I want to create a oauth2 server for my websites (3 websites, 1 login). I created the server, I used FOSUserBundle and FOSOAuthServerBundle, I followed the instructions.
But I have 1 problem. I can create token through /oauth/v2/token this is fine.
I can go to /oauth/v2/oauth, but when I'm redirected to the website, I have examle.com?error=invalid_request&error_description=Invalid+response+type.
And if I login at /login, I will be logged in, but no token is created. This would be fine if I only had 1 website, but I would like to make something more like Google (if you are on maps, youtube... if you want to log in, you are redirected to accounts.google.com, login, then back to the website), but I can't see how to do that right now. I guess I need to do more work, but where exactly ?
My security.yml right now:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
anonymous: true
api:
pattern: ^/api
fos_oauth: true
stateless: true
anonymous: false # can be omitted as its default value
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
Should I create a new login page, or user provider? Thanks :)
You didn't specify a response type. You should use this request :
PROVIDER_HOST/oauth/v2/auth?client_id=CLIENT_ID&response_type=code&redirect_uri=CLIENT_HOST
Then get access with code :
CLIENT_HOST/?code=Yjk2MWU5YjVhODBiN2I0ZDRkYmQ1OGM0NGY4MmUyOGM2NDQ2MmY2ZDg2YjUxYjRiMzAwZTY2MDQxZmUzODg2YQ
Then ask for the token :
PROVIDER_HOST/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fclinet.local%2F&code=CODE
More info here : http://blog.tankist.de/blog/2013/07/18/oauth2-explained-part-3-using-oauth2-with-your-bare-hands/
Related
My website is running with Symfony 3.4 and I just install the FOSUserBundle to manage login/authentification. I followed this tutorial but all isn't working perfectly. For the record I can access my homepage view (/app_dev.php/) and my login page view (/app_dev.php/login) but in my security.yml :
In the "main" firewall if "anonymous" is set to "true" : everybody can access all the pages.
In the "main" firewall if "anonymous" is set to "false" :
I don't figure out why this path is making a infinite loop.
Below is my security yaml config :
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
providers:
fos_userbundle:
id: fos_user.user_provider.username
role_hierarchy:
ROLE_ADMIN: ROLE_USER
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager
logout: true
anonymous: false
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
And in my dev.log, these lines are looped :
[2018-01-15 10:54:24] request.INFO: Matched route
"fos_user_security_login".
{"route":"fos_user_security_login","route_parameters":{"_controller":"FOS\UserBundle\Controller\SecurityController::loginAction","_route":"fos_user_security_login"},"request_uri":"http://www.mycompany.com/app_dev.php/login","method":"GET"}
[] [2018-01-15 10:54:24] security.INFO: An AuthenticationException was
thrown; redirecting to authentication entry point.
{"exception":"[object]
(Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException(code:
0): A Token was not found in the TokenStorage. at
/var/www/custom_pim/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:51)"}
[] [2018-01-15 10:54:24] security.DEBUG: Calling Authentication entry
point. [] []
You have to change anonymous:
anonymous: true
I solved my problem with the following code :
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
default_target_path: /
csrf_token_generator: security.csrf.token_manager
logout:
target: fos_user_security_login
anonymous: true
access_control:
- { path: ^/$, role: ROLE_USER }
I have checked my settings with yours, and the only thing you have different is
anonymous: false
which I have set to true (which is the default I think). Maybe try changing that and report back, I have a pretty fresh FOSUserBundle project on my hand to check
As the title suggests, I'm going to use Facebook,Google and GitHub authentication alongside JWT authenticator (LexikJWT).
Before starting, I want to know how can I use them? is it possible to use both of them to protect APIs?
If yes, what sort of configurations should my security have? Assuming that I'm using the default configurations.
here is the current security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
acl:
connection: default
access_decision_manager:
strategy: affirmative
role_hierarchy:
ROLE_SALES_NOTIFICATIONS: [ ROLE_SALES_NOTIFICATIONS ]
# FULL CONTROL
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
success_handler: admin_success_handler
logout:
path: /admin/logout
anonymous: true
# Custom firewall for api area
api_login:
pattern: ^/api/auth
stateless: true
anonymous: true
provider: fos_userbundle
form_login:
check_path: /api/auth/check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
api:
pattern: ^/api/v\d+\.\d+/
methods: [ POST, PUT ]
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
api_doc:
pattern: ^/api/doc
stateless: true
anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/user/, role: [ROLE_USER] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/auth/me, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/api/v\d+\.\d+/, roles: IS_AUTHENTICATED_FULLY }
I'm thinking, using both of them as a security provider will lead to errors. is it right?
I don't think using HWIOAuthBundle and LexikJWTBundle on the same project will lead to errors.
You api_login firewall will authenticate your api users while your admin firewall will authenticate your backoffice users.
Since your URL patterns are correctly congigured you should not encounter problems.
I am using FOSUserbundle with the SonataUserbundle. I am not sure, which bundle this error belongs to, but I will try here first. Everytime I login and logout I get redirected:
After logging in, I get redirected to /app_dev.php///dashboard (3 leading slashes)
After logging out, I get redirected to /app_dev.php//login (2 leading slashes)
Here us my security.yml
security:
acl:
connection: default
providers:
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/.*
context: user
form_login:
provider: fos_userbundle
login_path: sonata_user_admin_security_login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, role: [ROLE_USER] }
access_decision_manager:
strategy: unanimous
Can anybody hint me, what I might be missing?
#stof Owner stof commented 39 minutes ago
The redirection after login is handled by the SecurityBundle, not by
FOSUserBundle (we don't handle the login itself) #stof stof closed
this 39 minutes ago
You have to change target path:
# app/config/security.yml
security:
firewalls:
main:
form_login:
# ...
default_target_path: you_target_path
Read more
My entire webpage has to be private with only authenticated users accepted. I'm using FOSUserBundle and have this as setting:
security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
When I set anonymous as false or get rid of it, I get a "problem loading page" error where the page will just crash. Also, when anonymous is true, when I login with the right credentials it logs me in but does not redirect to the main index page, instead it stays on /login and gives me "Logged in as user | Logout".
So the behavior I need it to be is:
1) On homepage, it will redirect to /login page if user is not authenticated (no anonymous users)
2) After login authenticated, redirects to homepage
It is all done in firewall settings
1) add firewall rule:
access_control:
- { path: ^/$, role: ROLE_USER }
2) add default_target_path:
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
default_target_path: /
I have FOS UserBundle installed in my symfony2 project. Login/logout works, only problem is, the system doesn't redirect/close parts that i want closed.
The whole site should only be accessable by loged in users.
Yet i can call any route.
I filled in the data in the access control section of my security yml, yet it doesn't work. I can call mydomain/de_CH/anything/i/want/ and access that content.
This is my security.yml:
security:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
main:
pattern: ^/
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
check_path: fos_user_security_check
csrf_provider: form.csrf_provider
logout:
path: fos_user_security_logout
anonymous: true
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/my-admin/, role: ROLE_ADMIN }
- { path: ^/$, role: ROLE_USER }
#- { path: ^/$, role: ROLE_USER }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
Change
- { path: ^/$, role: ROLE_USER }
to
- { path: ^/.*, role: ROLE_USER }
This is because, first regex tell you allow ROLE_USER to path with that pattern /
So, patterns like /foo /foo/bar and so on aren't catched from your firewall.
Second pattern cover the latter case
Remove the anonymous: true part and put /login to it's own firewall so users can log in.
The anonymous part allowed anonymous user to access that firewall.
firewalls:
login_firewall:
pattern: ^/login$
anonymous: ~
main:
pattern: ^/
form_login:
# ...
logout:
path: fos_user_security_logout
EDIT: Since we denied anonymous users access to the page, we need to create separate firewall for /login otherwise they wouldn't be able to log in.
See section "Avoid Common Pitfalls" in the official documentation:
http://symfony.com/doc/current/book/security.html for more info on the subject.