
oauth2-server-bundle's Introduction

OAuth2 Server Bundle


OAuth2ServerBundle is a Symfony bundle integrating the oauth2-server library into Symfony applications.

Replacement of trikoder/oauth2-bundle made in coordination with trikoder and Symfony core team members in order to improve its maintenance, keep it in sync with Symfony developments and reduce the friction that vendor-overdiversification causes to end users.

Quick Start

  1. Require the bundle using Composer:

    composer require league/oauth2-server-bundle

Documentation

The docs can be found in the docs/ directory of this repository.

License

See the LICENSE file for copyrights and limitations (MIT).

oauth2-server-bundle's People

Contributors

ajgarlag, allypost, azjezz, carlos-ea, chalasr, develth, dkreuer, elchris, gschafra, heather817, hypemc, jr-k, kdckrs, mleczakm, mtarld, nattfarinn, nyholm, orkin, pistej, rjwebdev, robertme, robotjoosen, spideyfusion, tcheymol, theofidry, vincentlanglet, wmouwen, x-coder264, xterr, yoshz


oauth2-server-bundle's Issues

How is client credentials grant supposed to work without knowledge of who is logged in?

Currently using trikoder version of bundle, but this one seems to have the same issue.
When I log in using client credentials grant, then I'm logged in as NullUser with no knowledge of which Client I am.
Might be useful if Token/Passport contained at least client_id.

Argument 3 of service "league.oauth2_server.authenticator.oauth2" is abstract user provider

Just recently tried to make the move from trikoder over to these packages, have "successfully" gotten v0.1.2 working, but when I try to use v0.2.0 or v0.3.0 I get recipe issues and then when I try to run the application I get the error: "Argument 3 of service "league.oauth2_server.authenticator.oauth2" is abstract user provider".

This seems to be an issue with Symfony 5.3/5.4, and is definitely a blocker to getting Symfony 6 working!

Thanks

ETA first release?

Hello,
Oh my god, you did it!
Do you have an estimate of a release date (alpha, beta, stable?)
Thank you.

Doctrine relation mapping fail to validate

Result of running bin/console doctrine:schema:validate:

Mapping
-------

 [FAIL] The entity-class League\Bundle\OAuth2ServerBundle\Model\AccessToken mapping is invalid:
 * The target entity 'League\Bundle\OAuth2ServerBundle\Model\Client' specified on League\Bundle\OAuth2ServerBundle\Model\AccessToken#client is unknown or not an entity.


 [FAIL] The entity-class League\Bundle\OAuth2ServerBundle\Model\AuthorizationCode mapping is invalid:
 * The target entity 'League\Bundle\OAuth2ServerBundle\Model\Client' specified on League\Bundle\OAuth2ServerBundle\Model\AuthorizationCode#client is unknown or not an entity.


 [FAIL] The entity-class League\Bundle\OAuth2ServerBundle\Model\RefreshToken mapping is invalid:
 * The target entity 'League\Bundle\OAuth2ServerBundle\Model\AccessToken' specified on League\Bundle\OAuth2ServerBundle\Model\RefreshToken#accessToken is unknown or not an entity.


Database
--------

 [OK] The database schema is in sync with the mapping files.

I am using doctrine/orm:2.9.4

Cannot load metadata for class Model\Scope

Hi,
I've upgraded to php 8.1 and doctrine/doctrine-bundle:^2.5.
After that upgrade, I am getting following error:

RuntimeException: League\Bundle\OAuth2ServerBundle\Persistence\Mapping\Driver cannot load metadata for class League\Bundle\OAuth2ServerBundle\Model\Scope

Used oauth2-server-bundle version: 0.3.0

Does anyone have any advice?

Is there going to be a release any time soon?

It seems like there are many issues trying to move towards Symfony 5.4/6.0. Just wondering as this is an active blocker for doing the upgrades, I can only make v0.1.2 work, attempting to upgrade has been a fruitless effort.

Symfony 6.1 oauth2 option doesn't work

Hi, I'm using Symfony 6.1 and the firewall for oauth2 doesn't seem to be doing anything. For example, I have this setup in security.yaml:

firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_token:
            pattern: ^/api/token$
            security: false
        api:
            pattern: ^/rest
            security: true
            stateless: true
            oauth2: true # <--- doesn't seem to ask for auth
        main:
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path: /
            lazy: true
            switch_user: { role: CAN_SWITCH_USER }
            provider: app_user_provider
            login_throttling:
                max_attempts: 10
                interval: '10 minutes'
            custom_authenticator:
                - App\Security\LoginFormAuthenticator
            user_checker: App\Security\UserChecker
            logout:
                path: dashboard_logout
                target: dashboard_login

and then I have an API controller as follows:

<?php

namespace App\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

#[Route('/rest')]
class RestController extends AbstractController
{

    #[Route('', name: 'rest_index', defaults: ["oauth2_scopes"=>["EMAIL", "PREFERENCES"]])]
    public function index(): Response
    {
        return new JsonResponse(['data'=>['a', 'b', 'c']]);
    }

}

When making a request to this endpoint I can do this without passing a bearer token. And the docs say: "Basically, any firewall which sets the oauth2 parameter to true will make any routes that match the selected pattern go through our OAuth 2.0 security layer." (https://github.com/thephpleague/oauth2-server-bundle/blob/master/docs/basic-setup.md) Has this stopped working on Symfony 6.1?
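The behaviour described in this issue is consistent with how a Symfony firewall works regardless of version: `oauth2: true` registers the bundle's authenticator, which only acts when a request carries a `Bearer` token; a request with no `Authorization` header is left unauthenticated, and nothing denies it unless an `access_control` rule (or an `IsGranted` check) requires a role. The configuration below is an added example, not the poster's file or the bundle's documentation, written in the PHP config format used elsewhere on this page. It assumes an `app_user_provider` entity provider for `App\Entity\User`, the token endpoint at `/api/token`, and the poster's `^/rest` prefix; the "weak" variant is the same file with the `access_control` section removed.

```php
<?php
// config/packages/security.php (added example, not from the issue or the bundle docs)
// Assumptions: league/oauth2-server-bundle installed, App\Entity\User exists,
// token endpoint served at /api/token, protected API under /rest.

declare(strict_types=1);

use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $container): void {
    $container->extension('security', [
        'providers' => [
            'app_user_provider' => ['entity' => ['class' => 'App\Entity\User']],
        ],
        'firewalls' => [
            // The token endpoint must stay reachable without a bearer token:
            // this is where clients go to obtain one.
            'api_token' => [
                'pattern' => '^/api/token$',
                'security' => false,
            ],
            // Firewalls are matched in order. This one must come before any
            // catch-all firewall without a pattern (such as a 'main' login firewall).
            'api' => [
                'pattern' => '^/rest',
                'stateless' => true,
                'provider' => 'app_user_provider',
                // Enables the bundle's authenticator. On its own this only validates
                // a bearer token *when one is present*; a request without an
                // Authorization header stays unauthenticated and is NOT rejected here.
                'oauth2' => true,
            ],
        ],
        // Weak setup: delete this section and /rest is served to anyone.
        // Corrected setup: this rule is what turns "no valid token" into a 401.
        'access_control' => [
            // Put any deliberately public /rest routes above the catch-all, e.g.
            // ['path' => '^/rest/health$', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/rest', 'roles' => 'IS_AUTHENTICATED_FULLY'],
        ],
    ]);
};
```

To confirm the fix, request `/rest` without an `Authorization` header: the response should now be a 401 instead of the JSON payload, while the same request with a valid `Authorization: Bearer <token>` header still succeeds. The per-route `oauth2_scopes` default in the controller is only evaluated for requests that actually authenticated with a token, so it is not a substitute for the access rule.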

Roadmap for v1.0

Hello,

Do you know where I can find any roadmap for this bundle ?

Thanks

CONTRIBUTING.md documentation is outdated

If I follow the steps listed in CONTRIBUTING.md file, I get the following error when I execute dev/bin/php composer install:

Your requirements could not be resolved to an installable set of packages.
$ dev/bin/php composer install
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Loading composer repositories with package information
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Updating dependencies (including require-dev)
Restricting packages listed in "symfony/symfony" to "4.4.*"
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - The requested package symfony/framework-bundle ^5.3 exists as symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these are rejected by your constraint.
  Problem 2
    - The requested package symfony/security-bundle ^5.3 exists as symfony/security-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.23, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these are rejected by your constraint.
  Problem 3
    - The requested package symfony/browser-kit ^5.3 exists as symfony/browser-kit[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.22, v4.4.24, v4.4.25, v4.4.27, v4.4.3, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these are rejected by your constraint.
  Problem 4
    - doctrine/doctrine-bundle 2.4.3 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0|^6.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.4.2 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0|^6.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.4.1 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0|^6.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.4.0 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0|^6.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.3.2 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.3.1 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.3.0 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.2.4 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.2.3 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.2.2 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.2.1 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.2.0 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.1.2 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.1.1 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.1.0 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.9 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.8 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.7 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.6 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.5 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.4 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.3 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.2 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.10 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.1 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - doctrine/doctrine-bundle 2.0.0 requires symfony/framework-bundle ^3.4.30|^4.3.3|^5.0 -> satisfiable by symfony/framework-bundle[4.4.x-dev, v4.4.0, v4.4.0-BETA1, v4.4.0-BETA2, v4.4.0-RC1, v4.4.1, v4.4.10, v4.4.11, v4.4.12, v4.4.13, v4.4.14, v4.4.15, v4.4.16, v4.4.17, v4.4.18, v4.4.19, v4.4.2, v4.4.20, v4.4.21, v4.4.22, v4.4.24, v4.4.25, v4.4.26, v4.4.27, v4.4.3, v4.4.30, v4.4.31, v4.4.4, v4.4.5, v4.4.6, v4.4.7, v4.4.8, v4.4.9] but these conflict with your requirements or minimum-stability.
    - Installation request for doctrine/doctrine-bundle ^2.0 -> satisfiable by doctrine/doctrine-bundle[2.0.0, 2.0.1, 2.0.10, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3].

On the other hand, the development tools listed are a bit outdated:

  • COMPOSER_VERSION=1.9.3
  • FLEX_VERSION=1.6.2
  • PHP_CS_FIXER_VERSION=2.16.2
  • XDEBUG_VERSION=2.9.2

So my question is, do you think we must update the Dockerfile to use a more up-to-date environment, or drop the whole dev directory and rewrite the CONTRIBUTING.md file?

Unable to read key from file

PHP 8.1
Symfony 6.1

I got a strange error when trying to access /token api

Unable to read key from file /var/oauth/private.key

I have both the public and private key in /var/oauth, and yet it keeps prompting the unable to read key error.
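The key loader in the underlying league/oauth2-server library refuses a key file when it does not exist or is not readable by the PHP process, so the files being present on disk is not enough: the web server or PHP-FPM user must be able to read them, and the library also warns when a key's permissions are anything other than 600 or 660. The script below is an added diagnostic, not part of the bundle or the issue; it assumes the paths from the issue and is meant to be run as the same OS user that serves the application (for example `sudo -u www-data php preflight_keys.php`).

```php
<?php
// preflight_keys.php -- added diagnostic, not code from league/oauth2-server-bundle.
// Assumptions: paths as configured in league_oauth2_server.yaml; run as the PHP-FPM user.

declare(strict_types=1);

/**
 * Return a list of human-readable problems for one key file; an empty list means OK.
 * Checks the same things that make the library refuse a key: missing file,
 * unreadable by this process, overly permissive mode, and unparseable PEM.
 */
function checkKeyFile(string $path, bool $isPrivate, ?string $passphrase = null): array
{
    if (!is_file($path)) {
        return [sprintf('%s does not exist (cwd is %s; prefer an absolute path in config)', $path, getcwd())];
    }

    if (!is_readable($path)) {
        $ownerUid = fileowner($path);
        $owner = function_exists('posix_getpwuid')
            ? (posix_getpwuid($ownerUid)['name'] ?? (string) $ownerUid)
            : (string) $ownerUid;
        return [sprintf(
            '%s is not readable by uid %d (owner: %s, mode %o); fix ownership or mode, not by chmod 777',
            $path, getmyuid(), $owner, fileperms($path) & 0777
        )];
    }

    $problems = [];

    // A world-readable private key is a credential leak; keep it 600 (or 660 if the
    // web server runs under a shared group).
    $mode = fileperms($path) & 0777;
    if ($isPrivate && !in_array($mode, [0600, 0660], true)) {
        $problems[] = sprintf('%s has mode %o; tighten it (chmod 600 %s)', $path, $mode, $path);
    }

    $pem = (string) file_get_contents($path);
    $key = $isPrivate ? openssl_pkey_get_private($pem, $passphrase) : openssl_pkey_get_public($pem);
    if ($key === false) {
        $problems[] = sprintf(
            '%s is not a valid PEM %s key (or the passphrase is wrong): %s',
            $path, $isPrivate ? 'private' : 'public', openssl_error_string() ?: 'unknown OpenSSL error'
        );
    }

    return $problems;
}

// Paths reported in the issue; adjust to your league_oauth2_server configuration.
$keys = [
    '/var/oauth/private.key' => true,
    '/var/oauth/public.key'  => false,
];

$exitCode = 0;
foreach ($keys as $path => $isPrivate) {
    $problems = checkKeyFile($path, $isPrivate);
    printf("%s: %s\n", $path, $problems ? implode('; ', $problems) : 'OK');
    $exitCode |= $problems ? 1 : 0;
}
exit($exitCode);
```

A non-zero exit with an "is not readable by uid" line is the usual cause of this error: the keys were generated as one user (often root or the developer) and PHP runs as another. Change the owner or group of the key files rather than loosening the mode.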

Is this fork dead or not?

"Fork of trikoder/oauth2-bundle, for the better."

There are 4 tiny pull requests, if you are too busy let me know, I can handle that kind of repository as a maintainer. I don't wanna fork a fork...

Thanks.

Overriding the default endpoints path

It would be really helpful to be able to override/configure the default path for the endpoints, like going from:

app.oauth2:
    host: "%api_host%"
    resource: '@LeagueOAuth2ServerBundle/Resources/config/routes.php'
    type: php

to:

app.oauth2_token:
    host: "%api_host%"
    path: /oauth/v2/token
    methods: POST
    controller: League\Bundle\OAuth2ServerBundle\Controller\TokenController::indexAction

This example does not currently work as the TokenController is not public (The controller for URI "/oauth/v2/token" is not callable: Controller "League\Bundle\OAuth2ServerBundle\Controller\TokenController" cannot be fetched from the container because it is private. Did you forget to tag the service with "controller.service_arguments"?).

Multiple User Providers

If I create multiple user providers I always get the following error:

The service "security.authenticator.oauth2.api" has a dependency on a non-existent service "Symfony\Component\Security\Core\User\UserProviderInterface".

Even if I explicitly set the user provider in the firewall config:

[...]
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
        app_user_provider2:
[...]
    firewalls:
        api:
            pattern: ^/api
            security: true
            stateless: true
            provider: app_user_provider
            oauth2: true
[...]

Argument binding is not working either.
Is it possible to configure the user provider of the authenticator or am I missing something?

Token endpoint in documentation might need correcting?

Basic setup suggests that the token endpoint is /api/token; however, the default route from the bundle is /token. Does the documentation need updating?

    api_token:
        pattern: ^/api/token$
        security: false
    api:
        pattern: ^/api
        security: true
        stateless: true
        oauth2: true

* The `api_token` firewall will ensure that anyone can access the `/api/token` endpoint in order to be able to retrieve their access tokens.

The route from the bundle:

->add('oauth2_token', '/token')

I've set my firewall for '/token' instead and this seems to allow tokens to be obtained and refreshed. Although it also seems to work without this configuration. So I am not clear on when this is needed?

Expose configured client class

Hey,

I'm currently working on a UI to configure the clients.
Unfortunately, I don't want to configure the client class in more than one place.

Could we expose the class from the configuration as a container parameter?

Thanks :)

Unexplained Client authentication failed error

Stack:

  • php: 8.0.1
  • symfony: 5.4
  • api-platform: 2.6
  • league/oauth2-server-bundle: 0.2.0

Installed the package and added it to the bundle config.

  1. imported the routes in config/routes.yaml
  2. generated a private key like so: openssl genrsa -out ./var/oauth/private.key
  3. then generated a public key like so: openssl rsa -in ./var/oauth/private.key -pubout -out ./var/oauth/public.key
  4. created a client like so: bin/console league:oauth2-server:create-client FrontEnd --grant-type=password --grant-type=refresh_token

/config/league_oauth2_server.php

<?php

declare(strict_types=1);

use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $containerConfigurator): void {
    $containerConfigurator->extension('league_oauth2_server',
        [
            'authorization_server' => [
                'private_key' => __DIR__ . '/../../var/oauth/private.key',
                'private_key_passphrase' => null,
                'encryption_key' => '%env(OAUTH2_ENCRYPTION_KEY)%',
                'encryption_key_type' => 'plain',
                'access_token_ttl' => 'PT1H',
                'refresh_token_ttl' => 'P1M',
                'auth_code_ttl' => 'PT10M',
                'enable_client_credentials_grant' => true,
                'enable_password_grant' => true,
                'enable_refresh_token_grant' => true,
                'enable_auth_code_grant' => true,
                'require_code_challenge_for_public_clients' => true
            ],
            'resource_server' => ['public_key' => __DIR__ . '/../../var/oauth/public.key'],
            'scopes' => ['available' => ['default_scope'], 'default' => ['default_scope']],
            'persistence' => ['doctrine' => ['entity_manager' => 'default']],
            'role_prefix' => 'ROLE_OAUTH2_',
            'client' => ['classname' => 'League\Bundle\OAuth2ServerBundle\Model\Client']
        ]);
};

/config/packages/security.php

<?php

declare(strict_types=1);

use App\Entity\User;
use App\ValueObject\Role;
use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $containerConfigurator): void {
    $containerConfigurator->extension(
        'security',
        [
            'enable_authenticator_manager' => true,
            'encoders' => [
                User::class => [
                    'algorithm' => 'auto',
                ],
            ],
            'providers' => [
                'api_user_provider' => [
                    'entity' => [
                        'class' => User::class,
                        'property' => 'email'
                    ],
                ]
            ],
            'firewalls' => [
                'api_token' => [
                    'pattern' => '^/api/token$',
                    'security' => false,
                ],
                'register' => [
                    'pattern' => '^/api/users',
                    'security' => false,
                ],
                'api' => [
                    'pattern' => '^/api',
                    'stateless' => true,
                    'provider' => 'api_user_provider',
                    'security' => true,
                    'oauth2' => true,
                ],
            ],
            'access_control' => [
                [
                    'path' => '^/api',
                    'roles' => [Role::IS_AUTHENTICATED_FULLY],
                ],
            ],
        ]
    );
};

Post request to /token
Data in body:

grant_type: password,
client_id: 876b7...,
client_secret: bd108bd7c8...,
username: [email protected],
password: 12345678

Response:

{
    "error": "invalid_grant",
    "error_description": "The user credentials were incorrect.",
    "message": "The user credentials were incorrect."
}

Client is in the database; all other oauth2 tables are empty:
[Screenshot 2021-11-11 at 09 44 10]
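A response of `invalid_grant` / "The user credentials were incorrect." with a valid client and an empty token table is what the password grant returns when nothing resolves the submitted username and password into a user: the bundle does not query the user provider itself for this grant but dispatches an event and expects the application to answer it. The subscriber below is an added example, not the poster's code and not shipped by the bundle. It assumes the event class `League\Bundle\OAuth2ServerBundle\Event\UserResolveEvent` with `getUsername()`, `getPassword()` and `setUser()`, the event name constant `OAuth2Events::USER_RESOLVE`, and that `App\Entity\User` implements `PasswordAuthenticatedUserInterface` and is loaded by email through the `api_user_provider` from the posted security.php.

```php
<?php
// src/EventSubscriber/UserResolveSubscriber.php -- added example, not from the issue or the bundle.
// Assumptions: UserResolveEvent exposes getUsername()/getPassword()/setUser();
// OAuth2Events::USER_RESOLVE is the event name; App\Entity\User implements
// Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface.

declare(strict_types=1);

namespace App\EventSubscriber;

use League\Bundle\OAuth2ServerBundle\Event\UserResolveEvent;
use League\Bundle\OAuth2ServerBundle\OAuth2Events;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

final class UserResolveSubscriber implements EventSubscriberInterface
{
    public function __construct(
        // Autowired to the single configured provider (api_user_provider). With more
        // than one provider, bind this argument explicitly in services.yaml.
        private UserProviderInterface $userProvider,
        private UserPasswordHasherInterface $passwordHasher,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [OAuth2Events::USER_RESOLVE => 'onUserResolve'];
    }

    public function onUserResolve(UserResolveEvent $event): void
    {
        try {
            // The posted provider is configured with property: email, so the
            // grant's "username" field carries the email address.
            $user = $this->userProvider->loadUserByIdentifier($event->getUsername());
        } catch (UserNotFoundException) {
            // Leave the event without a user. The grant then answers with the same
            // invalid_grant message as for a wrong password, so accounts cannot be
            // enumerated through the token endpoint.
            return;
        }

        if (!$user instanceof PasswordAuthenticatedUserInterface) {
            return;
        }

        // Never call setUser() without verifying the password: the password grant
        // would otherwise issue tokens to anyone who knows a valid email address.
        // isPasswordValid() uses the configured hasher and a constant-time compare.
        if (!$this->passwordHasher->isPasswordValid($user, $event->getPassword())) {
            return;
        }

        $event->setUser($user);
    }
}
```

With the default `services.yaml` (autowire and autoconfigure on for `App\`), the subscriber is registered automatically. After adding it, repeat the same POST to the token endpoint: a correct email/password pair should now return an `access_token` and `refresh_token`, and a row should appear in the access token and refresh token tables, while a wrong password still yields the `invalid_grant` response shown above.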

Authenticated `NullUser`

One thing I'm really unsure about is the NullUser.
I know it has been borrowed from trikoder's guard authenticator, but I'm pretty sure such object should never end up in the token storage as part of an authenticated token.
I think the userLoader callable passed to the UserBadge should just return null when it has no valid identifier, letting the UserBadge throw an AuthenticationException. I may miss some cases where we don't want such exception to be thrown, but having an authenticated NullUser in the storage feels wrong anyway.

Apart from that, this is awesome. Really nice work.
Merging now so that we can move forward and iterate.

Originally posted by @chalasr in #24 (comment)

Oauth2ServerBundle returns Invalid Token

Hello everybody,

En ----
I'm posting here because I'm trying to connect hwiBundle with thephpleague/oauth2-server-bundle and I get an Invalid Token error. In effect, when I test in the bundle with dd(), the OAuth server returns my login page (HTML), hence the invalid token.

FR (translated) ----
I'm writing here because I'm having trouble connecting the OAuth server bundle with my HWI client. My client says in the Symfony logs that my token is invalid. So I wanted to test via the browser and then Postman, and the server returns an HTML login form page instead of a token. I'm on Symfony 5.4. Here are the responses from my browser.

Header Location My connect : https://portail.test/authorize?response_type=code&client_id=225aea10a3a4f3f050116219d63140aa&scope=SUPER_USER&state=eyJjc3JmX3Rva2VuIjoiMWM1OTBhODAyMWMxNGU2YTkxY2ZiOGRiNmEzZTVjNjIifQ%253D%253D&redirect_uri=https%3A%2F%2Fclientsoauth.test%2Flogin%2Fcheck-custom

Header Location Authorize: https://clientsoauth.test/login/check-custom?code=...&state=eyJjc3JmX3Rva2VuIjoiMWM1OTBhODAyMWMxNGU2YTkxY2ZiOGRiNmEzZTVjNjIifQ%253D%253D

Cookie CheckCustom : sf_redirect=%7B%22token%22%3A%22001b98%22%2C%22route%22%3A%22custom_login%22%2C%22method%22%3A%22GET%22%2C%22controller%22%3A%22n%5C%2Fa%22%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; secure; httponly; samesite=lax

En ----
So, I tried dd() in the bundle's TokenController but it seems the controller is not used.

FR (translated) ----
I tried running tests in the TokenController to see how it works and which classes it uses, but it seems it is not used when the requests are redirected.

My yml league_oauth2_server.yml

league_oauth2_server:
  authorization_server: # Required
    private_key: 'D:\apps\toto\toto_Portail\certs\oauthserver.key' # Required, Example: /var/oauth/private.key
    private_key_passphrase: '@3O3E39EHD80'
    encryption_key: 'def00000cc93d67e8f289313a9ea381f7f1860a439f05777ae0b7e30fb7053957fd88adf980d3c0da011560baece72be2f0ea0d22722ea19ac524c905ca7d6c135ab88ba'
    encryption_key_type:  plain # One of "plain"; "defuse"
    access_token_ttl:     PT1H
    refresh_token_ttl:    P1M
    auth_code_ttl:        PT10M
    enable_client_credentials_grant: true
    enable_password_grant: true
    enable_refresh_token_grant: true
    enable_auth_code_grant: true
    require_code_challenge_for_public_clients: true
    enable_implicit_grant: true
    persist_access_token: true

  resource_server:      # Required
    public_key: 'D:\apps\toto\toto_Portail\certs\oauthserver_pub.key' # Required, Example: /var/oauth/public.key
  scopes:
    available: [EMAIL, PREFERENCES,SUPER_USER]
    default: [SUPER_USER]
  persistence:          # Required
    doctrine:
      entity_manager: default
  role_prefix:          ROLE_OAUTH2_
  client:
    classname:        League\Bundle\OAuth2ServerBundle\Model\Client

security.yml (oauth server)

security:
    enable_authenticator_manager: true
    role_hierarchy:
        ROLE_OAUTH2_SUPER_USER: [ROLE_OAUTH2_EMAIL, ROLE_OAUTH2_PREFERENCES]
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
        App\Entity\User:
            algorithm: auto

    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_token:
            pattern: ^/api/token$
            security: false
        api:
            pattern: ^/api
            security: true
            stateless: true
            oauth2: true
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                # "login" is the name of the route created previously
                login_path: login
                check_path: login
                enable_csrf: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/authorize, roles: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/, roles: ROLE_USER }

hwi_oauth :

hwi_oauth:
    firewall_names: [secured_area]
    resource_owners:
        portail:
            type:                oauth2
            class:               \HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\GenericOAuth2ResourceOwner
            client_id:           '%env(resolve:OAUTH_CLIENT_ID)%'
            client_secret:       '%env(resolve:OAUTH_CLIENT_SECRET)%'
            access_token_url:    '%env(resolve:OAUTH_URL)%/token'
            authorization_url:   '%env(resolve:OAUTH_URL)%/authorize'
            infos_url:           '%env(resolve:OAUTH_URL)%/resource'
            scope:               "SUPER_USER"
            user_response_class: HWI\Bundle\OAuthBundle\OAuth\Response\PathUserResponse
            paths:
                identifier: username
                nickname:   nickname
                firstname:  first_name
                lastname:   last_name
                realname:   ["first_name", "last_name"]
                email:      email
            options:
                csrf: true
    http:
        client: httplug.client.hwi_special # Default to httplug.client.default

security.yml

security:
    # https://symfony.com/doc/current/security/experimental_authenticators.html
    # enable_authenticator_manager: false
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        app_user_provider:
            id: portail.user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        secured_area:
            anonymous: true
            oauth:
                resource_owners:
                    portail: "/login/check-custom"
                login_path:        /connect/portail
                use_forward:       false
                failure_path:      /login
                oauth_user_provider:
                    service: portail.user_provider



    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/connect/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/dialog/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_USER}
        - { path: ^/, role: ROLE_USER }

For info, the client works with FOSOAuthServerBundle but I don't want to use it on S5.4, I prefer League\Bundle\OAuth2ServerBundle.

Could you help me ?

Matthieu.

delegate league events to symfony

League oauth server dispatches multiple events during the process of authenticating clients, etc. However, Symfony users are not able to make use of these events since they are not dispatched through the Symfony event dispatcher.

I propose that we create a set of event listeners that will be dispatched by the league event dispatcher, and be used to delegate the events to symfony.
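One way to do the delegation proposed above, as an added example (not bundle code): a bridge that registers a callback on the league emitter (oauth2-server 8.x API) for each `League\OAuth2\Server\RequestEvent` name and re-dispatches it through Symfony's dispatcher, plus a subscriber that logs failed client/user authentication for detection. Wiring `attach()` to the `League\OAuth2\Server\AuthorizationServer` service (e.g. via a service configurator) is assumed.

```php
<?php

namespace App\OAuth2\Event;

use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\RequestEvent;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Contracts\EventDispatcher\Event;

// Three classes are shown in one file; split them per PSR-4 in a real application.

/** Symfony event wrapping a league RequestEvent; dispatched as "league.oauth2.<league event name>". */
final class LeagueOAuth2Event extends Event
{
    public const PREFIX = 'league.oauth2.';

    public function __construct(private RequestEvent $inner)
    {
    }

    public function getLeagueName(): string
    {
        return $this->inner->getName();
    }

    public function getRequest(): ServerRequestInterface
    {
        return $this->inner->getRequest();
    }
}

/** Hooks the league emitter and forwards the events it emits to the Symfony dispatcher. */
final class LeagueEventBridge
{
    private const FORWARDED = [
        RequestEvent::CLIENT_AUTHENTICATION_FAILED,
        RequestEvent::USER_AUTHENTICATION_FAILED,
        RequestEvent::REFRESH_TOKEN_CLIENT_FAILED,
        RequestEvent::ACCESS_TOKEN_ISSUED,
        RequestEvent::REFRESH_TOKEN_ISSUED,
    ];

    public function __construct(private EventDispatcherInterface $dispatcher)
    {
    }

    /** Call once on the AuthorizationServer service (assumed: done by a service configurator). */
    public function attach(AuthorizationServer $server): void
    {
        $emitter = $server->getEmitter();
        foreach (self::FORWARDED as $name) {
            $emitter->addListener($name, function (RequestEvent $event): void {
                $this->dispatcher->dispatch(new LeagueOAuth2Event($event), LeagueOAuth2Event::PREFIX.$event->getName());
            });
        }
    }
}

/** Example consumer: records failed client/user authentication so log monitoring can spot credential guessing. */
final class AuthFailureLogger implements EventSubscriberInterface
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            LeagueOAuth2Event::PREFIX.RequestEvent::CLIENT_AUTHENTICATION_FAILED => 'onFailure',
            LeagueOAuth2Event::PREFIX.RequestEvent::USER_AUTHENTICATION_FAILED => 'onFailure',
        ];
    }

    public function onFailure(LeagueOAuth2Event $event): void
    {
        $request = $event->getRequest();
        $body = (array) $request->getParsedBody();

        $this->logger->warning('OAuth2 authentication failure', [
            'event' => $event->getLeagueName(),
            'client_id' => $body['client_id'] ?? null, // never log client_secret or password
            'grant_type' => $body['grant_type'] ?? null,
            'ip' => $request->getServerParams()['REMOTE_ADDR'] ?? null,
        ]);
    }
}
```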

Is this repository not supported by thephpleague?

I know that this repository is under the thephpleague group, but it seems like it is not in fact recommended to use, or someone just forgot to tell people about this repository.

For example, https://oauth2.thephpleague.com/framework-integrations/ recommends the trikoder bundle, but there is no mention of this repository. If people don't know that this repository exists, there will be a lack of contributors.
Also, why did this repository come into existence? Is it because the trikoder bundle is abandoned? If so, people should know that.

Error after upgrading to symfony 5.4

Since symfony/core 5.4: Returning false from "%s()" is deprecated, return null from "getUser()" instead. at /var/www/tgd2_backend/vendor/symfony/security-core/Authorization/AuthorizationChecker.php:83

The error occurs when endpoints are used with a token.

Support for user_identifier

Hi, is there any way to add user_identifier to the bearer token in the sub claim?

I would like to get that identifier in my controller easily by just calling $this->getUser(), which is now null because that user_identifier is not present in the token claim and is hardcoded to null on creation and authorization.

Any smart way of overcoming this?

No redirect after successful login with authorization_code grant (PKCE) [help wanted]

I'm currently updating a Symfony app from 5 to 6 and need to change the oauth server bundle from trikoder to this one. The change was pretty easy but now a problem has arisen which I can't solve. I have a custom LoginFormAuthenticator and at the moment the following happens:

  1. I start the authorization process (with Postman) at the /authorize route.
  2. /authorize redirects me successfully to the /login route.
  3. In the login view I can log in. The profiler shows me the logged in user under security. Afterwards the redirect to /authenticate is successful.
  4. But now the /authenticate request has no logged in user in the profiler and there is no session variable _security.main.target_path for the redirect back to Postman. So /authorize redirects me back to /login (step 2 above).

Is there anybody who can give me advice on how to solve this issue? Many thanks in advance.

My LoginFormAuthenticator:

<?php

namespace Ntrx\UserBundle\Security;

use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Util\TargetPathTrait;


class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
	use TargetPathTrait;

	public const LOGIN_ROUTE = 'ntrx_userbundle_login';

	private EntityManagerInterface $entityManager;
	private UrlGeneratorInterface $urlGenerator;
	private string $userClass;


	public function __construct(EntityManagerInterface $entityManager, UrlGeneratorInterface $urlGenerator, ParameterBagInterface $params) {
		$this->entityManager = $entityManager;
		$this->urlGenerator = $urlGenerator;
		$this->userClass = $params->get('ntrx_user.user_class');
	}


	protected function getLoginUrl(Request $request): string {
		return $this->urlGenerator->generate(self::LOGIN_ROUTE);
	}


	public function supports(Request $request): bool {
		return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getPathInfo();
	}


	public function authenticate(Request $request): Passport {
		$credentials = $this->getCredentials($request);

		$passport = new Passport(
			new UserBadge($credentials['email'], function ($userIdentifier) {
				$user = $this->entityManager->getRepository($this->userClass)->findOneBy(['email' => $userIdentifier]);
				return $user;
			}),
			new PasswordCredentials($credentials['password']),
			[new RememberMeBadge(), new CsrfTokenBadge('authenticate', $credentials['csrf_token'])]
		);

		return $passport;
	}


	public function createToken(Passport $passport, string $firewallName): TokenInterface {
		return new UsernamePasswordToken($passport->getUser(), $firewallName, $passport->getUser()->getRoles());
	}


	public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response {
		$targetPath = $this->getTargetPath($request->getSession(), $firewallName);
		if ($targetPath) {
			return new RedirectResponse($targetPath);
		}

		return new RedirectResponse($this->urlGenerator->generate(self::LOGIN_ROUTE));
	}


	public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response {
		dd('failure', $exception);
	}


	public function start(Request $request, AuthenticationException $authException = null): Response {
		$url = $this->getLoginUrl($request);
		return new RedirectResponse($url);
	}


	public function isInteractive(): bool {
		return true;
	}


	/*
	 * Private methods
	 */
	private function getCredentials(Request $request): array {
		$credentials = [
			'email' => $request->request->get('email'),
			'password' => $request->request->get('password'),
			'csrf_token' => $request->request->get('_csrf_token'),
		];

		$request->getSession()->set(Security::LAST_USERNAME, $credentials['email']);

		return $credentials;
	}
}

My LoginController:

<?php

namespace Ntrx\UserBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;


/**
 * Login controller.
 */
class LoginController extends AbstractController
{
	/**
	 * @Route("/login", name="ntrx_userbundle_login", methods={"GET", "POST"})
	 */
	public function login(AuthenticationUtils $authenticationUtils, ParameterBagInterface $params): Response {
		if ($this->getUser()) {
			return $this->redirectToRoute($params->get('ntrx_user.login_redirect'));
		}

		// get the login error if there is one
		$error = $authenticationUtils->getLastAuthenticationError();
		// last username entered by the user
		$lastEmail = $authenticationUtils->getLastUsername();

		return $this->render('@NtrxUser/login/login.html.twig', ['last_email' => $lastEmail, 'error' => $error]);
	}

	/**
	 * @Route("/logout", name="ntrx_userbundle_logout")
	 */
	public function logout() {
		throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
	}
}

My security.yaml:

security:
    password_hashers:
        App\Entity\User:
            algorithm: auto
            cost: 4
        Symfony\Component\Security\Core\User\User: plaintext

    enable_authenticator_manager: true

    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        // [...]

        api_token:
            pattern: ^/oauth/token
            security: false

        api:
            pattern: ^/api
            security: true
            stateless: true
            provider: app_user_provider
            # custom_authenticators:
            #     - Ntrx\UserBundle\Security\LoginFormAuthenticator
            oauth2: true
            # entry_point: oauth2
            logout:
                path: ntrx_userbundle_logout
                target: application_controller_home
                invalidate_session: true

        main:
            security: true
            stateless: true
            provider: app_user_provider
            custom_authenticators: [Ntrx\UserBundle\Security\LoginFormAuthenticator]
            # oauth2: true
            # entry_point: oauth2
            logout:
                path: ntrx_userbundle_logout
                target: application_controller_home
                invalidate_session: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/oauth/authorize, roles: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }

Logical authorization bug

Hello there!

Please see

$authRequest->setUser($this->userConverter->toLeague($event->getUser()));

This is where we convert the Symfony UserInterface into a League UserEntityInterface

I think it would be more correct to remove this transformation, and in the getUser() and setUser() methods of the AuthorizationRequestResolveEvent event we need to pass only League UserEntityInterface, and the task of transforming the current user into League UserEntityInterface should be passed to the programmer

I should also point out that we do not need to use a Symfony user to release an access_token, because we can also have Telegram users as separate entities in addition to them.

So it would be more correct to assign UserEntityInterface directly to the line I specified, instead of redoing the Symfony UserInterface object

upd. Also within this Issue, in my opinion, it is necessary to detach the AuthorizationRequestUserResolvingListener

Documentation for remote Symfony resource servers

The current library wraps authorization middleware around a resource server. Some specifics on how this is configured by the bundle would help us implement an authorization flow for validating tokens on remote resource servers which use the Symfony framework.

[Help wanted] Access the database from a Symfony API project

I am trying to write a web interface to create, activate (and so on) clients, but when I try to map my entities on the tables, I can't read the data because conversion fails. Errors are like:
Could not convert database value "https://some-redirect-uri..." to Doctrine Type json
Doctrine seems to think the values are in json, which is not the case.

I saw in the database comments on fields like (DC2Type:oauth2_redirect_uri) and some others, but I did not find a way to use the types I saw in the configuration like:

  types:
      oauth2_grant:
          class: League\Bundle\OAuth2ServerBundle\DBAL\Type\Grant
      oauth2_redirect_uri:
          class: League\Bundle\OAuth2ServerBundle\DBAL\Type\RedirectUri
      oauth2_scope:
          class: League\Bundle\OAuth2ServerBundle\DBAL\Type\Scope

I think some annotations are needed in my entities, and then some way to convert a space-delimited value to an array back and forth.

Thanks in advance for any help on this subject.

Missing configuration to set parameter revokeRefreshTokens

There is no way to disable refresh token revocation using configuration.

\League\OAuth2\Server\AuthorizationServer::revokeRefreshTokens

I'm actually forced to set the value using a compiler pass and calling it before enableGrantType is called.

$authorizationServer = $container->getDefinition('League\OAuth2\Server\AuthorizationServer');
$calls = $authorizationServer->getMethodCalls();
array_unshift($calls, ['revokeRefreshTokens', [false]]);
$authorizationServer->setMethodCalls($calls);

Missing documentation

Hello,

I'm trying to set up this bundle on our project. I successfully managed to configure the bundle, although there were some hiccups and I had to browse the issues here and Google.

I created a client via the CLI.

Now I'm trying to move forward but the documentation for the next steps is missing. Could you please fill in the missing steps for the bundle to work? Thanks.

I found this file in the original bundle docs https://github.com/trikoder/oauth2-bundle/blob/HEAD/docs/password-grant-handling.md which looks like what I need at this stage, but it is completely missing in the new repo.

Question because Bad access token with a local client and a remote server oauth

Hello,

I just set up an oauth server and hwi client which works very well on localhost.

However, when I want my client to communicate locally with a remote oauth server, it cannot retrieve the resources (/api).

The access token seems invalid since it gives me a 401 error.

Have you ever encountered this problem, and do you have any solutions to offer me?

Symfony : 5.4.*
Php : 8.0 on server and 7.4 on client.

Thank you in advance for your reply.

Missing documentation on how to implement authorization code grant

The most important thing is documentation stating that you need to make an event listener that sets the authorization resolution to true.
Ideally it should have an example of how to display a page with two buttons to accept or deny the authorization.

https://github.com/thephpleague/oauth2-server-bundle/blob/master/src/Controller/AuthorizationController.php#L101

My implementation for inspiration:

<?php

namespace App\EventListener\OAuth2;

use Nyholm\Psr7\Response;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;

class AuthorizationRequestResolverSubscriber implements EventSubscriberInterface
{
	public const SESSION_AUTHORIZATION_RESULT = '_app.oauth2.authorization_result';

	private RequestStack $requestStack;
	private UrlGeneratorInterface $urlGenerator;

	public function __construct(RequestStack $requestStack, UrlGeneratorInterface $urlGenerator)
	{
		$this->requestStack = $requestStack;
		$this->urlGenerator = $urlGenerator;
	}

	public static function getSubscribedEvents(): array
	{
		return [
			OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE => 'resolve',
		];
	}

	public function resolve(AuthorizationRequestResolveEvent $event): void
	{
		$request = $this->requestStack->getCurrentRequest();

		if ($request->getSession()->has(self::SESSION_AUTHORIZATION_RESULT)) {
			$event->resolveAuthorization($request->getSession()->get(self::SESSION_AUTHORIZATION_RESULT));
			$request->getSession()->remove(self::SESSION_AUTHORIZATION_RESULT);

			return;
		}

		$event->setResponse(new Response(302, [
			'Location' => $this->urlGenerator->generate('app_consent', $request->query->all()),
		]));
	}
}

<?php

namespace App\Controller\Frontend;

use App\EventListener\OAuth2\AuthorizationRequestResolverSubscriber;
use App\Form\Type\PSD2\AuthorizationType;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\IsGranted;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class OAuth2Controller extends AbstractController
{
	/**
	 * @Route("/consent", name="app_consent")
	 * @IsGranted("IS_AUTHENTICATED_FULLY")
	 */
	public function consent(Request $request): Response
	{
		$form = $this->createForm(AuthorizationType::class);
		$form->handleRequest($request);

		if ($form->isSubmitted() && $form->isValid()) {
			switch (true) {
				case $form->get('accept')->isClicked():
					$request->getSession()->set(AuthorizationRequestResolverSubscriber::SESSION_AUTHORIZATION_RESULT, true);
					break;
				case $form->get('refuse')->isClicked():
					$request->getSession()->set(AuthorizationRequestResolverSubscriber::SESSION_AUTHORIZATION_RESULT, false);
					break;
			}

			return $this->redirectToRoute('oauth2_authorize', $request->query->all());
		}

		return $this->render('oauth2/authorization.html.twig', [
			'form' => $form->createView(),
		]);
	}
}

Help Wanted: Auth flow not directing to login if no user found

Hi,

I am trying to get the authorize flow to direct to the login page if the user has not logged in yet, and then redirect to the Authorize page.

Currently I just get a 403 if the user has not logged in (if the user has already logged in on the browser, it shows the auth page and continues on from there fine).

Is this a config issue or something else?

This is my Security.yaml

security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        app_user_provider:
            entity:
                class: Clean\Implementation\Entity\UserOrmEntity
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        token:
            pattern: ^/token
            security: false
        api:
            pattern: ^/api/
            security: true
            stateless: true
            oauth2: true
        main:
            form_login:
                login_path: login
                check_path: login
            logout:
                path: logout

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/authorize, roles: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/api, roles: ROLE_USER }
    # Use hierarchy to manage different access levels
    # https://symfony.com/doc/current/security.html#hierarchical-roles
#    role_hierarchy:
#        ROLE_DISTRIBUTOR: ROLE_USER
#        ROLE_ADMIN: [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
#    role_hierarchy:
#        ROLE_OAUTH2_SUPER_USER: [ROLE_OAUTH2_EMAIL, ROLE_OAUTH2_PREFERENCES]

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon

Authorization subscriber (from https://github.com/Kerrialn/oauth2-example-project)

<?php

namespace App\EventSubscriber;

use League\Bundle\OAuth2ServerBundle\Event\AuthorizationRequestResolveEvent;
use League\Bundle\OAuth2ServerBundle\OAuth2Events;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

class AuthorizationRequestResolverSubscriber implements EventSubscriberInterface
{
    public const SESSION_AUTHORIZATION_RESULT = '_app.oauth2.authorization_result';

    private RequestStack $requestStack;
    private UrlGeneratorInterface $urlGenerator;

    public function __construct(RequestStack $requestStack, UrlGeneratorInterface $urlGenerator)
    {
        $this->requestStack = $requestStack;
        $this->urlGenerator = $urlGenerator;
    }

    public static function getSubscribedEvents(): array
    {
        return [
            OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE => 'onAuthorizationRequestResolve',
        ];
    }

    public function onAuthorizationRequestResolve(AuthorizationRequestResolveEvent $event): void
    {
        $request = $this->requestStack->getCurrentRequest();

        if ($request->getSession()->has(self::SESSION_AUTHORIZATION_RESULT)) {
            $event->resolveAuthorization(
                $request->getSession()->get(self::SESSION_AUTHORIZATION_RESULT)
            );
            $request->getSession()->remove(self::SESSION_AUTHORIZATION_RESULT);

        } else {
            $url = $this->urlGenerator->generate('app_consent', $request->query->all());

            $response = new RedirectResponse($url);
            $event->setResponse($response);
        }

    }
}

Cheers,
Phil

make the default scope(s) configurable

Currently, creating a client with no scopes gives the client access to all the scopes, which is a bad idea in most cases, since the user might forget to specify them when creating a client, resulting in a security vulnerability.

We need to have an event listener that adds default scopes before the client is persisted if the client doesn't have any.

How can I know who made the request?

Let's say someone makes a request to /api/house/643f808d-ea9e-366d-abe6-2c9007ad51fd. I want to check if that house belongs to an organization that has permissions to view/edit/delete it. I can of course associate the client ID with an organization, but what do I actually check against?
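One way to tie the request to the calling organization, as an added example (not bundle code): a Symfony voter that reads the client id from the bundle's `OAuth2Token`, checks the house's organization against it, and then checks the scope the token was issued with. `App\Entity\House`, `App\Repository\OrganizationRepository::findOneByClientId()` and the scopes HOUSE_READ/HOUSE_WRITE are assumptions, and the token is assumed to expose `getOAuthClientId()` (check your bundle version).

```php
<?php

namespace App\Security\Voter;

use App\Entity\House;                      // assumed application entity with getOrganization()
use App\Repository\OrganizationRepository; // assumed: maps an OAuth2 client id to an Organization
use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2Token;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Object-level authorization for /api/house/{id}: the calling OAuth2 client must belong
 * to the organization that owns the house, and the token must carry a scope for the action.
 */
final class HouseVoter extends Voter
{
    public const VIEW = 'HOUSE_VIEW';
    public const EDIT = 'HOUSE_EDIT';
    public const DELETE = 'HOUSE_DELETE';

    // Scope -> role mapping follows the bundle's role_prefix (ROLE_OAUTH2_ + upper-cased scope).
    private const REQUIRED_ROLE = [
        self::VIEW => 'ROLE_OAUTH2_HOUSE_READ',
        self::EDIT => 'ROLE_OAUTH2_HOUSE_WRITE',
        self::DELETE => 'ROLE_OAUTH2_HOUSE_WRITE',
    ];

    public function __construct(private OrganizationRepository $organizations)
    {
    }

    protected function supports(string $attribute, $subject): bool
    {
        return isset(self::REQUIRED_ROLE[$attribute]) && $subject instanceof House;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        // Deny anything that did not come through the oauth2 firewall.
        if (!$token instanceof OAuth2Token) {
            return false;
        }

        // 1. Who is calling: resolve the client id carried by the access token to an organization.
        $organization = $this->organizations->findOneByClientId($token->getOAuthClientId());
        if (null === $organization) {
            return false;
        }

        // 2. Ownership: the house must belong to that organization.
        /** @var House $subject */
        if ($subject->getOrganization()->getId() !== $organization->getId()) {
            return false;
        }

        // 3. Least privilege: the token must have been issued with a scope allowing the action.
        return in_array(self::REQUIRED_ROLE[$attribute], $token->getRoleNames(), true);
    }
}
```

In the controller, `$this->denyAccessUnlessGranted(HouseVoter::EDIT, $house)` then returns 403 when either the organization or the scope does not match.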

Example code to add Page Logout during installation

Hello,

here is some code to return the user information through the api route and also to allow logout.

Client side route in js (example for reactjs) :

function logout(evt) {
    axios.get(routing.oauthuri).then((response) => {
        window.location.href = response.data.oauth_uri + '/api/logout?uri=' + window.location.origin;
    });
}

Have a good day.

/**
 * @Route("/api", name="app_api")
 * @return Response
 */
public function index(): Response
{
    $user = $this->security->getUser();
    $userInfo = [];
    $userInfo['username'] = $user->getId();
    $userInfo['nickname'] = $user->getUserIdentifier();
    $userInfo['email'] = $user->getEmail();
    $userInfo['realusername'] = $user->getUsername();
    $userInfo['roles'] = $user->getRoles();

    return new JsonResponse($userInfo);
}

/**
 * @Route("/api/logout", name="app_api_logout", methods="GET")
 * @param Request $request
 * @return RedirectResponse
 */
public function userLogoutAction(Request $request)
{
    // getUser() may be null: read the identifier only when a user is authenticated
    $user = $this->security->getUser();
    $identifier = null !== $user ? $user->getUserIdentifier() : null;
    // Note: the redirect target comes from the query string and is not validated here
    $uri = $request->query->get('uri').'/logout';

    if (!empty($identifier)) {
        $tokens = $this->em->getRepository(AccessToken::class)->findBy(['userIdentifier' => $identifier]);

        foreach ($tokens as $token) {
            // revoke the refresh tokens bound to this access token, then the access token itself
            $refreshTokens = $this->em->getRepository(RefreshToken::class)->findBy(['accessToken' => $token->getIdentifier()]);
            foreach ($refreshTokens as $rtoken) {
                $rtoken->revoke();
            }
            $token->revoke();
        }
        // one flush for all revocations
        $this->em->flush();
    }

    $response = new RedirectResponse($uri);
    $response->headers->clearCookie("PHPSESSID");
    return $response;
}
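The logout action above redirects to whatever `?uri=` the caller supplies. As an added example (not the original poster's code), here is the same endpoint with the target checked against a configured allowlist of client origins, so the server only ever sends the browser back to a known client. The `app.logout_origins` parameter bound to the constructor and annotation-based routing are assumptions; token revocation is left out of this block.

```php
<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ApiLogoutController extends AbstractController
{
    /** @var string[] allowed client origins, e.g. ['https://clientsoauth.test'] (assumed: bound from app.logout_origins) */
    private array $allowedOrigins;

    public function __construct(array $allowedOrigins)
    {
        $this->allowedOrigins = $allowedOrigins;
    }

    /**
     * Reduces $candidate to "https://host[:port]" and returns it only if it is exactly one of the
     * allowed origins; userinfo, path, query, fragment, a non-https scheme or an unknown host yield null.
     */
    public static function matchAllowedOrigin(string $candidate, array $allowedOrigins): ?string
    {
        $parts = parse_url($candidate);
        if (false === $parts || !isset($parts['scheme'], $parts['host'])) {
            return null;
        }
        foreach (['user', 'pass', 'query', 'fragment'] as $forbidden) {
            if (isset($parts[$forbidden])) {
                return null;
            }
        }
        if (isset($parts['path']) && '' !== $parts['path'] && '/' !== $parts['path']) {
            return null;
        }
        if ('https' !== strtolower($parts['scheme'])) {
            return null;
        }

        $origin = 'https://'.strtolower($parts['host']).(isset($parts['port']) ? ':'.$parts['port'] : '');
        foreach ($allowedOrigins as $allowed) {
            if ($origin === strtolower(rtrim($allowed, '/'))) {
                return $origin;
            }
        }

        return null;
    }

    /**
     * @Route("/api/logout", name="app_api_logout", methods="GET")
     */
    public function userLogoutAction(Request $request): Response
    {
        $origin = self::matchAllowedOrigin((string) $request->query->get('uri', ''), $this->allowedOrigins);
        if (null === $origin) {
            // Refuse rather than redirect: an unknown target would turn this endpoint into an open redirect.
            return new Response('Unknown logout target', Response::HTTP_BAD_REQUEST);
        }

        // ... revoke the user's access and refresh tokens here, as in the snippet above ...

        $response = new RedirectResponse($origin.'/logout');
        $response->headers->clearCookie('PHPSESSID');

        return $response;
    }
}
```

Keeping the endpoint on GET means any page the user visits can trigger the logout; if the client can be changed, POST with a CSRF token is the safer shape.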

Decorate swagger documentation if it exists

OAuth authentication is, to my knowledge, often linked to providing an API. Since Symfony's API package provides Swagger by default, I believe it could be nice to add the routes provided by this package to the Swagger documentation if it is present.

Even if that might mean adding a bit of dependency, it seems like a gain to have automated documentation.

use http foundation response in `AuthorizationRequestResolveEvent`.

currently, AuthorizationRequestResolveEvent::setResponse uses PSR 7 response, later this response gets converted to a symfony response.

/** @var AuthorizationRequestResolveEvent $event */
$event = $this->eventDispatcher->dispatch(
    $this->eventFactory->fromAuthorizationRequest($authRequest),
    OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE
);
$authRequest->setUser($this->userConverter->toLeague($event->getUser()));
if ($event->hasResponse()) {
    /** @var ResponseInterface $response */
    $response = $event->getResponse();

    return $this->httpFoundationFactory->createResponse($response);
}

since this event is part of the bundle, and most symfony applications use http foundation rather than PSR 7, it makes sense to default to Http Foundation rather than PSR 7.

Only one persistence method can be configured at a time

I am using Symfony 5.2 and I configured thephpleague/oauth2-server-bundle as an OAuth server and for social media login via APIs. But I am facing an issue while configuring the bundle.
My league_oauth2_server file looks like:

league_oauth2_server:
    authorization_server: # Required

        # Full path to the private key file.
        # How to generate a private key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys
        private_key:   "%kernel.project_dir%/../config/oauth/private.key"

        # Passphrase of the private key, if any
        private_key_passphrase: mypassphrase

        # The plain string or the ascii safe string used to create a Defuse\Crypto\Key to be used as an encryption key.
        # How to generate an encryption key: https://oauth2.thephpleague.com/installation/#string-password
        encryption_key: 3FX/FO/IJD6nXqFp0mcU31uuLPTeA9zNUPazkngXQnk=

        # The type of value of 'encryption_key'
        encryption_key_type:  plain # One of "plain"; "defuse"

        # How long the issued access token should be valid for.
        # The value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters
        access_token_ttl:     PT1H

        # How long the issued refresh token should be valid for.
        # The value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters
        refresh_token_ttl:    P1M

        # How long the issued auth code should be valid for.
        # The value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters
        auth_code_ttl:        PT10M

        # Whether to enable the client credentials grant
        enable_client_credentials_grant: true

        # Whether to enable the password grant
        enable_password_grant: true

        # Whether to enable the refresh token grant
        enable_refresh_token_grant: true

        # Whether to enable the authorization code grant
        enable_auth_code_grant: true

        # Whether to require code challenge for public clients for the auth code grant
        require_code_challenge_for_public_clients: true

    resource_server: # Required

        # Full path to the public key file
        # How to generate a public key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys
        public_key:  "%kernel.project_dir%/../config/oauth/public.key"

    # Scopes that you wish to utilize in your application.
    # This should be a simple array of strings.
    scopes: []

    # Configures different persistence methods that can be used by the bundle for saving client and token data.
    # Only one persistence method can be configured at a time.
    persistence: # Required
        doctrine:

            # Name of the entity manager that you wish to use for managing clients and tokens.
            entity_manager:       default
        in_memory:            ~

    # Set a custom prefix that replaces the default 'ROLE_OAUTH2_' role prefix
    role_prefix: ROLE_OAUTH2_

    client:
        # Set a custom client class. Must be a League\Bundle\OAuth2ServerBundle\Model\Client
        classname: League\Bundle\OAuth2ServerBundle\Model\Client

Please help me out and save my day! Thanks in advance.

When are you going to release the stable version of the bundle?

I understand that the trikoder repository is abandoned and this one will replace it.
We have implemented it in our project and would like to know when this bundle will be released,
and what plans there are for it in the future.

You are doing a great job, guys.
Thanks in advance for your answer.

Self-Validating vs Opaque Tokens

At the moment, this bundle implements the underlying library using JWTs. The authentication mechanism checks if a token is revoked through an AccessTokenRepositoryInterface and requires a UserInterface for the doAuthenticate() and createToken() methods. Part of the point, as far as I see it, of using JWTs is that their validation is encapsulated within themselves. Anyone with a public key can verify the token. This means that on remote resource servers, one can validate a token without having to proxy the auth server for introspection unless explicitly necessary (this of course makes a short TTL very important).

If your auth and resource servers are one and the same (as the library/bundle appears to have been designed with in mind), then JWTs are just unnecessarily verbose. If you're going to access the Token Repository to check for manual revocation, why not just pass around the opaque token ID from the start?

All in all, I propose the bundle have two authenticators: a JWT authenticator without a revocation check and an opaque authenticator with a revocation check.
The bundle could stand to have a default TokenUser that just takes the sub and aud claims. Throw that right next to the NullUser.

Support for anonymous users

Right now the included BearerTokenValidator throws OAuthServerExceptions if a bearer token isn't passed. This makes it impossible to implement anonymous user support and leads to plaintext output of "The resource server rejected the request.". It'd be better if there were support for anonymous users, as scopes / roles are an adequate way to gate access rather than requiring that a user always be logged in.

My specific use case for this is OAuth2 to gate access to a GraphQL API. I want the GraphQL API to always be available while access to specific items requires a logged-in user and the appropriate roles. This way tools can access the GraphQL schema without needing a valid JWT.

Add explanation about RoleVoter prefix

This took me a hot minute to debug why something like a SCOPE_ prefix did not work out of the box.

Symfony's RoleVoter uses a prefix for IsGranted to be able to vote. By default this is ROLE_. The easiest fix would be to add information about this to the documentation in the two places below, stating that it needs to start with the prefix defined for RoleVoter.

A better fix would be to find out what this prefix is and add it, if it is not already the prefix.

# Set a custom prefix that replaces the default 'ROLE_OAUTH2_' role prefix
role_prefix: ROLE_OAUTH2_

->scalarNode('role_prefix')
->info('Set a custom prefix that replaces the default \'ROLE_OAUTH2_\' role prefix')
->defaultValue('ROLE_OAUTH2_')
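The reason a SCOPE_ prefix silently fails is that Symfony's RoleVoter abstains on any attribute not starting with its own prefix, so nothing ever votes on SCOPE_ attributes. The following config/services.php is an added example (not from the issue or the bundle) that pairs the bundle's role_prefix with a second RoleVoter built for that prefix; it assumes Symfony's PHP configuration format and the bundle's league_oauth2_server.role_prefix option shown above.

```php
<?php
// config/services.php, added example (not from the issue or the bundle). Makes a custom
// SCOPE_ prefix work with isGranted()/IsGranted: Symfony's RoleVoter abstains on every
// attribute that does not start with its own prefix (ROLE_ by default), so a second
// RoleVoter built for SCOPE_ must vote on the scope attributes the bundle derives.
use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;

return static function (ContainerConfigurator $configurator): void {
    // Bundle side: granted OAuth2 scopes become SCOPE_<scope> role attributes on the token
    // instead of the default ROLE_OAUTH2_<scope>.
    $configurator->extension('league_oauth2_server', [
        'role_prefix' => 'SCOPE_',
    ]);

    // Symfony side: a RoleVoter whose prefix matches, tagged so the access decision manager
    // consults it. Without it isGranted('SCOPE_...') is never voted on, and with every voter
    // abstaining the default strategy denies access.
    $configurator->services()
        ->set('app.security.scope_role_voter', RoleVoter::class)
        ->args(['SCOPE_'])
        ->tag('security.voter');
};
```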
