As the name implies, I'm going to use Facebook, Google, and GitHub authentication with the JWT authenticator (LexikJWT).
Before I start, I want to know how I can use them. Can both of them be used to protect the API?
If so, how should my security configuration look, assuming I'm using the default configurations?
Here is the current security.yml:

```yaml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    acl:
        connection: default

    access_decision_manager:
        strategy: affirmative

    role_hierarchy:
        ROLE_SALES_NOTIFICATIONS: [ ROLE_SALES_NOTIFICATIONS ]
        # FULL CONTROL
        ROLE_ADMIN:       [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        # Disabling the security for the web debug toolbar, the profiler and Assetic.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # -> custom firewall for the admin area of the URL
        admin:
            pattern: /admin(.*)
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
                success_handler: admin_success_handler
            logout:
                path: /admin/logout
            anonymous: true

        # Custom firewall for api area
        api_login:
            pattern: ^/api/auth
            stateless: true
            anonymous: true
            provider: fos_userbundle
            form_login:
                check_path: /api/auth/check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false

        api:
            pattern: ^/api/v\d+\.\d+/
            methods: [ POST, PUT ]
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

        api_doc:
            pattern: ^/api/doc
            stateless: true
            anonymous: true
        # -> end custom configuration

        # default login area for standard users
        # This firewall is used to handle the public login area
        # This part is handled by the FOS User Bundle
        main:
            pattern: .*
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /login
                use_forward: false
                check_path: /login_check
                failure_path: null
            logout: true
            anonymous: true

    access_control:
        # URLs of FOSUserBundle which need to be available to anonymous users
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Admin login page needs to be accessible without credentials
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Secured part of the site
        # This config requires being logged in for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
        - { path: ^/user/, role: [ROLE_USER] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/auth/me, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/api/v\d+\.\d+/, roles: IS_AUTHENTICATED_FULLY }
```
I think using both of them as security providers will lead to errors. Is that right?
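As an added example (not part of the question, and not Symfony or LexikJWT code), here is a small Python audit that replays Symfony's documented first-match semantics over the firewalls and access_control entries from the security.yml above: one active firewall per request (the first whose pattern, an unanchored regex search, and optional methods list match) and one enforced access_control entry (the first whose path matches). It shows which firewall and which rule actually decide a given request, and which rules can never fire; the ANON/FULLY aliases and the probe paths are constructed for this check.

```python
import re
ANON, FULLY = "IS_AUTHENTICATED_ANONYMOUSLY", "IS_AUTHENTICATED_FULLY"
# Firewalls and access_control entries copied from the security.yml above, in file order.
FIREWALLS = [
    ("dev",       r"^/(_(profiler|wdt)|css|images|js)/", None),
    ("admin",     r"/admin(.*)",                          None),
    ("api_login", r"^/api/auth",                          None),
    ("api",       r"^/api/v\d+\.\d+/",                    {"POST", "PUT"}),
    ("api_doc",   r"^/api/doc",                           None),
    ("main",      r".*",                                  None),
]
ACCESS_CONTROL = [
    (r"^/login$", [ANON]),
    (r"^/register", [ANON]),
    (r"^/resetting", [ANON]),
    (r"^/admin/login$", [ANON]),
    (r"^/admin/logout$", [ANON]),
    (r"^/admin/login_check$", [ANON]),
    (r"^/assets/", [ANON]),
    (r"^/uploads/", [ANON]),
    (r"^/admin/", ["ROLE_ADMIN", "ROLE_SONATA_ADMIN"]),
    (r"^/user/", ["ROLE_USER"]),
    (r"^/.*", [ANON]),
    (r"^/api/auth", [ANON]),
    (r"^/api/auth/me", [FULLY]),
    (r"^/api/v\d+\.\d+/", [FULLY]),
]

def matching_firewall(method, path):
    """First firewall whose pattern (unanchored regex search) and optional methods match."""
    for name, pattern, methods in FIREWALLS:
        if re.search(pattern, path) and (methods is None or method in methods):
            return name
    return None

def required_role(path):
    """Only the first access_control entry whose path matches is enforced."""
    for pattern, roles in ACCESS_CONTROL:
        if re.search(pattern, path):
            return roles
    return None

def unreachable_rules(probe_paths):
    """Entries that decide no probe path because an earlier entry always matches first."""
    dead = []
    for i, (pattern, _) in enumerate(ACCESS_CONTROL):
        own = [p for p in probe_paths if re.search(pattern, p)]
        if own and all(any(re.search(e, p) for e, _ in ACCESS_CONTROL[:i]) for p in own):
            dead.append(pattern)
    return dead
```

Running `unreachable_rules` with a few API probe paths reports the three trailing `^/api/...` entries as dead because the catch-all `^/.*` entry precedes them, and `matching_firewall("GET", "/api/v1.0/orders")` lands on `main` rather than `api` because that firewall only lists POST and PUT.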