1

I'm trying to create REST API application with token-based authentication. Calling

/ouath2/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=client_credentials

returns access_token, it's ok.
However, when I'm trying to use it in the next api requests server raises exception with 'Full authentication is required to access this resource.' message. I tried several ways to use access_token: in the query (/api/action?access_token=ACCESS_TOKEN), in the header (Authorization: Bearer ACCESS_TOKEN) but all of them doesn't work.

Could you tell me what's wrong with my configuration?

part of my config.yml with FOSOAuthServerBundle && FOSUserBundle:

fos_user:
    db_driver: orm
    firewall_name: main
    user_class: AppBundle\Entity\User

fos_oauth_server:
    db_driver: orm
    client_class:        AppBundle\Entity\Client
    access_token_class:  AppBundle\Entity\AccessToken
    refresh_token_class: AppBundle\Entity\RefreshToken
    auth_code_class:     AppBundle\Entity\AuthCode
    service:
        user_provider: testApp.user.provider
        options:
            supported_scopes: user

security.yml:

    main:
        anonymous: ~
    oauth_token:
        pattern:    ^/oauth/v2/token
        security:   false

    api:
        pattern:    ^/api
        fos_oauth:  true
        stateless:  true
        anonymous:  false # can be omitted as its default value

access_control:
    - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
Nate Barbettini
  • 51,256
  • 26
  • 134
  • 147
igoodwin
  • 41
  • 2
  • 6
  • I solve this issue with next approach: 1. remove access_control: and next lines from security.yml 2. Append access_token to api calling. API Controller action checks if access_token exists and looking for client with this token. 3. Set status code unauthorized If client not found and exit or continue action execution. – igoodwin Sep 30 '15 at 06:15

0 Answers0