API Authentication with JSON:API in Drupal

Some interactions (like CRUD operations) require prior authorization. By using the contributed Simple OAuth module, Drupal can securely authenticate and authorize API requests in a decoupled Drupal environment.

This course covers the installation and configuration of the Simple OAuth module, obtaining and using OAuth 2 tokens, and making authenticated requests to create, update, and delete entities. Additionally, learners will explore handling cross-origin resource sharing (CORS) to ensure secure and efficient communication between the client and server. By the end of the course, you will be equipped to implement robust authentication mechanisms for your Drupal APIs.

Key topics

  • Learn how to install and set up the Simple OAuth module to enable OAuth authentication in Drupal
  • Obtaining OAuth tokens via the API
  • Using OAuth tokens to authenticate API requests for creating, updating, and deleting entities
  • Principles of API authentication and authorization, focusing on securing API endpoints
  • Configure CORS to allow secure cross-origin requests from the browser to the Drupal backend
  • Best practices for handling errors and securing your API endpoints to prevent unauthorized access
Tutorials in this course
More information

In a monolithic architecture (non-decoupled) there is an implicit proof that the user in the front-end is the same one in the back-end. This empowers the front-end to offload all the authentication and authorization to the back-end, typically using a session cookie. In a decoupled architecture there will be multiple consumers, and some of them will not support using cookies. There are several alternatives to session cookies to authenticate our requests in a decoupled project.

In this tutorial we will:

  • Learn about authorization versus authentication
  • The impact on a decoupled project of having logged in users
  • Learn about the available options for authentication when using a Drupal back-end.

By the end of this tutorial you should be able to explain the difference between authentication and authorization and know how to get started implementing both in a Drupal-backed web services API.

More information

The Simple OAuth module can be used to configure Drupal as an OAuth 2 authentication provider. Doing so will allow third-party applications to authenticate users using any of the OAuth flows, and validate their roles and permissions.

If you're creating applications that access Drupal's data and need to act like a logged-in user you'll want to use OAuth for authentication. There are 2 steps to accomplishing this: first, you'll need to set up Drupal to act as an authentication provider (this tutorial). Second, you'll need to make the appropriate HTTP requests to obtain an access token, which is covered in the next tutorial, Make an Authenticated Request Using OAuth 2.

In this tutorial we will:

  • Learn how to install the Simple OAuth Drupal module
  • Configure the Simple OAuth module so we can generate tokens that can authenticate users in Drupal
  • Demonstrate what the responses generated by the Simple OAuth module look like

By the end of this tutorial you should know how to install and configure the Simple OAuth module.

More information

In order to authenticate a request against the API server, we need to send an authentication token along with the request. For that we need to first obtain the token from the server. The various ways we can get a token from the server are called grants. Using one of them, we will obtain an access token and a refresh token.

In this tutorial we will:

  • Learn how OAuth 2 grants work
  • Learn how to generate and request authentication tokens
  • Learn how to generate and request refresh tokens

By the end of this tutorial you should be able to exchange a user name and password for OAuth 2 authentication and refresh tokens so that your API client can make authenticated requests.

More information

In the previous tutorials, we learned to install and configure the Simple OAuth module. We also learned how to generate authentication tokens using different grants. In this tutorial, we will learn how to use a token to authenticate a request for a given Drupal user, and:

  • Check if a particular route supports a specific type of authentication, oauth2 in particular
  • Send an authentication token, like the ones we acquired in the previous tutorial in order to prove to Drupal that the request is made by a specific user

By the end of this tutorial you should be able to make authenticated requests, as a specific user, to your API.

More information

JavaScript applications are the most common type of consumers. They are commonly used to create a website that runs in a web browser. Running decoupled applications in the browser will involve Cross-Origin Resource Sharing (CORS), which requires some setup on the Drupal side in order to work.

In this tutorial we'll:

  • Learn about what CORS is and when/why we need to care about it
  • Configure Drupal to return an appropriate CORS header, enabling browser-based consumers access to our API

By the end of this tutorial you will have a better understanding of CORS, and how to configure Drupal to serve an API that works with CORS.

More information

Often, web services require the user to create content. Votes on content, ratings, comments, and user-submitted stories are good examples of this. The JSON:API module supports the creation of entities by sending data in POST requests.

In this tutorial we will:

  • Add an appropriate set of HTTP headers to a request that generates a new entity
  • Construct a JSON object for the entity we want to create
  • Issue a POST request that creates a new article node in Drupal

By the end of this tutorial you should be able to create a POST request that creates a new entity of any type via the JSON:API.

More information

Whenever we need our consumer application to change the contents of an entity we will need to issue a PATCH request. The JSON:API module will process that request and update the entity with the provided values.

In this tutorial, we'll:

  • Define the appropriate HTTP headers for a PATCH request
  • Construct the JSON object used to update an entity
  • Issue a PATCH request that will update an entity in our Drupal backend

By the end of this tutorial, you should know how to update content via the JSON:API.

More information

Occasionally we need to remove entities from the backend using the API. REST APIs, and in particular JSON:API, use the HTTP DELETE method to accomplish this.

In this tutorial we'll create a request for deleting a single entity. By the end of this tutorial you should be able to issue requests that can delete any entity via JSON:API.

This course appears in the following guides:
Module Development
Use web services modules like JSON:API to build an API for your decoupled Drupal site.

Decoupled Headless Drupal