id generated in the previous step
client_secret query Client secret generated in the previous step
grant_type query We will use ‘password’ to authorize as user. Other available options are token and refresh-token
username query User name
password query User password

Note

This action can be done by POST method as well.

Example

curl http://sylius.dev/api/oauth/v2/token \
    -d "client_id"=demo_client \
    -d "client_secret"=secret_demo_client \
    -d "grant_type"=password \
    -d "username"=api@example.com \
    -d "password"=sylius-api

Tip

In a developer environment there is a default API user and client data. To use this credentials you have to load data fixtures. Otherwise you have to use your user data and replace client id and client secret with data generated in a previous step.

Example Response

{
    "access_token": "NzFiYTM4ZTEwMjcwZTcyZWIzZTA0NmY3NjE3MTIyMjM1Y2NlMmNlNWEyMTAzY2UzYmY0YWIxYmUzNTkyMDcyNQ",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": null,
    "refresh_token": "MDk2ZmIwODBkYmE3YjNjZWQ4ZTk2NTk2N2JmNjkyZDQ4NzA3YzhiZDQzMjJjODI5MmQ4ZmYxZjlkZmU1ZDNkMQ"
}

Request for resource

Put access token in the request header:

Authorization: Bearer NzFiYTM4ZTEwMjcwZTcyZWIzZTA0NmY3NjE3MTIyMjM1Y2NlMmNlNWEyMTAzY2UzYmY0YWIxYmUzNTkyMDcyNQ

You can now access any resource you want under /api prefix.

Example

curl http://sylius.dev/api/v1/users/
    -H "Authorization: Bearer NzFiYTM4ZTEwMjcwZTcyZWIzZTA0NmY3NjE3MTIyMjM1Y2NlMmNlNWEyMTAzY2UzYmY0YWIxYmUzNTkyMDcyNQ"

Note

You have to refresh your token after it expires.

Refresh Token

Send request with the following parameters

Definition

GET /api/oauth/v2/token
Parameter Parameter type Description
client_id query Public client id
client_secret query Client secret
grant_type query We will use ‘refresh_token’ to authorize as user
refresh_token query Refresh token generated during authorization

Example

curl http://sylius.dev/api/oauth/v2/token \
    -d "client_id"=demo_client \
    -d "client_secret"=secret_demo_client \
    -d "grant_type"=refresh_token \
    -d "refresh_token"=MDk2ZmIwODBkYmE3YjNjZWQ4ZTk2NTk2N2JmNjkyZDQ4NzA3YzhiZDQzMjJjODI5MmQ4ZmYxZjlkZmU1ZDNkMQ

Example Response

You can now use new token to send requests

{
    "access_token": "MWExMWM0NzE1NmUyZDgyZDJiMjEzMmFlMjQ4MzgwMmE4ZTkxYzM0YjdlN2U2YzliNDIyMTk1ZDhlNDYxYWE4Ng",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": null,
    "refresh_token": "MWI4NzVkNThjZDc2Y2M1N2JiNzBmOTQ0MDFmY2U0YzVjYzllMDE1OTU5OWFiMzJiZTY5NGU4NzYyODU1N2ZjYQ"
}

Default values in dev environment

In a developer environment there are default client id, client secret and default access token provided to allow you to test our API just out-of-the-box. In order to access them, please use the following values:

Parameter Value
client_id demo_client
client_secret secret_demo_client
grant_type password
access_token SampleToken

These values will be used later on to make it easier for you to check, how our API works.