I am developing a mobile app that needs to authenticate users with a Joomla 4 site. I want to use the official Joomla REST API to do this, but I couldn't find any information about how to authenticate a user and get an API token with the official Joomla REST API. Can anyone provide some guidance on how to do this? I know the API token can be generated in the user profile, but that is not relevant to my question. The API does not have a login function.
3 Answers
I'm exactly in the same situation. Mobile app users need to log in with their Joomla credentials. Seems like an obvious feature for a REST API. We used the cAPI plugin which offered this for Joomla 3.x but not Joomla 4.
Could you find a solution?
See the Joomla manual, in particular the "Using the PHP cURL Functions" part (because you probably run it outside the Joomla framework): https://manual.joomla.org/docs/general-concepts/webservices#using-the-php-curl-functions
An interesting article about using the Web Services API: https://magazine.joomla.org/all-issues/march-2023/playing-with-the-joomla-api-part-1
- To use the API (for example, in mobile apps), the user must register first; after that, the login function must return the API token. But apparently, this is not possible. (Hesam Mohseni, 2023-11-20 06:00:29 +00:00)
- That's correct. At this moment, the token functionality for access is limited to Super User accounts. (2023-11-20 09:23:40 +00:00)
Updated Approach (Joomla Web Login Handoff):
A more secure and robust method for authenticating mobile app users with Joomla's API, which avoids direct API exposure of credentials for token generation, is to use a "Joomla Web Login Handoff":
- Initiate Web Login: The mobile application opens an in-app browser to your standard Joomla website login page.
- User Authenticates via Web: The user logs in using Joomla's normal web login form. This ensures that all standard Joomla web security measures (MFA, login attempt limits, etc.) are applied.
- Redirect to a Custom Handoff Page/Component: After a successful web login, Joomla redirects the user (still within the in-app browser) to a dedicated, simple Joomla component or page (e.g., `com_customauth` that you create).
- Token Retrieval & Handoff: This server-side handoff component, now operating within the user's authenticated Joomla web session:
  - Verifies the authenticated user.
  - Retrieves or ensures an API token exists for this user (interacting with `#__user_profiles` in a way compatible with Joomla's core `plg_user_token`).
  - Constructs a redirect URI (preferably a Universal Link/App Link) containing this API token (e.g., in the URL fragment like `yourappscheme://auth#token=THE_API_TOKEN`).
- Redirect to App with Token: The in-app browser is redirected to this URI, passing control and the token back to your mobile application.
- App Stores and Uses Token: The mobile app securely stores this token and uses it in the `Authorization: Bearer <TOKEN>` or `X-Joomla-Token: <TOKEN>` header for subsequent API calls to your Joomla webservices. These tokens are then validated by Joomla's core "API Authentication - Web Services Joomla Token" plugin.
This method leverages the security of Joomla's existing web authentication flow and avoids the need for a "helper user" or exposing login credentials directly to an API endpoint for token generation.
Regarding public GET / POST routes for login/registration: While you can make specific API routes public (e.g., for user registration if your API supports it directly), the authentication of an existing user to obtain a token for general API access is best handled via the web login handoff described above to maintain security. Always ensure ACLs are correctly configured for any public API endpoints.
Always follow security best practices, such as those outlined by Nicholas Dionysopoulos regarding API development in Joomla: www.dionysopoulos.me/book/com-api-plugin.html
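The following is an added example, not code from the question, from any of the answers, or from the Joomla project. It shows the app side of the handoff flow described in this answer and the token-header call that the manual's cURL section (linked in the earlier answer) describes: the app receives the handoff redirect, accepts the token only when the redirect really targets the app's own URI and carries the token in the fragment, and then builds an authenticated request to the Joomla 4 web services API. The scheme `yourappscheme`, the host `auth` and the site `https://example.org` are placeholders taken from or constructed around the answer; the API base path `/api/index.php/v1/` is Joomla 4's default. Nothing is sent over the network, so it runs offline.

```python
"""Client side of the Joomla web-login handoff (added example, not the
answer's or Joomla's own code).

Assumptions: the handoff component redirects to the URI form given in the
answer, yourappscheme://auth#token=THE_API_TOKEN (placeholder scheme and
host), and the site exposes Joomla 4's default API base /api/index.php/v1/.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request

# Placeholder scheme/host taken from the answer's example redirect URI.
EXPECTED_SCHEME = "yourappscheme"
EXPECTED_HOST = "auth"


def extract_token(redirect_uri: str) -> str:
    """Return the API token carried in the fragment of the handoff redirect.

    The token is accepted only from the fragment (#token=...): browsers do
    not send the fragment to any server, so it does not land in web-server
    or proxy access logs on the hop back to the app. A redirect that targets
    another scheme/host, or that carries the token in the query string, is
    rejected rather than silently trusted.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != EXPECTED_SCHEME or parts.netloc != EXPECTED_HOST:
        raise ValueError("redirect does not target the app's handoff URI")
    if "token" in parse_qs(parts.query):
        raise ValueError("token must travel in the fragment, not the query")
    values = parse_qs(parts.fragment).get("token", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("redirect carries no single token")
    return values[0]


def try_extract_token(redirect_uri: str) -> Optional[str]:
    """Same as extract_token, but returns None instead of raising."""
    try:
        return extract_token(redirect_uri)
    except ValueError:
        return None


def api_request(site_url: str, path: str, token: str,
                use_bearer: bool = True) -> Request:
    """Build a GET request to the Joomla web services API carrying the token.

    The answer names both header forms accepted by Joomla's core token
    authentication plugin; exactly one is set here. X-Joomla-Token is the
    form to use on hosting stacks where the Authorization header never
    reaches PHP, so pick whichever survives your deployment.
    """
    url = site_url.rstrip("/") + "/api/index.php/v1/" + path.lstrip("/")
    headers = {}
    if use_bearer:
        headers["Authorization"] = "Bearer " + token
    else:
        headers["X-Joomla-Token"] = token
    return Request(url, headers=headers, method="GET")


def header_map(req: Request) -> dict:
    """Lower-cased header dict, since urllib normalises header-name case."""
    return {name.lower(): value for name, value in req.header_items()}


if __name__ == "__main__":
    # Constructed sample redirect, as the handoff component would issue it.
    sample = "yourappscheme://auth#token=c2FtcGxlLXRva2Vu"
    token = extract_token(sample)
    req = api_request("https://example.org", "users", token)
    print(req.full_url, header_map(req))
```

On a real device the token returned by `extract_token` belongs in the platform's secure storage (Keychain on iOS, Keystore-backed storage on Android), not in preferences or logs; the in-app browser should also be closed once the redirect has been consumed so the token-bearing URI does not stay in its history.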