Symfony Rest Api + OAuth2

Updated 16 December 2021


In this article we continue our journey of API development by looking at the use of OAuth2 as the authorization protocol.

Our previous API development articles are:

  1. Soap VS Rest
  2. Rest Api

Understanding OAuth2:

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service on behalf of a resource owner.

Here are a few links that I found useful:


OAuth2 with Symfony:

Symfony offers FOSOAuthServerBundle, which can be used for server-side implementation of OAuth2.

Instructions can be found here.

The authorize and token routes, imported into routing.yml from “@FOSOAuthServerBundle/Resources/config/routing/authorize.xml” and “@FOSOAuthServerBundle/Resources/config/routing/token.xml”, are used for access token generation.

An OAuth server has three endpoints. Each endpoint performs a distinct function in the OAuth process.

Authorize Endpoint – The user is redirected here by the client to authorize the request.
Token Endpoint – The client makes a request to this endpoint to obtain an access token. This is the token URL defined in routing.yml.
Resource Endpoint(s) – The client presents a valid access token when requesting a resource on this endpoint, such as users.json.

Grants in OAuth2:

OAuth2 provides several different grant types. These grant types let you expose multiple ways for a client to obtain an access token.

1. The Authorization Code:

The authorization code grant type is used when the client wants to request access to protected resources on behalf of another user (i.e. a third party). Read more about the authorization code grant.
Example Request
Authorization codes are retrieved through the Authorize controller. The client sends the user to the OAuth server's authorize URL.

Step 1: First of all, redirect the user to the authorize URL:

A successful request sends the user back to the supplied redirect_uri with the authorization code passed to the client as a query parameter of that URL.

Step 2: The authorization code is then exchanged for a token at the token URL:

A successful token request returns a standard access token in JSON format:

2. Password (Resource Owner Grant)

The resource owner's username and password are provided in the request, and a token is issued after successful authentication.

Successful authentication results in an access token:

3. The Client Credentials Grant

The client uses its own credentials to retrieve an access token directly, in order to access resources that are under the client's control.

Note: An access token generated by the client credentials grant can only be used for reading resources, since such a token is not bound to an authenticated user.

4. Refresh Token Grant

Access tokens have a limited lifespan, so when an access token expires we use the refresh token to obtain a new access token.

Result on a successful request:

Request to a resource endpoint:

If you request a protected resource endpoint inside the secured api firewall (fos_oauth: true) without an access token, the result is:

To request a secured resource, add the Authorization header to the request:
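The following is an added example, not code from the original article or from the FOSOAuthServerBundle project: a small PHP 8 client that performs each of the four grant types described above against the bundle's token endpoint and then calls a protected resource with the Bearer header. The /oauth/v2/auth and /oauth/v2/token paths are assumed to be the ones registered by the routing files imported into routing.yml; the base URL, client id, client secret and redirect URI are placeholders to be replaced with the values registered on your OAuth server. The state parameter in the authorize URL is not mentioned in the article; it is added here because a client should verify that the redirect it receives belongs to a flow it started.

```php
<?php
// Added example, not from the original article: a PHP 8 client for the grant
// types above. Endpoint paths are assumed to be the bundle's /oauth/v2/auth and
// /oauth/v2/token routes; base URL, client id/secret and redirect URI are
// placeholders for the values registered on your own OAuth server.
declare(strict_types=1);

final class OAuth2Client
{
    public function __construct(
        private string $baseUrl,      // e.g. 'https://api.example.test' (placeholder)
        private string $clientId,     // client id issued by the OAuth server
        private string $clientSecret, // client secret issued by the OAuth server
        private string $redirectUri,  // must match the redirect URI registered for the client
    ) {}

    // Authorization code grant, step 1: the URL the user is redirected to.
    // $state is a random value the caller keeps in the session and compares on
    // return, so a redirect the user did not initiate is not accepted.
    public function authorizeUrl(string $state): string
    {
        return $this->baseUrl . '/oauth/v2/auth?' . http_build_query([
            'client_id'     => $this->clientId,
            'redirect_uri'  => $this->redirectUri,
            'response_type' => 'code',
            'state'         => $state,
        ]);
    }

    // Authorization code grant, step 2: exchange the code for an access token.
    public function exchangeCode(string $code): array
    {
        return $this->token([
            'grant_type'   => 'authorization_code',
            'code'         => $code,
            'redirect_uri' => $this->redirectUri,
        ]);
    }

    // Password (resource owner) grant.
    public function passwordGrant(string $username, string $password): array
    {
        return $this->token([
            'grant_type' => 'password',
            'username'   => $username,
            'password'   => $password,
        ]);
    }

    // Client credentials grant: the token is bound to the client, not to a user.
    public function clientCredentials(): array
    {
        return $this->token(['grant_type' => 'client_credentials']);
    }

    // Refresh token grant: obtain a new access token once the old one expires.
    public function refresh(string $refreshToken): array
    {
        return $this->token([
            'grant_type'    => 'refresh_token',
            'refresh_token' => $refreshToken,
        ]);
    }

    // Request a protected resource, sending the access token as a Bearer header.
    public function get(string $path, string $accessToken): array
    {
        return $this->request('GET', $this->baseUrl . $path, null,
            ['Authorization: Bearer ' . $accessToken]);
    }

    // POST to the token endpoint; the client id/secret are added to every grant.
    private function token(array $params): array
    {
        $params += ['client_id' => $this->clientId, 'client_secret' => $this->clientSecret];
        $resp = $this->request('POST', $this->baseUrl . '/oauth/v2/token',
            http_build_query($params), []);
        if (!isset($resp['access_token'])) {
            throw new RuntimeException('Token request failed: ' . json_encode($resp));
        }
        return $resp;
    }

    private function request(string $method, string $url, ?string $body, array $headers): array
    {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_CUSTOMREQUEST  => $method,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_SSL_VERIFYPEER => true, // keep on: the bearer token is only protected by TLS
        ]);
        if ($body !== null) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $body); // form-encoded body
        }
        $raw = curl_exec($ch);
        if ($raw === false) {
            throw new RuntimeException('HTTP request failed: ' . curl_error($ch));
        }
        return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    }
}
```

A typical sequence with this class is `authorizeUrl($state)` to send the user away, `exchangeCode($code)` when they come back with a matching state, then `get('/api/users.json', $token['access_token'])`, and `refresh($token['refresh_token'])` when the access token expires. The token helper treats any response without an access_token as a failure rather than silently passing an error body on to the caller.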


Returning data from the Symfony controller:

In the corresponding controller, send the resource.json data back as follows:

  1. Return a suitable status code along with the response.
  2. Instead of relying on HTTP status codes as integers in your code, use the constants from the Response class.
  3. If you are returning JSON, use the JsonResponse class instead of the Response class.
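As an added example, not taken from the original article or from the bundle, here is a controller that follows the three points above for resources behind the api firewall with fos_oauth: true. The firewall already answers a request without an access token before the controller runs, so the controller only deals with authorized callers. The route paths, the sample user data and the UserApiController name are constructed for illustration; PHP 8 attributes and Symfony 5.2 or later are assumed. The check in create() rests on one further assumption, noted in the code: that a token issued by the client credentials grant is not tied to a user, so getUser() returns null for it, which is how the note under the client credentials grant can be enforced for write operations.

```php
<?php
// Added example, not from the original article: a controller for resources
// behind the "api" firewall (fos_oauth: true). Route paths and the sample
// user data are constructed for illustration; PHP 8 attributes are assumed.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class UserApiController extends AbstractController
{
    // Constructed sample data standing in for a repository lookup.
    private const USERS = [
        1 => ['id' => 1, 'name' => 'alice'],
        2 => ['id' => 2, 'name' => 'bob'],
    ];

    // GET /api/users.json: any valid access token may read.
    #[Route('/api/users.json', methods: ['GET'])]
    public function list(): JsonResponse
    {
        return new JsonResponse(['users' => array_values(self::USERS)], Response::HTTP_OK);
    }

    // GET /api/users/{id}.json: a JSON 404 body instead of an HTML error page.
    #[Route('/api/users/{id}.json', requirements: ['id' => '\d+'], methods: ['GET'])]
    public function show(int $id): JsonResponse
    {
        if (!isset(self::USERS[$id])) {
            return new JsonResponse(['error' => 'user not found'], Response::HTTP_NOT_FOUND);
        }
        return new JsonResponse(self::USERS[$id], Response::HTTP_OK);
    }

    // POST /api/users.json: a write, so require a token that belongs to a user.
    #[Route('/api/users.json', methods: ['POST'])]
    public function create(Request $request): JsonResponse
    {
        // Assumption: a token issued by the client credentials grant is not
        // tied to a user, so getUser() returns null for it; refuse writes then.
        if ($this->getUser() === null) {
            return new JsonResponse(['error' => 'a user-bound token is required for writes'],
                Response::HTTP_FORBIDDEN);
        }
        $data = json_decode($request->getContent(), true);
        if (!is_array($data) || !isset($data['name']) || !is_string($data['name'])) {
            return new JsonResponse(['error' => '"name" is required'], Response::HTTP_BAD_REQUEST);
        }
        // Persistence is out of scope here; return the created representation.
        return new JsonResponse(['id' => 3, 'name' => $data['name']], Response::HTTP_CREATED);
    }
}
```

Every branch returns a JsonResponse with a named Response constant, so a client can rely on the status code and always receives JSON, including on the error paths. If your Symfony version predates PHP 8 attributes, the same routes can be declared with @Route annotations instead.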



Now you have the platform for developing an API, so go on and develop.

Since the API is platform-independent, it can be used by any suitable API client.

Category(s) API UVdesk