I've set up OAuth [ using FOSOauthServerBudle ]. I'm working on setting up a password type flow.
I can get an access token with client type, but using password type I get an error.
Error: Call to a member function loadUserByUsername() on a non-object
More specifically
$user = $this->userProvider->loadUserByUsername($username); <-OAuthStorage.php at line 161
/oauth/v2/token?client_id=[CLIENTID]&client_secret=[CLIENTSECRET]&grant_type=password&username=test&password=test
So there's no user provider set for OAuthStorage. I can't find any good documentation on how to set a provider for this.
My security conf
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
user_provider:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: user_provider
check_path: _security_check
login_path: _demo_login
anonymous: true
api:
pattern: ^/api
fos_oauth: true
stateless: true
access_control:
# You can omit this if /api can be accessed both authenticated and anonymously
- { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
What do you think guys. Any ideas?
Eureka!
So apparently the provider is configured in config.yml. I had it set to a previous custom user provider. I set it to the same provider as specified in security.yml and everything works just fine.
Related
When i add a new firewall for use api Authentication , i get this fail:
Invalid firewall "api": user provider "app_user_provider" not found.
how i can fix this fail?
security:
encoders:
App\Entity\User:
algorithm: bcrypt
cost: 4
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
in_memory: { memory: ~ }
proveedor:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true
form_login:
login_path: login
check_path: login
provider: proveedor
default_target_path: tasks
logout:
path: /logout
target: /
api:
pattern: ^/api
anonymous: lazy
provider: app_user_provider
guard:
authenticators:
- App\Security\TokenAuthenticator
In your firewall named 'api', you specify 'app_user_provider' but in it is not present in the providers list.
In the providers list, you have: in_memory and proveedor.
Try to replace app_user_provider by proveedor.
If the provider allow you to get your user, it should work.
I'm working with ldaptools-bundle, fosuserbundle in an api endpoint.
My security.yaml looks like this
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
LdapTools\Bundle\LdapToolsBundle\Security\User\LdapUser: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
chain_provider:
chain:
providers: [ldap, fos_userbundle]
fos_userbundle:
id: fos_user.user_provider.username_email
ldap:
id: ldap_tools.security.user.ldap_user_provider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/login
stateless: true
anonymous: true
provider: ldap
json_login:
check_path: /login
username_path: username
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- ldap_tools.security.ldap_guard_authenticator
main:
pattern: ^/
provider: fos_userbundle
stateless: true
anonymous: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }
the problem is thath the ldap guard authenticator is not checking the credentials.
When I change the provider to ldap instead fosuser I got a 500 error code in BasePasswordEncoder class, it happens also if I use the chain_provider
Warning: hash_equals(): Expected known_string to be a string, null
given
Is there a miss config or something?
The workflow should be as follow:
The user is authenticated against ldap server
The user is loaded correctly and then lexik takes care of the token generation
Note: The workflow works without ldap and the token is generated.
Thanks in advance!
Before explain why what I need your help, just keep in mind that I am totally new on Symfony 3.4, so please be lenient with me.
What I try to create is a RESTful API.
For the admin section, I'd like my users to log in every day in order to access the application dashboard. I already do that, by using the LexikJWTAuthenticationBundle with a token that expires every 24 hours.
Then, my API will have several client applications that should access my data using an access token, but not using JWT. Those client applications will be mobile apps ( implemented on React Native ) and desktop apps ( implemented on Electron).
The way I thought I should authorize those applications to access my API is by providing them with an Authentication token using the oAuth protocol.
So, the basic question is, if I could config both authorization methods ( JWT + oAuth ) at the same time for the same resources.
So, for example, let's say I have the following endpoint: /api/v1/repository/chocolates.
With the jms_serializer I am able to choose what data I want to display on each group, so for a user has the ROLE_ADMIN I can display all the product information, while for the user has the ROLE_SOME_GRANT will only be possible to see the title and the description.
So is it possible to access the /api/v1/repository/chocolates either by using the JWT token my admins have or by using the oAuth token my client apps will have?
For the moment my app/config/security.yml has the following setup:
# To get started with security, check out the documentation:
# https://symfony.com/doc/current/security.html
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_NUTRITIONIST: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
# https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# disables authentication for assets and the profiler, adapt it according to your needs
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
security: false
api_user_management:
pattern: ^/api/v1/user/(login|request\/reset|password\/reset)
anonymous: true
stateless: true
api_user_management_safe:
pattern: ^/api/v1/user/(login|request\/reset|password\/reset)
anonymous: true
stateless: true
api_user_login:
pattern: ^/api/v1/login
stateless: true
anonymous: true
form_login:
check_path: /api/v1/login
require_previous_session: false
username_parameter: username
password_parameter: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
logout: true
#############################################
## HERE IF I CHANGE THE fos_oauth to false
## I CAN ACCESS MY ENDPOINT : /api/v1/register/new/user
## WHILE IF THAT IS TRUE I GET THE ERROR MESSAGE:
##
## {
## "error": "invalid_grant",
## "error_description": "The access token provided is invalid."
## }
#############################################
api_access:
pattern: ^/api/v1
stateless: true
#lexik_jwt: ~
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
fos_oauth: true
access_control:
- { path: ^/api/v1/user/request/reset, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/v1/user/password/reset, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/v1/user/update, role: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v1/user/((?!request)|(?!password)|(?!update)), role: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v1/register/new/user, role: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v1/, role: IS_AUTHENTICATED_FULLY }
So, based on that security setup do you think there's a way to have multiple authorization services in my application?
I'm trying to make an authenticated section called /admin but putting in access_control has broken my API (nothing is returned). I don't need authentication for the API so I've used IS_ANONYMOUS as role. Here is my security.yml, what am I doing wrong?
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
providers:
in_memory:
memory: ~
fos_userbundle:
id: fos_user.user_provider.username # fos_user.user_provider.username_email does not seem to work (OAuth-spec related ("username + password") ?)
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
default:
anonymous: ~
http_basic: ~
oauth_token: # Everyone can access the access token URL.
pattern: ^/api/oauth/v2/token
security: false
api:
pattern: ^/api # All URLs are protected
fos_oauth: true # OAuth2 protected resource
stateless: true # Do no set session cookies
anonymous: true # Anonymous access is not allowed
security: false
access_control:
# require ROLE_ADMIN for /admin*
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/api, roles: IS_ANONYMOUS }
Im trying to create an oauth2 server based on FOSOauthServerBundle, FOSRestBundle and FOSUserBundle. I created a demo application to test the my oauth-server and it failed receiving the data via the GET reguest
(received 401 error ' error="access_denied", error_description="OAuth2
authentication required" '),
in spite the fact that the user was authenticated and the client received an access token properly.
How should I implement the api controllers so the oauth2 will execute the authentication process?
Also, i would like to take a look on real working oauth server example based on those bundles so i would be able to check my application on it.
my security.yml:
jms_security_extra:
secure_all_services: false
expressions: true
security:
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory:
memory:
users:
user: { password: userpass, roles: [ 'ROLE_USER' ] }
admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
Symfony\Component\Security\Core\User\User: plaintext
firewalls:
api:
pattern: ^/api
fos_oauth: true
stateless: true
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
use_referer: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
secured_area:
pattern: ^/
anonymous: ~
form_login:
provider: fos_userbundle
check_path: /login_check
login_path: /login
always_use_default_target_path: true
default_target_path: /
access_control:
- { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/oauth/v2/auth, role: ROLE_USER }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
- { path: ^/, roles: ROLE_USER }
- { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
Thanks.
Submitting the answer so this will close the open question.
Access denied caused because the request did not contain the access token. Refer to documentation with section titled Creating A Client and Usage.
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/index.md