OAuthToken with null user is not authenticated anymore since symfony 5.4 #688

Open
4rthem opened this issue Jan 13, 2022 · 5 comments

Comments

@4rthem

4rthem commented Jan 13, 2022

I'm using ->isGranted('ROLE_SCOPE1') to authorize a machine token so there is no user context.

Since Symfony 5.4, AuthorizationChecker relies on getUser() instead of getToken(), which makes user-less access tokens not authenticated (cf. diff).
In a way Symfony introduced a BC break, but I think the OAuthToken should fill the user property with a string constant to pass this condition.

What do you think?

@nicolas-grekas what would be the good practice?

@LeoAdamek

I'm also having this issue, specifically when using a client_credentials grant. Is there a workaround for this, perhaps setting the user to the oauth application itself?

@vladimir-light

@4rthem , @LeoAdamek

In some way Symfony introduced a BC break

I agree, it's very odd, especially for client_credentials grant where technically no user exists.

My quick and dirty solution was to override vendor/friendsofsymfony/oauth-server-bundle/Security/Authentication/Provider/OAuthProvider.php with my own. Actually, I only needed to adjust the authenticate() method, so I could create a "dummy user" (something which implements UserInterface) on the fly and set it on $token.

For Example:

src/Security/OAuth/Provider/OAuthProvider.php with fully-qualified namespace of App\Security\OAuth\Provider\OAuthProvider

and then configure it as a "replacement" for fos_oauth_server.security.authentication.provider service.

In your config/services.yaml add the following (under the services key):

services:
    fos_oauth_server.security.authentication.provider:
        class: App\Security\OAuth\Provider\OAuthProvider
        arguments: [ ~, '@fos_oauth_server.server', ~ ]
        public: false

I tried to decorate the original fos_oauth_server.security.authentication.provider service but didn't get it working, so I just copied everything.

In the authenticate() method, right after verifyAccessToken($tokenString), you can check for $user === null and create one on the fly. I decided to create a ClientCredentialsDummyUser model which implements \Symfony\Component\Security\Core\User\UserInterface for that special case.
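
As an added example (not code from the bundle, from Symfony, or from any commenter in this thread), here is the workaround described in the two comments above written out: the ClientCredentialsDummyUser model and the App\Security\OAuth\Provider\OAuthProvider replacement, using the class and file names suggested above. Instead of copying the whole bundle class, it subclasses the bundle's provider and only fills the user slot after the parent has verified the token and mapped scopes to ROLE_* roles, which is exactly the condition the Symfony 5.4 AuthorizationChecker checks. It assumes Symfony 5.4 on PHP 7.4+ and a FOSOAuthServerBundle OAuthProvider that keeps $serverService as a protected property (if it is private in your version, inject the fos_oauth_server.server service into your own constructor instead). Both classes are shown in one listing; in a real project they live in two files.

```php
<?php
// Added example, not the bundle's own code.
// File 1: src/Security/OAuth/ClientCredentialsDummyUser.php

namespace App\Security\OAuth;

use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Stand-in principal for client_credentials tokens, which carry no real user.
 * It deliberately owns no roles: authorization stays driven by the
 * ROLE_<SCOPE> roles the provider derives from the token's scopes, so
 * ->isGranted('ROLE_SCOPE1') keeps working and nothing is silently elevated.
 */
final class ClientCredentialsDummyUser implements UserInterface
{
    /** @var string */
    private $clientPublicId;

    public function __construct(string $clientPublicId)
    {
        $this->clientPublicId = $clientPublicId;
    }

    public function getClientPublicId(): string
    {
        return $this->clientPublicId;
    }

    // Symfony 5.3+ identifier; prefixed so it cannot collide with a human login.
    public function getUserIdentifier(): string
    {
        return 'oauth-client:'.$this->clientPublicId;
    }

    // Still required by the UserInterface contract in Symfony < 6.
    public function getUsername(): string
    {
        return $this->getUserIdentifier();
    }

    public function getRoles(): array
    {
        return [];
    }

    public function getPassword(): ?string
    {
        return null;
    }

    public function getSalt(): ?string
    {
        return null;
    }

    public function eraseCredentials(): void
    {
    }
}

// File 2: src/Security/OAuth/Provider/OAuthProvider.php

namespace App\Security\OAuth\Provider;

use App\Security\OAuth\ClientCredentialsDummyUser;
use FOS\OAuthServerBundle\Security\Authentication\Provider\OAuthProvider as BaseOAuthProvider;
use FOS\OAuthServerBundle\Security\Authentication\Token\OAuthToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;

/**
 * Drop-in replacement for the fos_oauth_server.security.authentication.provider
 * service class. The parent does the real work (token lookup, expiry, user
 * checker, scope -> ROLE_* mapping); this subclass only attaches a user when
 * the verified access token has none, i.e. for client_credentials grants.
 */
class OAuthProvider extends BaseOAuthProvider
{
    public function authenticate(TokenInterface $token)
    {
        $authenticated = parent::authenticate($token);

        // Unsupported token, or a user-bound token: nothing to do.
        if (!$authenticated instanceof OAuthToken || null !== $authenticated->getUser()) {
            return $authenticated;
        }

        // Second lookup of the bearer string the parent has just accepted, only
        // to read the client id (assumes $serverService is protected in the parent).
        $accessToken = $this->serverService->verifyAccessToken($authenticated->getToken());
        $clientId = (string) $accessToken->getClientId();

        // AbstractToken::setUser() keeps the "authenticated" flag when the
        // previous user was null, so the token stays authenticated here.
        $authenticated->setUser(new ClientCredentialsDummyUser($clientId));

        return $authenticated;
    }
}
```

Two caveats worth keeping in mind with this workaround: the dummy user is never loaded from a user provider, so it only behaves on a stateless firewall (which bearer-token firewalls normally are); and any voter or controller that casts getUser() to your real user entity should check instanceof first, because a client_credentials request will now present a ClientCredentialsDummyUser instead of null.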

@LeoAdamek

While it's definitely not an ideal solution, and it lacks some things I'd like to do with it, it does at least get around the issue.

@INHack20

+1

1 similar comment
@aanair08

+1


5 participants