How to work with ROLES and FOSOAuthServerBundle scopes

I have a basic API that authenticates users using FOSOAuthServerBundle. Users can have the roles ROLE_USER and ROLE_ADMIN. Based on the FOSOAuthServerBundle docs, the default behavior is to use scopes as roles, so I thought that when I have a regular user, the bundle would return scope: user in the response, and when the user is an administrator, scope: admin would be returned. But this is not so. The bundle returns everything that is configured in the supported_scopes entry. Below is my config.yml.

```yaml
fos_oauth_server:
    service:
        options:
            supported_scopes: user admin
```

My access_control section in security.yml is empty, and my firewalls section is below:

```yaml
firewalls:
    users_create:
        pattern: ^/v1/users
        methods: [POST]
        security: false
    api:
        pattern: ^/
        security: true
        fos_oauth: true
        stateless: true
access_control:
    # You can omit this if /api can be accessed both authenticated and anonymously
```

Thus, the bundle always returns user admin as the scope even if the user does not have the ROLE_ADMIN role.

```json
{
    "access_token": "ZGQ2ODE5ZjAzNTZkOWY0OWMyNmZmODE4MjcwZTJmYjExNzY0NzQxOTRmMzk4NzA2Mjc2NjIyZmY1ZDgwMzk4NA",
    "expires_in": 3600,
    "token_type": "bearer",
    "scope": "user admin",
    "refresh_token": "NmM5ZGFmNzBiNTNjYmQzMTQ1MTk0ODJjOTAxMWU0YWIwMzM1MzgyODg4ZTAzNTI5ZTk2MDc3OGU2MTg0MWZiMA"
}
```

What am I missing? Isn't the user role associated with the token scope? Is there a better way to find out if my user is an administrator or not?

+5
3 answers

From the doc, the default behavior is to map scopes to roles. In your case, the roles will be ROLE_USER and ROLE_ADMIN.

Now, to restrict access, edit your security.yml file like this:

```yaml
# app/config/security.yml
security:
    access_control:
        - { path: ^/api/super/secured, role: ROLE_ADMIN }
        - { path: ^/api/general, role: ROLE_USER }
```

To restrict access to the controller, you can use this:

```php
if ($this->get('security.context')->isGranted('ROLE_ADMIN')) {
    // the user has the ROLE_ADMIN role, so act accordingly
}
```

Again from the doc:

Clients will now be able to pass a scope parameter when they request an access token.

Hope this helps.

UPDATE:

Look at this answer to a similar question, and this article on setting up FOSOAuthServerBundle. Pay particular attention to the configuration part.

+2

FOSOAuthServerBundle authenticates your user based on the token, so you don't need to worry about scopes, only about roles. Inside your controller, you can call $this->getUser() to get the currently authenticated user. If this works, check isGranted.

http://symfony.com/doc/current/book/security.html

```php
public function helloAction($name)
{
    // The second parameter is used to specify on what object the role is tested.
    $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

    // Old way:
    // if (false === $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
    //     throw $this->createAccessDeniedException('Unable to access this page!');
    // }

    // ...
}
```

In case $this->getUser() does not work, you need to set fetch to EAGER for the AccessToken object.

```php
use Doctrine\ORM\Mapping as ORM;
use FOS\OAuthServerBundle\Entity\AccessToken as BaseAccessToken;

/**
 * @ORM\Entity
 */
class AccessToken extends BaseAccessToken
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * @ORM\ManyToOne(targetEntity="AppBundle\Entity\Client")
     * @ORM\JoinColumn(nullable=false)
     */
    protected $client;

    /**
     * Loaded eagerly so that the user is available as soon as the token is.
     *
     * @ORM\ManyToOne(targetEntity="AppBundle\Entity\User", fetch="EAGER")
     */
    protected $user;
}
```

+1
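As an added example (not code from the thread or the bundle), a Symfony controller that exposes the authenticated user's roles to the client and guards an admin-only action by role, never by the "scope" string of the token response; the class name, route paths and the `AppBundle` namespace are assumed, and routing is assumed to be configured elsewhere.

```php
<?php
// src/AppBundle/Controller/AccountController.php (assumed path)
namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;

class AccountController extends Controller
{
    /**
     * GET /v1/me (assumed route): tells the client who the token belongs to and
     * whether that user is an administrator. The "scope" field of the token
     * response only echoes supported_scopes, so it must not be used for this.
     */
    public function meAction()
    {
        // The "api" firewall (fos_oauth: true) has already validated the bearer
        // token and attached the token's user to the security token.
        $user = $this->getUser();
        if (null === $user) {
            // Only reachable if the firewall let an anonymous request through.
            throw $this->createAccessDeniedException('A valid access token is required.');
        }

        return new JsonResponse(array(
            'username' => $user->getUsername(),
            'roles'    => $user->getRoles(),
            // isGranted() consults the role hierarchy, so a role that inherits
            // ROLE_ADMIN is reported correctly here as well.
            'is_admin' => $this->isGranted('ROLE_ADMIN'),
        ));
    }

    /**
     * GET /v1/admin/users (assumed route): admin-only. The decision is made on
     * the user's roles server-side, regardless of what scope the client holds.
     */
    public function listUsersAction()
    {
        $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Administrator role required.');

        // ... build the list for administrators
        return new JsonResponse(array('users' => array()));
    }
}
```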

There is an issue on GitHub dating back to 2013 about this. If you read the issue and follow the links, you will end up with a user, Spomky, creating his own library and Symfony bundle and being offered a maintainer role for FOSOAuthServerBundle. It seems that the FOS organization will integrate Spomky's work into the next major version of FOSOAuthServerBundle when it is stable.

+1

Source: https://habr.com/ru/post/1240556/
