I'm trying to use LexikJWTAuthenticationBundle with FOSUserBundle on my Symfony 2.7 application.
Basically, the FOSUserBundle config works fine: I properly load my fixtures and if I try to login via the login form it succeeds.
Getting the token from the login_check also works. Then I put the Authorization header with "Bearer " in the header and try to access to another page. It always result with a 401 response.
Has anyone any leads about what could be the problem or how to proceed to debug?
Here's my config:
# app/config/config.yml
# DunglasJsonLdApi
dunglas_json_ld_api:
title: %api_name%
description: %api_description%
default:
order: DESC
# FOSUserBundle
fos_user:
db_driver: orm
firewall_name: api
user_class: ApiBundle\Bundles\UserBundle\Entity\User
# LewikJWTAuthentificationBundle
lexik_jwt_authentication:
private_key_path: %kernel.root_dir%/config/jwt/private.pem
public_key_path: %kernel.root_dir%/config/jwt/public.pem
pass_phrase: %jwt_pass_phrase%
token_ttl: 86400
# app/config/routing.yml
# DunglasJsonLdBundle
api_doc:
resource: #DunglasJsonLdApiBundle/Resources/config/routing.xml
prefix: /api
api:
resource: .
type: json-ld
prefix: /api
# FOSUserBundle
fos_user_security_login:
path: /login
defaults: { _controller: FOSUserBundle:Security:login }
fos_user_security_check:
path: /api/login_check
defaults: { _controller: FOSUserBundle:Security:check }
fos_user_security_logout:
path: /logout
defaults: { _controller: FOSUserBundle:Security:logout }
# app/config/security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_CA: ROLE_USER
ROLE_SUPER_ADMIN: [ ROLE_CA, ROLE_ALLOWED_TO_SWITCH ]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
login:
pattern: ^/login|^/api/login
provider: fos_userbundle
stateless: true
anonymous: true
form_login:
login_path: fos_user_security_login
check_path: fos_user_security_check
username_parameter: username
password_parameter: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api:
pattern: ^/api
provider: fos_userbundle
stateless: true
anonymous: true
lexik_jwt:
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, role: IS_AUTHENTICATED_FULLY }
Complete application available here.
It seems it works fine now. I did not change anything since the time I posted my question and before posting I rebooted my machine, restarted MySQL, nginx, PHP5-FPM and deleted Symfony cache, so I really fail to understand what happen...
Related
I'm working on a custom membership website which is based on the Symfony2. This website has two type of the bundles. FOSuserbundle and SamlBundle.
I integrated SamlBundle with FOSuserbundle. Single Sign-On system is working now, but FOSuserbundle login form is not working.
This is my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface:
id: app.my_password_encoder
PDias\SamlBundle\Security\User\SamlUser: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
backend_samlservice:
id: saml.backend.fosuser.provider
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
require_previous_session: true
login_path: /login
check_path: /login_check
always_use_default_target_path: false
default_target_path: /
use_forward: true
use_referer: false
saml:
provider: backend_samlservice
direct_entry: false
login_path: /login-saml
check_path: /login-check-saml
default_target_path: /
always_use_default_target_path: true
logout:
path: /logout
target: /login
anonymous: true
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
remember_me:
key: '%secret%'
lifetime: 604800 # 1 week
path: /
domain: ~
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/sendemail, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^, role: ROLE_USER }
acl:
connection: default
Even if I was not using Single Sign-On, backend_samlservice will be executed.
When I use ID & Password to login to the website, I will be redirected to the login page.
Do I have to add something?
Thanks for your anwsers.
I've fixed this problem.
The point was SimpleSAML_Session. I had to clean up the session like this.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
$session = SimpleSAML_Session::getSessionFromRequest();
$session->cleanup();
I added this code on the SamlAuth.php(pdias/saml-bundle/PDias/SamlBundle/Saml). Then it started working.
As the title suggests, I'm going to use Facebook,Google and GitHub authentication alongside JWT authenticator (LexikJWT).
Before starting, I want to know how can I use them? is it possible to use both of them to protect APIs?
If yes, what sort of configurations should my security have? Assuming that I'm using the default configurations.
here is the current security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
access_decision_manager:
strategy: affirmative
role_hierarchy:
ROLE_SALES_NOTIFICATIONS: [ ROLE_SALES_NOTIFICATIONS ]
# FULL CONTROL
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
success_handler: admin_success_handler
logout:
path: /admin/logout
anonymous: true
# Custom firewall for api area
api_login:
pattern: ^/api/auth
stateless: true
anonymous: true
provider: fos_userbundle
form_login:
check_path: /api/auth/check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api:
pattern: ^/api/v\d+\.\d+/
methods: [ POST, PUT ]
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/user/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth/me, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v\d+\.\d+/, roles: IS_AUTHENTICATED_FULLY }
I'm thinking, using both of them as a security provider will lead to errors. is it right?
I don't think using HWIOAuthBundle and LexikJWTBundle on the same project will lead to errors.
You api_login firewall will authenticate your api users while your admin firewall will authenticate your backoffice users.
Since your URL patterns are correctly congigured you should not encounter problems.
I am trying configure HWIOauthBundle in my Symfony2 application with this link.
When I run app/console cache:clear, or composer install I get this message:
[Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException]
The service "security.firewall.map.context.main" has a dependency on a non-
existent service "form.csrf_provider".
My security.yml file:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_USER
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory:
memory:
users:
restapi: { password: secretpw, roles: [ 'ROLE_API' ] }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
check_path: /login_check
oauth:
resource_owners:
facebook: "/login/check-facebook"
login_path: /login
failure_path: /login
oauth_user_provider:
service: my_user_provider
logout: true
anonymous: true
http_basic:
realm: "Demo REST API (username: restapi, password: secretpw)"
stateless: true
login:
pattern: ^/login$
security: false
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
I was looking for this error in network, but I can't find good solution for me.
I can't look now to hwio bundle but looks like you doesn't have 'form.csrf_provider' provider regisrered like service. search in project if 'form.csrf_provider' exist.
I need to read the value of one parameter of the security.yml file from inside the application.
I tried the following to get the list of all the parameters
$parameters=$this->container->getParameterBag()->all();
Which gives me an interesting list of parameters but I don't see the ones related to security.yml (despite the fact that security.yml is imported properly in the config.yml)
imports:
- { resource: parameters.yml }
- { resource: security.yml }
- { resource: services.yml }
Here is the security.yml. I want to read the value of remember_me lifetime.
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
check_path: /login_check
login_path: /login
always_use_default_target_path: false
default_target_path: /main
provider: fos_userbundle
csrf_provider: form.csrf_provider
remember_me:
key: '%secret%'
lifetime: 60
path: /
domain: ~
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
Thank you!
Make remember_me.lifetime a parameter:
#parameters.yml
parameters:
remember_me.lifetime: 60
And in your security config, use the parameter's value as following:
#security.yml
security:
firewalls:
....
main:
remember_me:
key: '%secret%'
lifetime: '%remember_me.lifetime%'
You'll be then able to access this parameters from the bag or inject it into any service.
I have followed this article and implemented OAuth2 with Github, After successful authentication, I am getting below error.
Unable to find the controller for path "/secure_area/login/check-github". Maybe you forgot to add the matching route in your routing configuration?
config.yml
hwi_oauth:
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: secure_area
connect:
confirmation: true
#account_connector: hwi_oauth.user.provider.fosub_bridge
#registration_form_handler: hwi_oauth.registration.form.handler.fosub_bridge
#registration_form: fos_user.registration.form
resource_owners:
github:
type: github
client_id: a8b7e3e35e46271d10a5
client_secret: 6abca3ded9a19d9e2bf52b42f017d23a745bd540
scope: "user:email"
fosub:
# try 30 times to check if a username is available (foo, foo1, foo2 etc)
username_iterations: 30
# mapping between resource owners (see below) and properties
properties:
github: githubID
security.yml
# app/config/security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
secure_area:
pattern: ^/secure_area
oauth:
failure_path: /secure_area/connect
login_path: /secure_area/connect
check_path: /secure_area/connect
provider: fos_userbundle
resource_owners:
github: "/secure_area/login/check-github"
oauth_user_provider:
service: hwi_oauth.user.provider.fosub_bridge
anonymous: true
logout:
path: /secure_area/logout
target: /secure_area/connect #where to go after logout
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/secure_area/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secure_area/connect, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secure_area, roles: ROLE_USER }
What do you have in your routing configuration. Do you have a route setup for hwi_github_login?
Another route named hwi_github_login was also added which is same as the callback url given during creation of Github application. This is the url which will be intercepted by the firewall to check authentication.
Your routing.yml should have:
hwi_oauth_redirect:
resource: "#HWIOAuthBundle/Resources/config/routing/redirect.xml"
prefix: /secure_area/connect
hwi_oauth_login:
resource: "#HWIOAuthBundle/Resources/config/routing/login.xml"
prefix: /secure_area/connect
hwi_oauth_connect:
resource: "#HWIOAuthBundle/Resources/config/routing/connect.xml"
prefix: /secure_area/connect
hwi_github_login:
pattern: /secure_area/login/check-github