
adriano-pinaffo/php_rest_api_with_okta


PHP REST API with Okta authentication

Purpose

This project implements a CRUD system exposed through a REST API, written in PHP without a framework. It is based on the Okta article Build a Simple REST API in PHP. An Okta account is required for the authentication portion.

Architecture

It consists of a database and a server-side PHP application that provides REST API functionality to clients written in PHP, Bash, Python, Node, HTML/JavaScript (through a proxy written in PHP) and HTML/JavaScript with OAuth2 / OpenID Connect.
Authentication uses bearer tokens issued by Okta. For a version of the REST API without authentication, please refer to this project.
The system simulates registering persons in a database.

The following diagram shows all the clients on top, the server-side on the bottom part and Okta authentication above the clients.

[Image: REST API architecture diagram]

Authentication

The front controller authenticates clients in the authenticate function. It parses the client's Authorization request header and extracts the bearer token. The token is a JSON Web Token (JWT) whose payload carries the client ID; that client ID is also saved because it is needed to verify the token. The reason is that this REST API server may authenticate different types of clients, including "machine-to-machine" and "Single Page Application (SPA)" clients, which have distinct client IDs.

The authenticate function then uses Okta's JwtVerifier object to verify the token. Once the token is verified, the front controller processes the request. If verification fails, the client receives a 401 Unauthorized HTTP response.
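The authentication step described above, written out as an added example rather than the repository's own index.php; it assumes the okta/jwt-verifier Composer package's JwtVerifierBuilder API, Okta's `cid` access-token claim for the client ID, and OKTA_ISSUER, OKTA_AUDIENCE and OKTA_CLIENT_IDS (a comma-separated allowlist of the machine-to-machine and SPA client IDs) loaded from the .env file.

```php
<?php
// Added example (not the repository's index.php). Assumes okta/jwt-verifier via
// Composer and OKTA_ISSUER, OKTA_AUDIENCE, OKTA_CLIENT_IDS (comma-separated) in .env.
require __DIR__ . '/../vendor/autoload.php';
use Okta\JwtVerifier\JwtVerifierBuilder;

// Every failure path ends the request with 401, as the front controller does.
function reject(string $reason): void
{
    header('HTTP/1.1 401 Unauthorized');
    exit($reason);
}

function base64UrlDecode(string $data): string
{
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad), true) ?: '';
}

// Reads Okta's "cid" claim from the payload WITHOUT trusting it yet: it only
// selects which registered client ID the signature is then verified against.
function clientIdFromToken(string $jwt): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    $payload = json_decode(base64UrlDecode($parts[1]), true);
    return is_array($payload) && isset($payload['cid']) ? (string) $payload['cid'] : null;
}

// Returns the verified token object on success.
function authenticate(string $authorizationHeader)
{
    if (!preg_match('/^Bearer\s+([A-Za-z0-9\-_.]+)$/', $authorizationHeader, $m)) {
        reject('missing or malformed bearer token');
    }
    $clientId = clientIdFromToken($m[1]);
    $allowed = array_map('trim', explode(',', getenv('OKTA_CLIENT_IDS') ?: ''));
    if ($clientId === null || !in_array($clientId, $allowed, true)) {
        reject('unknown client');
    }
    try {
        return (new JwtVerifierBuilder())
            ->setIssuer(getenv('OKTA_ISSUER'))
            ->setAudience(getenv('OKTA_AUDIENCE'))
            ->setClientId($clientId)
            ->build()
            ->verify($m[1]); // checks signature, issuer, audience and expiry
    } catch (\Throwable $e) {
        reject('token verification failed');
    }
}
$verifiedJwt = authenticate($_SERVER['HTTP_AUTHORIZATION'] ?? '');
```

The unverified `cid` read is only used to pick the allowlisted client ID handed to the verifier; nothing from the payload is trusted until verify() has checked the signature against Okta's keys.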

Components

The server is composed of four parts:
  • FrontController: implemented in the index.php, it validates and authenticates the request. Then, the FrontController processes it by calling the PersonController's processRequest method.
  • DatabaseConnector: implemented in DatabaseConnector.php and called by bootstrap.php, which will be imported (required) by index.php, it opens the connection to the database. The database parameters are located in the .env local file, and are loaded by phpdotenv.
  • PersonController: implemented in PersonController.php, it instantiates the PersonGateway to handle the database operations. It also checks the HTTP method and validates/sanitizes the input data. Depending on the HTTP method, a different PersonGateway method is invoked.
  • PersonGateway: implemented in PersonGateway.php, it is the "model" that handles database activities. It implements the methods with PDO prepare to protect the database from SQL injection.

How to use it

  • Be sure to have PHP installed.
  • Clone this repository, enter the root folder and run php -S 127.0.0.1:8000 -t public (it can also be run with any web server, or in the background by forking with & or nohup).
  • If using the test with proxy (check the client section to verify which client needs it), the proxy code must be run with php -S 127.0.0.1:8001 src/Proxy/proxy.php.

Clients

Six types of clients are available to act as API clients. Please go to the client section for examples and instructions on how to use them.

About

Rest API in PHP with OKTA authentication
