Setup OAuth/Access Token Authentication in Drupal

This Drupal API Authentication method uses the OAuth 2.0 protocol to generate a secure access token. This token is then used to authenticate requests to your Drupal site’s APIs. With strong encryption, the OAuth method ensures that your APIs remain well-protected and safe from unauthorized access. It is widely regarded as one of the most secure methods for safeguarding Drupal REST and JSON:API endpoints. This module is fully compatible with Drupal 8, 9, 10, and 11.

  • Download the module:
    composer require 'drupal/rest_api_authentication'
  • Navigate to the Extend menu on your Drupal admin console and search for REST & JSON API Authentication using the search box.
  • Enable the module by checking the checkbox and clicking the Install button.
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings
  • Install the module:
    drush en rest_api_authentication
  • Clear the cache:
    drush cr
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings

Note: Manual installation is only compatible with Drupal 7, Drupal 8, and Drupal 9.


  • Navigate to the Extend menu on your Drupal admin console and click on Install new module.
  • Install the Drupal miniOrange API Authentication module either by downloading the zip or from the URL of the package (tar/zip).
  • Click on Enable newly added modules.
  • Enable this module by checking the checkbox and clicking the Install button.
  • You can configure the module at:
    {BaseURL}/admin/config/people/rest_api_authentication/auth_settings
  • REST UI: This module provides a user-friendly interface to configure the REST module.
  • Enable the following Web Services modules from the Extend section (/admin/modules) of your Drupal site:
    • JSON:API
    • REST UI
    • RESTful Web Services
    • Serialization
Drupal API Authentication install the modules

  • The first step is to enable the API and assign the methods and operations allowed for that API. This can be done using the REST UI module, or by directly modifying the Drupal config.
  • Click on the Enable API button.
  • To enable the API using the REST UI module, click the Configure button (as shown below).
Drupal API Authentication REST UI Configure

  • In our example, we need to enable the /entity/user API. To do this, click the Enable option in front of it.
Drupal API Authentication user resources

  • Since our goal is to create a user in Drupal, select the following configurations:
    • Method: POST
    • Format: JSON
    • Authentication Provider: rest_api_authentication
  • This allows the miniOrange API Authentication module to authenticate the API. Click the Save Configuration button to continue.
Drupal API Authentication Resource Settings

  • In this step, we will configure OAuth/Access Token as the API authentication method. To do this, go to the API Authentication tab of the module (/admin/config/people/rest_api_authentication/auth_settings).
    • Under Basic Configuration, enable the Enable Authentication toggle.
    • Enter the Application Name and select OAuth/Access Token from the Authentication Method section.
Drupal API Authentication select OAuth Access Token Authentication method

  • Scroll down to the OAuth Configuration section on the same tab.
    • Optional: Enter the desired expiry duration (in minutes) under Token Expiry Time.
    • Use Access Token Generated By:
      • Rest API Authentication: Click the Generate a new Client ID and Secret button. (Keep the Client ID and Secret handy. You’ll need them later to authenticate the create user API.)
      • OAuth Server: You can also get an access token from the OAuth Server module (after performing SSO) and use it for authentication.
    • Click the Save Configuration button.
Drupal API Authentication generate new client id secret

  • You have successfully configured the OAuth/Access Token Authentication method.
    Note: Use the application-specific unique header when authenticating the API.

Drupal API Authentication OAuth Access Token Authentication method configured successfully

  • If needed, you can allow non-admin Drupal roles to create users. To do this, assign the Administer users permission to the desired roles from the Permissions page (/admin/people/permissions) of your Drupal site.
Drupal API Authentication API Authentication method configured successfully

  • Make an API call to get an access token. You’ll then use this token to authenticate the Drupal API and create a user.
  • The miniOrange API Authentication module supports two grant types for obtaining an access token:
    • In the Password grant, we can obtain the access token by making a POST request containing the user’s Drupal username and password along with the Client ID issued by the REST API Authentication module.

    HTTP Request Format:

    Request: POST <your_drupal_base_url>/rest_api/access_token

    Body:

            grant_type = password
            username   = <drupal_username>
            password   = <drupal_password>
            client_id  = <client_id>

    Request in CURL Format:

    curl --location --request POST '<your_drupal_base_url>/rest_api/access_token' \
            --header 'Accept: application/json' \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'grant_type=password' \
            --data-urlencode 'client_id=<drupal_client_id>' \
            --data-urlencode 'username=<drupal_username>' \
            --data-urlencode 'password=<drupal_password>'
    
    • You can also refer to the Postman request image below.
    Drupal API Authentication Postman request

    • In the Client Credentials grant, we can obtain the access token by making a POST request containing the Client ID and Client Secret issued by the API Authentication module along with the user’s Drupal username.

    HTTP Request Format:

    Request: POST <your_drupal_base_url>/rest_api/access_token

    Body:

            grant_type    = client_credentials
            client_id     = <client_id>
            client_secret = <client_secret>
            username      = <drupal_username>

    CURL Request Format:

    curl --location --request POST '<your_drupal_base_url>/rest_api/access_token' \
            --header 'Accept: application/json' \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'grant_type=client_credentials' \
            --data-urlencode 'client_id=<Client_ID>' \
            --data-urlencode 'username=<drupal_username>' \
            --data-urlencode 'client_secret=<Client_secret>'
    
    Drupal API Authentication Postman request credential grant

    • A successful response returns the access token along with the token expiry and token type (please refer to the image below).
    Drupal API Authentication Access token created successfully

    • Now, let’s create a user with an API call using OAuth/Access Token for authentication.
    • For better understanding, let’s take an example of adding OAuth/Access Token-based authentication to the create user API in Drupal.
      Note: The /entity/user API in Drupal is used to create a new user.


    • Using the received Access Token to authorize the Drupal REST APIs:
      Note: Any access token, whether generated by the API Authentication module or the OAuth Server module, can be used.


    • To authenticate with an access token, add the token as a Bearer token in the Authorization header of your request.
    • Sample request to create user using token based authentication:
    • HTTP Request Format:

      Request: POST <your_drupal_base_url>/entity/user?_format=json

      Header:
              AUTH-METHOD: application_id
              Accept: application/json
              Content-Type: application/json
              Authorization: Bearer <received_access_token>

      Body:

              {
                  "name": {
                      "value": "<username>"
                  },
                  "mail": {
                      "value": "<email>"
                  },
                  "pass": {
                      "value": "<password>"
                  },
                  "status": {
                      "value": "1"
                  }
              }

      CURL Request Format:

      curl --location --request POST '<your_drupal_base_url>/entity/user?_format=json' \
              --header 'AUTH-METHOD: application_id' \
              --header 'Accept: application/json' \
              --header 'Content-Type: application/json' \
              --header 'Authorization: Bearer <received_access_token>' \
              --data-raw '{
                  "name": [
                      { "value": "Username" }
                  ],
                  "mail": [
                      { "value": "email" }
                  ],
                  "pass": [
                      { "value": "Password" }
                  ],
                  "status": [
                      { "value": "1" }
                  ]
              }'
      
    • You can also refer to the Postman request images shown below.
    Drupal API Authentication Postman request

    Drupal API Authentication Postman body request

    • A successful response will return the details of the user you created (see the image below).
    Drupal API Authentication Postman Response created user
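
The token request and the create-user call above, combined into one client that caches the token until shortly before expiry and refuses to send credentials over plain HTTP. This is an added example, not part of the original guide or the module's code. Assumptions: `DrupalTokenClient` and its parameters are hypothetical names, and the response fields `access_token`, `token_type` and `expires_in` (seconds) follow RFC 6749, since the page shows the response only as an image.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/rest_api/access_token"    # token endpoint from this page
USER_PATH = "/entity/user?_format=json"  # create-user endpoint from this page

class DrupalTokenClient:  # hypothetical name, not part of the module
    def __init__(self, base_url, client_id, client_secret, username,
                 app_header=("AUTH-METHOD", "application_id"), opener=None):
        host = urllib.parse.urlsplit(base_url).hostname
        # Secrets travel in the POST body: refuse plain HTTP except loopback.
        if not base_url.startswith("https://") and host not in ("127.0.0.1", "localhost"):
            raise ValueError("base_url must use https")
        self.base = base_url.rstrip("/")
        # The client secret plus a username yields a token for that user,
        # so store the secret like a password.
        self._form = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "username": username}
        self.app_header = app_header  # application-specific header; sample value
        self._open = opener or urllib.request.urlopen
        self._token, self._expires_at = None, 0.0

    def _post(self, path, body, headers):
        req = urllib.request.Request(self.base + path, data=body, method="POST",
                                     headers={"Accept": "application/json", **headers})
        with self._open(req, timeout=10) as resp:
            return json.loads(resp.read())

    def token(self):
        """Return the cached token, refreshing 30 s before it expires."""
        if self._token is None or time.time() >= self._expires_at - 30:
            reply = self._post(TOKEN_PATH, urllib.parse.urlencode(self._form).encode(),
                               {"Content-Type": "application/x-www-form-urlencoded"})
            # Assumed RFC 6749 field names; the page shows the response as an image.
            if str(reply.get("token_type", "")).lower() != "bearer" or not reply.get("access_token"):
                raise RuntimeError("unexpected token response")
            self._token = reply["access_token"]
            self._expires_at = time.time() + float(reply.get("expires_in", 0))
        return self._token

    def create_user(self, name, mail, password):
        payload = {"name": [{"value": name}], "mail": [{"value": mail}],
                   "pass": [{"value": password}], "status": [{"value": "1"}]}
        headers = {"Content-Type": "application/json", self.app_header[0]: self.app_header[1],
                   "Authorization": "Bearer " + self.token()}
        return self._post(USER_PATH, json.dumps(payload).encode(), headers)
```

The `opener` argument exists so the client can be exercised against a stub; in normal use it is left unset and `urllib.request.urlopen` is called.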

Congratulations! You have successfully set up the OAuth/Access Token Authentication method using the Drupal API Authentication module.

If the configuration was not successful, please contact us at drupalsupport@xecurify.com. Kindly include a screenshot of the error window, and we will assist you in resolving the issue and guide you through the setup.
