
Currently my project (Frontend and Backend both Symfony2) uses the HWIOAuthBundle for authentication via Google, etc.

Since I want to separate the frontend (AngularJS) from the backend, communication will rely on JSON data (so REST in general).

I'm facing the problem of how to achieve this with the HWIOAuthBundle. The Symfony documentation says something about stateless: true, but then HWIOAuthBundle doesn't work.

In addition, in the future I want to implement FOSUserBundle for new users (who don't authenticate via OAuth).

My questions:

1. How can I achieve stateless authentication with HWIOAuthBundle?
2. How should I achieve stateless authentication in general (HWIOAuthBundle and FOSUserBundle)?

The Symfony documentation says stateless authentication is done by always sending the username / password in each request. I think authentication via token is the better way (since in the OAuth context I don't have a username / password).

Hope my question is clear!

# app/config/security.yml

security:
    encoders:
        AppBundle\Entity\User:
            algorithm:        sha1
            encode_as_base64: false
            iterations:       1

    providers:
        my_custom_hwi_provider:
            id: amagin_user.oauth_user_provider
        in_memory:
            memory:
                users:
                    user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_USER

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        default:
            anonymous: ~
            http_basic: ~
            stateless:  false
            oauth:
                resource_owners:
                    google:             "/login/check-google"
                login_path:        /login
                use_forward:       false
                failure_path:      /login

                oauth_user_provider:
                    service: amagin_user.oauth_user_provider
            logout:
                path:   /logout
                target: /

    access_control:
        #- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/connect, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }
mcode

1 Answer

I've managed to configure an AngularJS client with Google oauth and a Symfony REST API.

Here is the security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_USER

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern: ^/login
            logout: true
            anonymous: ~
            stateless: true
            oauth:
                require_previous_session: false
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                check_path: /login_check
                resource_owners:
                    google: "/login/check-google"
                login_path: /login
                oauth_user_provider:
                    service: api.user_provider

        main:
            pattern: ^/api
            anonymous: ~
            stateless: true
            lexik_jwt: ~

    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, role: IS_AUTHENTICATED_FULLY }

config.yml:

hwi_oauth:
    connect:
        account_connector: api.user_provider
    firewall_names: [login]
    resource_owners:
        google:
            type:                google
            client_id:           "%google_app_id%"
            client_secret:       "%google_app_secret%"
            scope:               "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"

From the Angular side I'm using satellizer to get an authorization token, which is then sent to /login/check-google/, which sends back a JWT.

Notice the use of LexikJWTAuthenticationBundle to generate a JWT and secure the routes based on this token.

There is one unsolved issue though: satellizer does a POST request to get the access_token. It's an unexpected behavior for HWIOAuth (and makes no sense either), so I had to fork it. See the following issue.

DevAntoine