
I want to connect my angular2 frontend app with a symfony backend. So I'm using FOSOAuthServerBundle (https://github.com/FriendsOfSymfony/FOSOAuthServerBundle) to authorize my frontend app, but I don't clearly understand how to implement this.

  1. I tried the "token" endpoint method, but there I had to send client_id and client_secret from my angular2 app. And I think it's bad to store client_secret in public.

  2. The "Authorize" endpoint doesn't use client_secret, but it demands a login form, which is not good for my case.

  3. I tried a custom grant extension, but FOSOAuthServerBundle also requires validating the client with client_secret.

What is the best practice to authorize angular2 with symfony? Is it ok to store client_secret in the frontend? Or should I extend FOSOAuthServerBundle and remove the client_secret check?

Emptyhand
  • Need more information. A code snippet if possible. – Partha Sarathi Ghosh Mar 20 '17 at 07:56
  • Since FOSOAuthServerBundle does not fit SPA requirements, I decided to search for another bundle, and found a pretty good solution for SPA authentication with Symfony: https://github.com/lexik/LexikJWTAuthenticationBundle – Emptyhand Mar 25 '17 at 09:32

2 Answers


You're correct about client_secret. It's not valid practice to publish a secret key more widely.

Unfortunately at this moment FOSOAuthBundle is not suitable for your needs. This bundle focuses only on backend OAuth clients. They have an open issue on github to add support for public clients: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/266

One thing to clarify regarding the token & authorize endpoints: the token and authorize endpoints have to be combined in the process of accessing your resource. I suggest you read the whole RFC to understand the process of authorization with OAuth: https://www.rfc-editor.org/rfc/rfc6749

michail_w
  • Thanks for the answer! Could you suggest which symfony bundle I should use for my case of authentication (public client/javascript)? – Emptyhand Mar 20 '17 at 08:28
  • Unfortunately there are not many bundles which provide an OAuth server. From my experience, there is no bundle dedicated to Symfony which allows public clients. I am using this bundle for my apps https://packagist.org/packages/bshaffer/oauth2-server-php with a little tuning. – michail_w Mar 20 '17 at 08:31
  • What about the solution where I extend FOSOAuthServerBundle and skip client_secret validation? Would it be wrong? :) – Emptyhand Mar 20 '17 at 08:49
  • If you do it the proper way (fork, change, publish changes on packagist), it can be a solution for you. – michail_w Mar 20 '17 at 09:30
  • @michail_w is right: at the moment the FOS bundle is not suitable for public clients. A new bundle is in development and should fix that: https://github.com/OAuth2-Framework/server-bundle – IZio Mar 22 '17 at 09:18
Hacky solution: in src/Entity/OAuth2/Client.php you can override the checkSecret method like this:

    // src/Entity/OAuth2/Client.php, in the Client entity that extends the bundle's base Client
    public function checkSecret($secret)
    {
        // Skip the secret check for any client allowed the authorization_code grant;
        // every other client still has its secret verified by the parent class.
        if (in_array('authorization_code', $this->getAllowedGrantTypes(), true)) {
            return true;
        }

        return parent::checkSecret($secret);
    }
Phreno
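The first answer's point that the authorize and token endpoints are two halves of one flow, and the second answer's checkSecret override, both come down to the same question: what does the server check at /token when the client has no secret? The override above answers "nothing", and it does so for every client allowed the authorization_code grant, confidential backend clients included. The following is an added example for this thread, not code from FOSOAuthServerBundle, the question's app or either answer. It models the RFC 6749 section 4.1 exchange with the client type decided per registered client, and it goes beyond the page by adding the PKCE verifier check (RFC 7636), which is the standard replacement for a secret on public clients. The client registry, in-memory code store, client ids, redirect URIs and secret value are all constructed assumptions.

```python
"""Authorization-code exchange (RFC 6749 section 4.1) with a public client.

Added example for this thread, not code from FOSOAuthServerBundle, the
question's app or either answer. The client registry, the in-memory code
store and the PKCE (RFC 7636) check are simplifying assumptions; a real
server persists codes, authenticates the user and serves these over HTTPS.
"""
import base64
import hashlib
import secrets
import time

# Constructed registry: a confidential client holds a secret; the public
# client (the SPA) is identified only by client_id and its registered redirect_uri.
CLIENTS = {
    "spa-frontend": {"public": True, "secret": None,
                     "redirect_uris": ["https://app.example/callback"]},
    "backend-worker": {"public": False, "secret": "s3cr3t-backend",
                       "redirect_uris": ["https://worker.example/cb"]},
}

CODE_TTL = 60   # seconds an authorization code stays valid
_codes = {}     # code -> binding recorded when /authorize issued it


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize(client_id, redirect_uri, user, code_challenge=None, now=None):
    """/authorize, after the user has logged in and consented.

    Returns a short-lived, single-use code bound to client_id, redirect_uri
    and (for public clients) the PKCE challenge, or None on a bad request.
    """
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None
    if client["public"] and not code_challenge:
        return None  # no secret to fall back on, so PKCE is mandatory
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "challenge": code_challenge,
                    "expires": now + CODE_TTL}
    return code


def token(client_id, code, redirect_uri, client_secret=None,
          code_verifier=None, now=None):
    """/token (RFC 6749 section 4.1.3).

    A confidential client authenticates with client_secret. A public client
    cannot, so the server instead checks that the code was issued to this
    client_id for this redirect_uri, is unexpired and unused, and that the
    caller knows the PKCE verifier behind the challenge sent to /authorize.
    """
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    if not client["public"]:
        if client_secret is None or not secrets.compare_digest(
                client_secret, client["secret"]):
            return {"error": "invalid_client"}
    # Single use: the code is consumed even if the remaining checks fail.
    entry = _codes.pop(code, None)
    if entry is None or entry["expires"] <= now:
        return {"error": "invalid_grant"}
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    if client["public"]:
        if not code_verifier:
            return {"error": "invalid_grant"}
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
        if not secrets.compare_digest(expected, entry["challenge"]):
            return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "bearer", "user": entry["user"]}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    code = authorize("spa-frontend", "https://app.example/callback",
                     "alice", code_challenge=challenge)
    print(token("spa-frontend", code, "https://app.example/callback",
                code_verifier=verifier))
```

The point of the `public` flag is that the decision is made per registered client rather than per grant type: the SPA never sends a secret and is held to the code binding plus PKCE, while the backend client still has to present its secret, which the override in the answer above would let it skip. A code issued to the SPA is also refused when the backend client tries to redeem it with a valid secret, because the code is bound to the client_id it was issued to.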