When I authenticate in my app1, I get authenticate in my app2 too.
Exemple.
I login at localhost/app1/web/app_dev.pho/login as "foo_user".
When I check my localhost/app2/web/app_dev.php/ I am also authenticated as "foo_user" when I was anon. just before.
Do you know how can I fix that ?
You must use in your function something like this
public function toDo()
{
$user = $this->getUser();
.....
return ['user' => $user];
}
And than in your template use user how you want.
It's only one of few examples, how you can do it
Related
in my web api application I get the acess token from http:applicationpath/connect/token with some parameters (this endpoint is from Identity I think, since we dont create it neither can see it).
But now I need to generate the token from a specific controller but cant see how to do this.
Someone knows how this can be made? Or even if it's possible?
Thanks
Some more info:
My application is an integrator (is this the word?) between an android app(app1) and other web application(app2).
1- The app1 user will send the login and password to my application .
2- Then my application will send then to the app2 who will, if everything goes well, return the app2 token .
3- Then I have to save this token in my db.
4- Then verify if the user exists in my db, and if not, save it.
5- And finally generate an token for my application and return it to the user.
Based on your comment:
But can I, instead of change de default endpoint, make another
endpoint that do the same (generate the token)?
it seems that you are rather looking for Extending discovery. This is quite easy actually.
Add a custom entry in the configuration of startup:
services.AddIdentityServer(options =>
{
options.Discovery.CustomEntries.Add("custom_token", "~/customtoken");
});
And add a controller that handles the request:
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// In case a token is required for login, like the UserInfo endpoint:
//[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[ApiController]
public class CustomTokenController : ControllerBase
{
[Route("customtoken")]
public IActionResult CustomTokenEndpoint()
{
return Ok();
}
}
Update
You can 'replace' the endpoint by disabling the default authorization endpoint and adding a custom endpoint as described above.
Disable the endpoint:
services
.AddIdentityServer(options =>
{
options.Endpoints.EnableAuthorizeEndpoint = false;
})
You may want to use the Authorize path constant.
public const string Authorize = ConnectPathPrefix + "/authorize";
Add the new endpoint:
services.AddIdentityServer(options =>
{
options.Discovery.CustomEntries.Add("authorization_endpoint", $"~/{Authorize}");
});
Please note, I didn't test it, but I think this should work.
Based on this question: Automatic post-registration user authentication
$token = new UsernamePasswordToken($userEntity, null, 'main', array('ROLE_USER'));
$this->get('security.context')->setToken($token);
This worked fine on Symfony 2, but in the actual release of Symfony 2.1 this seams to do not work any more, im trying the same code but with no success (and no errors). The idea is to authenticate my user over ajax without using the login form. This because Im using this schema:
if(user_on_data_base) {
if(user_fb_linked_with_us) { // authenticate him and redirect to /home }
}
This is executed over ajax.
EDIT:
The most strange thing is that if I execute this code from my user controller it works! but executing it from my ajax controller dont.
Looking at how the HWIOAuthBundle does this, it looks like you need to throw the security.interactive_login event.
Here's how you can do it:
$this->get('event_dispatcher')->dispatch(
SecurityEvents::INTERACTIVE_LOGIN,
new InteractiveLoginEvent($this->container->get('request'), $token)
);
I developed an application using symfony2, I want to know how to write preExecute() function symfony2 for following case:
when I log-in into the system; it redirect me on user profile section when I log-out from same screen, It killed session and redirect me on login screen, but when I hit browser's back button then it will redirect me on profile screen, which shows me all user information but when I click for next process from same screen then I redirect me on login page.
I just want to add preExecute function like symfony1.4 for this case, so I checked session and if it is null then it will redirect me on login page if I hit browser's back button when I alrady log-out from the system.
I already added following code in profileController.php files,
public function indexAction() {
$session = $this->get('request')->getSession();
$userId = $session->get('id');
if ($userId == 0 || $userId == '') {
return $this->redirect($this->generateUrl('_security_login'));
} else {
//my code
}
}
//logout action
public function dologoutAction(){
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
$this->container->get('request')->getSession('session')->clear();
return $this->redirect($this->generateUrl('_security_login'));
}
if there is any other way to handle this case then please help me for the same.
Thank you.
Just require the ROLE_USER role on the profile action and the firewall will do the redirect-to-the-login-form-and-then-redirect-back stuff:
/**
* #Secure("ROLE_USER")
*/
public function profileAction()
{
// ...
}
For more information read the Security chapter of the Symfony book.
I have the folowing snippet of code to check use role however it returns me with a
The security context contains no authentication token. One possible reason may be that there is no firewall configured for this URL.
public function loginAction(){
$request = $this->getRequest();
$session = $request->getSession();
var_dump($this->get("security.context")->isGranted('ROLE_ADMIN'));
$response = new Response();
$response -> setContent("login facebook");
$response->send();
return array('name'=>'login facebook');
}
Why I am getting this error and how do I fix this ?
The exception message is pretty clear: One possible reason may be that there is no firewall configured for this URL. To check user role, you need a token which contains a user (anonymous or not). By default, if you don't configure a authentication provider for a given path, you won't get any security context.
The solution here is to add an authentication provider.
i would like to do something like that in controller to log user out:
$user = $this->get('security.context')->getToken()->getUser();
$user->logOut();
Logout in Symfony2 is handled by so called logout handler which is just a lister that is executed when URL match pattern from security configuration, ie. if URL is let's say /logout then this listener is executed. There are two build-in logout handlers:
CookieClearingLogoutHandler which simply clears all cookies.
SessionLogoutHandler which invalidates the session
All you have to do is the very same the last one does. You can achieve it by simply calling:
Legacy Symfony
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
Symfony 2.6
$this->get('security.token_storage')->setToken(null);
$this->get('request')->getSession()->invalidate();
Warning
This will only work when remember me functionality is disabled. In other case, user will be logged in back again by means of a remember me cookie with the next request.
Please consider the extended solution if you are using remember me functionality: https://stackoverflow.com/a/28828377/1056679
Invalidating the user's session might cause some unwanted results. Symfony's firewall has a listener that always checks and refreshes the user's token. You could just do a redirect to the default logout route that you have specified in your firewall.yml (or security.yaml)
In Controller you can do this:
$this->redirect($this->generateUrl('your_logout_url'));
If you don't know the name of the logout route (your_logout_url), you can get it from the Symfony console by using this command:
app/console router:match /logout
Or newer Symfony versions:
bin/console router:match /logout
:)
We have to set user as an anonymous user when logging out. Then we can use
$token->getUser()->getRoles(); in controller or {% if is_granted('ROLE_USER') %} in the twig template.
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
...
//$providerKey = $this->container->getParameter('fos_user.firewall_name');
$token = new AnonymousToken($providerKey, 'anon.');
$this->get('security.context')->setToken($token);
$this->get('request')->getSession()->invalidate();
If rememberme functionality is enabled for your site you should also clean rememberme cookie:
$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();
$response = new RedirectResponse($this->generateUrl('dn_send_me_the_bundle_confirm', array(
'token' => $token
)));
// Clearing the cookies.
$cookieNames = [
$this->container->getParameter('session.name'),
$this->container->getParameter('session.remember_me.name'),
];
foreach ($cookieNames as $cookieName) {
$response->headers->clearCookie($cookieName);
}
In Symfony 4/5 this is just enough to remove user:
/**
* #var TokenStorageInterface $token_storage
*/
private TokenStorageInterface $token_storage;
/**
* Will force logout from system
*/
public function logoutCurrentlyLoggedInUser()
{
$this->token_storage->setToken(null);
}
Now You can create a method to use it later to check if user is logged in:
class Application extends AbstractController {...
/**
* Returns currently logged in user
* #return object|UserInterface|null
*/
public function getCurrentlyLoggedInUser()
{
return $this->getUser();
}
In case you are using symfony 4.x (I haven't tested other versions, so it still might work), you may want to use the internal logout handler of symfony (highly recommended, as it will take care of everything for you in a clean way, cookies and all). You don't need to write too much code for that either, you can simply emulate a logout request:
... // Some code, that leads you to force logout the user
// Emulating logout request
$logoutPath = $this->container->get('router')->generate('app_logout');
$logoutRequest = Request::create($logoutPath);
$logoutResponse = $this->container->get('http_kernel')->handle($logoutRequest);
// User is logged out now
... // Stuff to do after logging out, eg returning response
This will make symfony do the request response flow, thus it will call the logout handler internally. This method allows you to proceed to further custom code. Otherwise, if you invoked only the logout listener here, you would have to return the usual logout response, that now is in $logoutResponse. Optionally, if you want to return it, you would also simply:
return $logoutResponse;
The proposed solutions didn't work for me in Symfony 5.3.
It should be something as basic as
session_start();
session_destroy();
So I did this way:
$this->get('session')->start();
$this->get('session')->invalidate();
This will terminate the PHP Session, which is the way most of sessions work in Symfony.