While Using FOSOAuthServerBundle as OAuthServer and HWIOAuthBundle as OAuth Client, these both application have FOSUSerBundle integration.
I am facing issue in retrieving access token, which will use in sending user response to client application.
Please anyone can help me out.
<?php
public function userAction(Request $request)
{
$user = $this->get('security.context')->getToken()->getUser();
if($user) {
$user = $this->getDoctrine()->getRepository('EparUserBundle:User')->find(
$this->get('security.context')->getToken()->getUser()
);
return new JsonResponse(array(
'id' => $user->getId(),
'username' => $user->getUsername(),
'email' => $user->getEmail()
));
}
return new JsonResponse(array(
'message' => 'User is not identified'
));
}
FosOAuthServer config.yml and security.yml below:
fos_oauth_server:
db_driver: orm # Driver availables: orm, mongodb, or propel
client_class: Epar\Bundle\UserBundle\Entity\Client
access_token_class: Epar\Bundle\UserBundle\Entity\AccessToken
refresh_token_class: Epar\Bundle\UserBundle\Entity\RefreshToken
auth_code_class: Epar\Bundle\UserBundle\Entity\AuthCode
service:
storage: fos_oauth_server.storage.default
user_provider: fos_user.user_manager
client_manager: fos_oauth_server.client_manager.default
access_token_manager: fos_oauth_server.access_token_manager.default
refresh_token_manager: fos_oauth_server.refresh_token_manager.default
auth_code_manager: fos_oauth_server.auth_code_manager.default
options:
# Prototype
#key: []
# Example
# supported_scopes: string
# Changing tokens and authcode lifetime
access_token_lifetime: 3600
refresh_token_lifetime: 1209600
auth_code_lifetime: 30
supported_scopes: user
# Token type to respond with. Currently only "Bearer" supported.
#token_type: string
#realm:
# Enforce redirect_uri on input for both authorize and token steps.
#enforce_redirect: true or false
# Enforce state to be passed in authorization (see RFC 6749, section 10.12)
#enforce_state: true or false
template:
engine: twig
Security.yml
# app/config/security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
administration:
switch_user: true
context: user
pattern: /administration*
form_login:
provider: fos_userbundle
login_path: /administration/login
check_path: /administration/login_check
failure_path: /administration/login
default_target_path: /administration/
use_forward: false
use_referer: true
always_use_default_target_path: true
logout:
path: /administration/logout
target: /administration/login
anonymous: ~
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
logout: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
use_referer: true
anonymous: true
context: connect
# Add your favorite authentication process here
api:
pattern: ^/api
fos_oauth: true
stateless: true
anonymous: true # can be omitted as its default value
access_control:
- { path: ^/administration/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/administration/login_check, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
- { path: "/administration.*", role: ROLE_ADMIN }
HWIOAuthBundle application config.yml & security.yml
config.yml
hwi_oauth:
http_client:
timeout: 10 # Time in seconds, after library will shutdown request, by default: 5
verify_peer: false # Setting allowing you to turn off SSL verification, by default: true
ignore_errors: false # Setting allowing you to easier debug request errors, by default: true
max_redirects: 1 # Number of HTTP redirection request after which library will shutdown request,
# by default: 5
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
#and also, the connecting part (get the token and the user_id)
connect:
# confirmation: true
account_connector: my_user_provider
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: main
fosub:
username_iterations: 30
properties:
# these properties will be used/redefined later in the custom FOSUBUserProvider service.
github: githubID
atssso: atsssoID
resource_owners:
github:
type: github
client_id: *******
client_secret: ********
scope: "user:email"
atssso:
type: oauth2
client_id : 4_1u2nw1clcdy8o4kk84o004s0000oo0kkkw8ow8sg8koowo0c4c
client_secret: v5sa4t4sylcgsgkg8cosws4400k4s0okg48cgc8ccgk8sg4o4
access_token_url: http://192.168.11.71/atssso/web/app_dev.php/oauth/v2/token
authorization_url: http://192.168.11.71/atssso/web/app_dev.php/oauth/v2/auth
infos_url: http://192.168.11.71/atssso/web/app_dev.php/api/user
user_response_class: HWI\Bundle\OAuthBundle\OAuth\Response\PathUserResponse
scope: "user"
paths:
identifier: id
nickname: username
#realname: ["first_name", "last_name"]
realname: username
email: email
# here you will add one (or more) configurations for resource owners
security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_USER
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
check_path: /login_check
oauth:
resource_owners:
github: "/login/check-github"
atssso: "/login/service/atssso"
login_path: /login
failure_path: /login
oauth_user_provider:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
service: my_user_provider
logout: true
anonymous: true
login:
pattern: ^/login$
security: false
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
Related
enter code hereI followed instructions from this url:
https://docs.sonata-project.org/projects/SonataUserBundle/en/4.x/reference/installation/#configuration
I was able to see the admin page but when I tried to add a user, and I got the following error:
No entity manager defined for class "App\Entity\SonataUserUser".
My doctrine.yaml has the following information:
doctrine:
orm:
entity_managers:
default:
mappings:
SonataUserBundle: ~
FOSUserBundle: ~
dbal:
url: '%env(resolve:DATABASE_URL)%'`enter code here`
My framework.yaml has the following information:
framework:
secret: '%env(APP_SECRET)%'
#csrf_protection: true
#http_method_override: true
support.
session:
handler_id: null
cookie_secure: auto
cookie_samesite: lax
#esi: true
#fragments: true
php_errors:
log: true
templating:
engines:
twig
My sonata_user.yaml has the following information:
sonata_user:
class:
user: App\Entity\SonataUserUser
group: App\Entity\SonataUserGroup
#security_acl: true
manager_type: orm # can be orm or mongodb
My security.yaml has the following information:
security:
access_control:
# Admin login page needs to be accessed without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
SONATA:
- ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT # if you are using acl then this line must be commented
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
#admin:
# pattern: /admin(.*)
# context: user
# form_login:
# provider: fos_userbundle
# login_path: /admin/login
# use_forward: false
# check_path: /admin/login_check
# failure_path: null
# logout:
# path: /admin/logout
# target: /admin/login
# anonymous: true
# -> end custom configuration
# default login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
#main:
# pattern: .*
# context: user
# form_login:
# provider: fos_userbundle
# login_path: /login
# use_forward: false
# check_path: /login_check
# failure_path: null
# logout: true
# anonymous: true
I'm using Symfony 4.1.7 in my security.yaml have this access control:
access_control:
# master:
- { path: ^/master, roles: ROLE_MASTER }
# manager:
- { path: ^/.*/manager, roles: ROLE_MANAGER }
# main:
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
when i open the second one url (/foo/manager) and not authorized i will redirected to login path i need to return access denaid not redirect to login.
my last goal is call event listener for append role to authorize user from event listener.
Update:
Here is my security firewall section:
main:
pattern: ^/
user_checker: App\Security\Checker\UserChecker
anonymous: ~
provider: default
context: primary
simple_form:
authenticator: App\Security\Authenticator\UserAuthenticator
check_path: login
login_path: login
username_parameter: phone
password_parameter: password
use_referer: true
logout:
path: logout
remember_me:
secret: '%kernel.secret%'
lifetime: 604800
path: /
remember_me_parameter: remember_me
Yo need to configure the login_path en the security.yml
Example:
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
in_memory: { memory: ~ }
encoders:
FOS\UserBundle\Model\UserInterface: sha512
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
Symfony Doc.
You have to allow users to access this path and instead use your controller to check the user role.
$this->denyAccessUnlessGranted('ROLE_MANAGER ', null, 'Unable to access this page!');
or
$this->isGranted('ROLE_MANAGER');
Depending on what you want to do.
I have a knowledge problem I guess.
I thought, secure an area is done by the firewall. So for my understanding, I only have to write the area down inside the "access_control" to secure it by roles, isn't iT?
Actually, my security.yml looks like:
security:
encoders:
FOS\UserBundle\Model\UserInterface: pbkdf2
role_hierarchy:
ROLE_USER: [ROLE_USER]
ROLE_MODERATOR: [ROLE_AUTHOR]
ROLE_ADMIN: [ROLE_MODERATOR]
ROLE_SUPER_ADMIN: [ROLE_ADMIN]
providers:
fos_userbundle:
id: fos_user.user_provider.username
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
# restrict the firewall to specific http methods
methods: [GET, POST]
access_denied_url: /error403
form_login:
check_path: /login_check
# the user is redirected here when they need to log in
login_path: /login
# if true, forward the user to the login form instead of redirecting
use_forward: true
# login success redirecting options (read further below)
always_use_default_target_path: false
default_target_path: /de/dashboard/
target_path_parameter: _target_path
use_referer: false
provider: fos_userbundle
csrf_provider: form.csrf_provider
default_target_path: /login
logout: true
anonymous: true
logout:
path: /logout
target: /login
invalidate_session: false
delete_cookies:
a: { path: null, domain: null }
b: { path: null, domain: null }
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user, role: ROLE_ADMIN }
- { path: ^/administration, role: ROLE_ADMIN }
But if I login with a "ROLE_USER" account, I can access the "administration path anyway.
Where is my problem? Do I miss somenthing? Do I need a listener or something or will this be handled automatically?
I'm trying to use FOSOAuthServerBundle.
From my ios application, I correctly get the token from /oauth/v2/token, I can see in my database the entry in AccessToken and RefreshToken with the correct user_id.
Opening the _profile, I can see I'm authenticated but I'm logged in as anonymous... why this is happening?
When trying to access /secured/api/me, I'm redirected to /login path...
Can somebody help me?
Here my security.yml
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: ROLE_USER
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
# form_login:
# provider: fos_userbundle
# check_path: /oauth/v2/auth_login_check
# login_path: /oauth/v2/auth_login
anonymous: true
api:
pattern: ^/api
fos_oauth: true
stateless: true
anonymous: true
main:
pattern: ^/
form_login:
provider: fos_userbundle
csrf_provider: form.csrf_provider
login_path: /login
check_path: /login_check
oauth:
resource_owners:
facebook: "/login/check-facebook"
google: "/login/check-google"
login_path: /login
use_forward: false
failure_path: /login
oauth_user_provider:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
service: my_user_provider
logout: true
anonymous: true
login:
pattern: ^/login$
security: false
remember_me:
key: "%secret%"
lifetime: 31536000 # 365 days in seconds
path: /
domain: ~ # Defaults to the current domain from $_SERVER
access_control:
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/, role: ROLE_ADMIN }
- { path: ^/oauth/v2/auth, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/secured, role: [ IS_AUTHENTICATED_FULLY ] }
.
I think you have in your security.yml, under the firewall 'api ' :
//...
api :
// ...
stateless : true
// ...
You have to send the access_token on every request.
Furthermore, if you want to get an authenticated access_token, you have to get it by a request with de parameter "grant_type=password".
With this access_token, your server will recognize the user in each request.
Something like:
PROVIDER_HOST/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=password&username=USERNAME&password=PASSWORD
(source: OAuth2 Explained: Part 3 - Using OAuth2 With Your Bare Hands)
Im trying to create an oauth2 server based on FOSOauthServerBundle, FOSRestBundle and FOSUserBundle. I created a demo application to test the my oauth-server and it failed receiving the data via the GET reguest
(received 401 error ' error="access_denied", error_description="OAuth2
authentication required" '),
in spite the fact that the user was authenticated and the client received an access token properly.
How should I implement the api controllers so the oauth2 will execute the authentication process?
Also, i would like to take a look on real working oauth server example based on those bundles so i would be able to check my application on it.
my security.yml:
jms_security_extra:
secure_all_services: false
expressions: true
security:
acl:
connection: default
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory:
memory:
users:
user: { password: userpass, roles: [ 'ROLE_USER' ] }
admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
fos_userbundle:
id: fos_user.user_provider.username
encoders:
FOS\UserBundle\Model\UserInterface: sha512
Symfony\Component\Security\Core\User\User: plaintext
firewalls:
api:
pattern: ^/api
fos_oauth: true
stateless: true
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
use_referer: true
anonymous: true
oauth_token:
pattern: ^/oauth/v2/token
security: false
secured_area:
pattern: ^/
anonymous: ~
form_login:
provider: fos_userbundle
check_path: /login_check
login_path: /login
always_use_default_target_path: true
default_target_path: /
access_control:
- { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/oauth/v2/auth, role: ROLE_USER }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
- { path: ^/, roles: ROLE_USER }
- { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
Thanks.
Submitting the answer so this will close the open question.
Access denied caused because the request did not contain the access token. Refer to documentation with section titled Creating A Client and Usage.
https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/index.md