Symfony2 FOSOAuthServerBundle authenticated but anonymous

Question

I'm trying to use FOSOAuthServerBundle.

From my ios application, I correctly get the token from /oauth/v2/token, I can see in my database the entry in AccessToken and RefreshToken with the correct user_id.

Opening the _profile, I can see I'm authenticated but I'm logged in as anonymous... why this is happening?

When trying to access /secured/api/me, I'm redirected to /login path...

Can somebody help me?

Here my security.yml

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_USER

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false
        oauth_authorize:
            pattern:    ^/oauth/v2/auth
#            form_login:
#                provider: fos_userbundle
#                check_path: /oauth/v2/auth_login_check
#                login_path: /oauth/v2/auth_login
            anonymous: true
        api:
            pattern:    ^/api
            fos_oauth:  true
            stateless:  true
            anonymous:    true

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /login
                check_path: /login_check
            oauth:
                resource_owners:
                    facebook:           "/login/check-facebook"
                    google:             "/login/check-google"
                login_path:        /login
                use_forward:       false
                failure_path:      /login

                oauth_user_provider:
                    #this is my custom user provider, created from FOSUBUserProvider - will manage the
                    #automatic user registration on your site, with data from the provider (facebook. google, etc.)
                    service: my_user_provider
            logout:       true
            anonymous:    true

        login:
            pattern:  ^/login$
            security: false

            remember_me:
                key: "%secret%"
                lifetime: 31536000 # 365 days in seconds
                path: /
                domain: ~ # Defaults to the current domain from $_SERVER

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/oauth/v2/auth, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/secured, role: [ IS_AUTHENTICATED_FULLY ] }

.

The path for your API firewall is set to ^/api and your access control is using ^/secured. — ggioffreda, Jun 28 '14 at 15:29

score 0 · Answer 1 · answered Apr 25 '15 at 11:56

I think you have in your security.yml, under the firewall 'api ' :

//...

    api :

    // ...

       stateless : true

    // ...

You have to send the access_token on every request.

Furthermore, if you want to get an authenticated access_token, you have to get it by a request with de parameter "grant_type=password". With this access_token, your server will recognize the user in each request.

Something like: PROVIDER_HOST/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=password&username=USERNAME&password=PASSWORD

(source: OAuth2 Explained: Part 3 - Using OAuth2 With Your Bare Hands)

Symfony2 FOSOAuthServerBundle authenticated but anonymous

1 Answers1