The security context contains no authentication token ESI and Symfony2 - symfony

I'm using ESI (Edge Side Includes) to speed up my page, but every time I want to check whether the user is logged in or not I get this error:
    AuthenticationCredentialsNotFoundException: The security context contains no authentication token. One possible reason may be that
    there is no firewall configured for this URL.
In my config.yml file I have this:
    esi: true
    fragments: { path: /_proxy }
    trusted_proxies: [127.0.0.1]
Does anyone know how to solve it? I already tried to set a firewall for the /_proxy URLs, but I think that this is not the solution.
These are my firewalls:
    main:
        pattern: ^/
        form_login:
            check_path: /user/login_check
            login_path: /user/login
            provider: chain_provider
            failure_path: null
        logout:
            path: /user/logout
            target: /
            success_handler: logout_success_handler
            invalidate_session: true
        anonymous: ~
        security: true
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
Thanks


Unrecognized option access_token under security.firewalls.main

I've recently switched to Symfony 6.2 and want to use the newly introduced AccessTokenHandler for Bearer authentication.
So all the cache is cleared after updating and I'm following the guide at https://symfony.com/doc/current/security/access_token.html.
This is part of my security.yaml:
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            access_token:
                token_handler: App\Security\AccessTokenHandler
                token_extractors: header
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: app_login
                check_path: app_login
            logout:
                path: app_logout
But when I make some requests to my page, it says
    Unrecognized option "access_token" under "security.firewalls.main".
    Available options are "access_denied_handler", "access_denied_url",
    "context", "custom_authenticators", "entry_point", "form_login",
    "form_login_ldap", "host", "http_basic", "http_basic_ldap",
    "json_login", "json_login_ldap", "lazy", "login_link",
    "login_throttling", "logout", "methods", "pattern", "provider",
    "remember_me", "remote_user", "request_matcher", "required_badges",
    "security", "stateless", "switch_user", "user_checker", "x509".
So it looks like the Symfony 6.2 changes are not working. Or am I missing something?
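The option list in that error is the set of firewall options the installed SecurityBundle knows about, and `access_token` is not among them; the option only exists from symfony/security-bundle 6.2 onwards, so `composer show symfony/security-bundle` is the first thing to check after such an upgrade. Independently of that, the class the `token_handler` key points to is where the actual security decision lives. What follows is an added example of such a handler, not code from the question or from the Symfony documentation. It assumes opaque bearer tokens that are stored server-side only as SHA-256 hashes, in a hypothetical in-memory map (`$tokens`) keyed by that hash and holding the user identifier and an expiry timestamp.

```php
<?php
// Added example of an AccessTokenHandler for Symfony 6.2's `access_token`
// firewall option. Not code from the original post. The token store below
// ($tokens, injected through the constructor) is hypothetical: a map of
// sha256(token) => ['user' => <identifier>, 'expires' => <unix time>].

declare(strict_types=1);

namespace App\Security;

use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

final class AccessTokenHandler implements AccessTokenHandlerInterface
{
    /**
     * @param array<string, array{user: string, expires: int}> $tokens
     *        hypothetical store: sha256 hex digest of the token => record
     */
    public function __construct(private readonly array $tokens)
    {
    }

    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        // Look tokens up by their hash, never by the raw value, so that a
        // leaked store does not hand out usable bearer tokens.
        $key = hash('sha256', $accessToken);

        $record = $this->tokens[$key] ?? null;

        // One generic failure for "unknown" and "expired": the caller must
        // not learn which of the two it was.
        if (null === $record || $record['expires'] < time()) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        // The identifier is resolved to a user object by the firewall's
        // `provider` (app_user_provider in the question's config).
        return new UserBadge($record['user']);
    }
}
```

The handler never sees the `Authorization` header itself: with `token_extractors: header` the bundle strips the `Bearer ` prefix and passes only the token string, and any exception thrown here results in a 401 from the firewall.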

Symfony 5 - Multiple authenticators in firewall. I need to set the "entry_point

I don't know if what I'm trying to do is possible, but I have the following configuration in my security.yaml and it shows me the following error:
    Because you have multiple authenticators in firewall "administrator_secured_area", you need to set the "entry_point" key to one of your authenticators ("App\Security\AdministratorAuthenticator", "form_login") or a service ID implementing "Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface". The "entry_point" determines what should happen (e.g. redirect to "/login") when an anonymous user tries to access a protected page.
I have searched for various solutions, but none suits my current setup:
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
        App\Entity\Administrator:
            algorithm: auto
        App\Entity\Instructor:
            algorithm: auto
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_administrator_provider:
            entity:
                class: App\Entity\Administrator
                property: email
        app_instructor_provider:
            entity:
                class: App\Entity\Instructor
                property: email
        # used to reload user from session & other features (e.g. switch_user)
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        administrator_secured_area:
            lazy: true
            provider: app_administrator_provider
            custom_authenticator: App\Security\AdministratorAuthenticator
            form_login:
                login_path: /login/administrator
                check_path: /app_login_administrator
                default_target_path: /login/administrator
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_administrator
        instructor_secured_area:
            lazy: true
            provider: app_instructor_provider
            custom_authenticator: App\Security\InstructorAuthenticator
            form_login:
                login_path: /login/instructor
                check_path: /app_login_instructor
                default_target_path: /login/instructor
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_instructor
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }
when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
As the error message suggests, you should set the entry_point key to one of your authenticators. Here is an example; you could choose to set it in one of them, or you could try to set it in both:
        administrator_secured_area:
            lazy: true
            provider: app_administrator_provider
            custom_authenticator: App\Security\AdministratorAuthenticator
            form_login:
                login_path: /login/administrator
                check_path: /app_login_administrator
                default_target_path: /login/administrator
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_administrator
            entry_point: 'form_login'
        instructor_secured_area:
            lazy: true
            provider: app_instructor_provider
            custom_authenticator: App\Security\InstructorAuthenticator
            form_login:
                login_path: /login/instructor
                check_path: /app_login_instructor
                default_target_path: /login/instructor
            logout:
                path: app_logout
                # where to redirect after logout
                target: app_login_instructor
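The error names two valid values for `entry_point`: the string `form_login` used in the answer above, or the custom authenticator class itself, which is only accepted if that class implements `AuthenticationEntryPointInterface`. Extending `AbstractLoginFormAuthenticator` provides that for free: its `start()` redirects an anonymous request to whatever `getLoginUrl()` returns. The following is an added illustration, written for Symfony 5.4, of what `App\Security\AdministratorAuthenticator` could look like; it is not the asker's actual class. It assumes the login form posts `email`, `password` and `_csrf_token` fields, that `app_login_administrator` is the route name for `/login/administrator`, and that `app_administrator_dashboard` is a hypothetical landing route.

```php
<?php
// Added example, not the project's own App\Security\AdministratorAuthenticator.
// Extending AbstractLoginFormAuthenticator makes this class a valid
// `entry_point`, because the base class implements
// AuthenticationEntryPointInterface and redirects anonymous users to
// getLoginUrl(). Assumed names: form fields email/password/_csrf_token,
// routes app_login_administrator and app_administrator_dashboard.

declare(strict_types=1);

namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

final class AdministratorAuthenticator extends AbstractLoginFormAuthenticator
{
    use TargetPathTrait;

    public const LOGIN_ROUTE = 'app_login_administrator'; // assumed route name

    private RouterInterface $router;

    public function __construct(RouterInterface $router)
    {
        $this->router = $router;
    }

    public function authenticate(Request $request): PassportInterface
    {
        $email = (string) $request->request->get('email', '');

        // Remembered so the login form can be re-filled after a failed attempt.
        $request->getSession()->set(Security::LAST_USERNAME, $email);

        return new Passport(
            // resolved to an Administrator by app_administrator_provider
            new UserBadge($email),
            // checked against the hasher configured for App\Entity\Administrator
            new PasswordCredentials((string) $request->request->get('password', '')),
            // the CSRF token must match the id used in the login form
            [new CsrfTokenBadge('authenticate', (string) $request->request->get('_csrf_token', ''))]
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // Return to the protected page the user originally requested, if the
        // entry point recorded one; otherwise go to a fixed landing route.
        $target = $this->getTargetPath($request->getSession(), $firewallName);
        if (null !== $target) {
            return new RedirectResponse($target);
        }

        return new RedirectResponse($this->router->generate('app_administrator_dashboard'));
    }

    // This is what start() redirects to: the entry point behaviour.
    protected function getLoginUrl(Request $request): string
    {
        return $this->router->generate(self::LOGIN_ROUTE);
    }
}
```

With a class like this, `entry_point: App\Security\AdministratorAuthenticator` is the alternative to `entry_point: 'form_login'` shown in the answer. Either way, the entry point only decides where an unauthenticated request is sent; it has no effect on how credentials are verified.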

Timeout Facebook Login with hwioauth bundle : Timeout Gateway 504

Hi!
I am going mad with the following error, found in the prod log, with Facebook Login via HWIOAuthBundle. I have never encountered this bug on our localhosts. It occurred (and continues to occur) several times on prod, sporadically. I tried to set verify_peer to false inside config.yml, turned off IPv6 on the nginx server, etc. Nothing has solved this problem.
Here is the exact error :
    [2017-09-05 17:48:16] request.CRITICAL: Uncaught PHP Exception
    HWI\Bundle\OAuthBundle\OAuth\Exception\HttpTransportException:
    "Error while sending HTTP request" at
    /home/keywinf/htdocs/www/vendor/hwi/oauth-bundle/OAuth/ResourceOwner/AbstractResourceOwner.php line 255
    {"exception":"[object] (HWI\\Bundle\\OAuthBundle\\OAuth\\Exception\\HttpTransportException(code: 28):
    Error while sending HTTP request at /home/keywinf/htdocs/www/vendor/hwi/oauth-bundle/OAuth/ResourceOwner/AbstractResourceOwner.php:255, Buzz\\Exception\\RequestException(code: 28):
    Connection timed out after 60000 milliseconds at /home/keywinf/htdocs/www/vendor/kriswallsmith/buzz/lib/Buzz/Client/Curl.php:29)"} []
config.yml
hwi_oauth:
    firewall_names: [main]
    use_referer: true
    fosub:
        username_iterations: 30
        properties:
            facebook: facebookId
    resource_owners:
        facebook:
            type: facebook
            client_id: "%facebook_id%"
            client_secret: "%facebook_secret%"
            infos_url: 'https://graph.facebook.com/me?fields=id,name,first_name,last_name,picture.type(large),email,gender,birthday,location,age_range'
            scope: "email,user_friends"
    http_client:
        timeout: 60
security.yml
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    api:
        pattern: ^/api/[a-z0-9](-[a-z0-9])+/
        stateless: true
        simple_preauth:
            authenticator: api_key_authenticator
        provider: api
    main:
        pattern: ^/
        anonymous: true
        provider: main
        switch_user: true
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
            success_handler: acme.security.authentication_handler
            failure_handler: acme.security.authentication_handler
            always_use_default_target_path: false
            default_target_path: /
        oauth:
            resource_owners:
                facebook: /login/check-facebook
            login_path: /login
            failure_path: /login
            success_handler: acme.security.authentication_handler
            always_use_default_target_path: false
            default_target_path: /
            oauth_user_provider:
                service: dm.user_provider
        logout:
            path: fos_user_security_logout
            target: /
        remember_me:
            secret: '%secret%'
If anyone knows what could be causing it... Thank you very much.
OK, I got it, for anyone who has been encountering the same storm.
Be careful with IPv6 stuff on your server. PHP cURL was trying to do its job through it, but the server was not IPv6-ready, and it eventually found it cooler to step back to IPv4 (but after a long time). My solution was to activate IPv6 completely (DNS, conf, etc.). You have plenty of useful (and short) examples for it on the web.
Have fun!

Symfony access_control not applied 'per-host' rule

Morning folks,
mainly I want to secure all calls against a URL that starts with /api/internal.
All endpoints that start with this path are only for internal calls, e.g. in an ajax search box. So correct me if I am wrong, but I thought it would be a good idea to secure this via a host definition in access_roles.
I tried it with the following security.yml:
security:
    role_hierarchy:
        ROLE_myproject_USER: ROLE_USER
        ROLE_TEAMMANAGER: ROLE_USER
        ROLE_ADMIN: [ROLE_TEAMMANAGER]
    providers:
        dashboard_users:
            ldap:
                service: myproject.ldap
                # my ldap config
        custom_user_provider:
            id: myproject.factory.scale_user
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_internal:
            pattern: ^/api/internal
            security: true
            host: myproject.dev
        api_doc:
            pattern: ^/api/doc
            security: false
        api_login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
        api:
            pattern: ^/api
            stateless: true
            provider: custom_user_provider
            guard:
                authenticators:
                    - myproject.api_login_authenticator
        main:
            anonymous: ~
            form_login_ldap:
                login_path: myproject_login
                check_path: myproject_login
                service: myproject.ldap
                dn_string: 'Verbund\{username}'
            logout:
                path: myproject_logout
                target: /
    access_control:
        - { path: ^/api/internal, host: myproject.dev }
But I get this error:
    InvalidConfigurationException in SecurityExtension.php line 481:
    No authentication listener registered for firewall "api_internal".
Side information: In this project there a 3 different sections:
/api/internal/**** - should only be accessible from the website itself
/api/ - should be accessible via REST, is secured via JWTToken
the Website itself - is secured via form login and LDAP
Thankful for any help you can provide.
Max
In order to have hosts secured, use access_control:
    access_control:
        # require ROLE_ADMIN for /admin*
        - { path: ^/admin, roles: ROLE_ADMIN }
where the path is your desired host.
In order to have everything for a subhost secured, use
        - { path: ^/admin/*, roles: ROLE_ADMIN }
Remove other firewalls than main and dev!
Please refer to http://symfony.com/doc/2.8/security.html for more information.
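Two points from the question and the answer above are worth making concrete. The configuration error itself comes from the `api_internal` firewall declaring no authentication mechanism at all (no `anonymous`, `form_login`, `guard`, ...), which is what "no authentication listener registered" means; a `host` key on a firewall only decides which requests the firewall claims, it does not authenticate anything. And `host` in `access_control` matches the request's Host header, which the client sets, so it cannot prove that a call came "from the website itself"; what can be enforced is that the caller holds an authenticated session. The fragment below is an added example, not part of either post, of the `access_control` entries that follow the answer's advice (drop `api_internal` and let `main` handle the path). `ROLE_USER` is taken from the question's `role_hierarchy`; the anchored host regex is an assumption about the deployment.

```yaml
# Added example config, not from the original posts. Assumes the `api_internal`
# firewall has been removed so that `main` (session + LDAP form login) handles
# /api/internal. Only the first matching access_control rule is applied, so the
# most specific path comes first.
access_control:
    # `host` is a regular expression: anchor it and escape the dot, otherwise
    # "myproject.dev.attacker.example" would also match.
    - { path: ^/api/internal, host: ^myproject\.dev$, roles: ROLE_USER }
```

One caveat if the `api` firewall (pattern `^/api`, stateless, JWT) is kept: firewalls are matched in order and the first one whose pattern matches wins, so `^/api` would claim `/api/internal` before `main` and the request would be checked statelessly without a session; in that case `^/api/internal` has to be excluded from the `api` firewall's pattern (for example `^/api/(?!internal)`) for the rule above to apply.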

Symfony 3 Use 2 guards authenticator

I am using authentication with guard in my application. I have 2 different ways to log in, with 2 distinct guard authenticators.
My security looks like this:
firewalls:
    login:
        pattern: /(login|api.*)$
        anonymous: ~
    autolog:
        pattern: /(autolog.*)$
        anonymous: ~
        guard:
            authenticators:
                - app.autolog_authenticator
    main:
        logout:
            invalidate_session: true
            path: /%locale%/logout
            target: /%locale%/login
        guard:
            authenticators:
                - app.token_authenticator
The token_authenticator works perfectly. But when I use autolog, the user is perfectly logged in with the autolog_authenticator, but then it goes into the token_authenticator, which refuses the connection.
How can I tell the application to only use the autolog_authenticator and not go to the token_authenticator?
This does not look optimal:
    pattern: /(login|api.*)$
Try to protect your API area with the token only.
Have a look at this implementation example here: https://github.com/knpuniversity/guard-presentation/blob/finished/app/config/security.yml
Another keyword you might need is entry_point, which defines which authentication has a higher priority.
I finally found out how to do it.
I just used the same context for each guard. I use it like this:
firewalls:
    login:
        pattern: /(login|api.*)$
        anonymous: ~
    autolog:
        pattern: /(autolog.*)$
        context: primary_auth
        anonymous: ~
        guard:
            authenticators:
                - app.autolog_authenticator
    main:
        context: primary_auth
        logout:
            invalidate_session: true
            path: /%locale%/logout
            target: /%locale%/login
        guard:
            authenticators:
                - app.token_authenticator
