/**
  * {@inheritdoc}
  *
  * Exchanges the bearer token string carried by $token for an authenticated
  * OAuthToken. The roles are the resolved user's roles (when the access token
  * is bound to a user) plus one "ROLE_<SCOPE>" entry per space-separated scope
  * on the access token.
  *
  * NOTE(review): no UserChecker pre/post-auth checks run in this variant, so
  * account-status restrictions on the resolved user are not enforced by this
  * provider — confirm that is intended.
  *
  * @return OAuthToken|null null when the token is not supported by this provider
  *
  * @throws AuthenticationException when the access token cannot be verified
  */
 public function authenticate(TokenInterface $token)
 {
     if (!$this->supports($token)) {
         return null;
     }

     try {
         $tokenString = $token->getToken();
         $accessToken = $this->serverService->verifyAccessToken($tokenString);

         if ($accessToken) {
             $scope = $accessToken->getScope();
             $user = $accessToken->getUser();

             $roles = (null === $user) ? array() : $user->getRoles();
             if (!empty($scope)) {
                 // Each scope becomes an upper-cased ROLE_* entry appended to the user roles.
                 foreach (explode(' ', $scope) as $scopeName) {
                     $roles[] = 'ROLE_' . strtoupper($scopeName);
                 }
             }

             $authenticated = new OAuthToken($roles);
             $authenticated->setAuthenticated(true);
             $authenticated->setToken($tokenString);
             if (null !== $user) {
                 $authenticated->setUser($user);
             }

             return $authenticated;
         }
     } catch (OAuth2ServerException $e) {
         // The server exception is kept as the previous exception so that the
         // listener can still reach its HTTP response.
         throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
     }

     throw new AuthenticationException('OAuth2 authentication failed');
 }
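 /**
  * Handles the kernel request: authenticates the bearer token carried by the
  * request, or falls back to cookie-based authentication when no bearer token
  * is present.
  *
  * On success the resulting token is stored in the security context; a Response
  * returned by the authentication manager is installed on the event instead.
  * On AuthenticationException the HTTP response of the wrapped server
  * exception (if any) is installed on the event.
  *
  * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
  *
  * @return void
  */
 public function handle(GetResponseEvent $event)
 {
     $oauthToken = $this->serverService->getBearerToken($event->getRequest(), true);

     if (null === $oauthToken) {
         // No bearer token: fall back to the regular (cookie) authentication path.
         $cookieToken = $this->handleCookie($event);
         if ($cookieToken) {
             $this->securityContext->setToken($cookieToken);
             return;
         }
         // No cookie token either: the null bearer token is still run through the
         // authentication manager below so that the failure surfaces as a response
         // (this matches the original control flow).
     }

     $token = new OAuthToken();
     $token->setToken($oauthToken);

     try {
         // Exactly one authenticate() call, and it must sit inside the try: the
         // original code issued a second, unguarded call before this block, which
         // both duplicated the work and let an AuthenticationException escape.
         $returnValue = $this->authenticationManager->authenticate($token);
         if ($returnValue instanceof TokenInterface) {
             $this->securityContext->setToken($returnValue);
             return;
         }
         if ($returnValue instanceof Response) {
             $event->setResponse($returnValue);
             return;
         }
     } catch (AuthenticationException $e) {
         // NOTE(review): assumes the previous exception exposes getHttpResponse()
         // (true for the OAuth2 server exceptions the provider wraps) — confirm.
         $previous = $e->getPrevious();
         if (null !== $previous) {
             $event->setResponse($previous->getHttpResponse());
         }
     }
 }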
 /**
  * {@inheritdoc}
  *
  * Verifies the bearer token carried by $token, loads the owning user from the
  * entity manager, runs the UserChecker pre/post-auth checks and returns an
  * authenticated OAuthToken whose roles are the user's roles plus one
  * "ROLE_<SCOPE>" entry per space-separated scope on the access token.
  *
  * NOTE(review): the checker's message is forwarded as the OAuth2 error
  * description and therefore reaches the client — confirm that is acceptable.
  *
  * @return OAuthToken|null null when the token is not supported by this provider
  *
  * @throws AuthenticationException when verification fails or an account-status check fails
  */
 public function authenticate(TokenInterface $token)
 {
     /** @var OAuthToken $token */
     if (!$this->supports($token)) {
         return null;
     }

     try {
         $tokenString = $token->getToken();
         /** @var AccessToken $accessToken */
         $accessToken = $this->serverService->verifyAccessToken($tokenString);

         if ($accessToken) {
             $userRepository = $this->entityManager->getRepository(ClassPath::USER);
             $scope = $accessToken->getScope();
             /** @var User $user */
             $user = $userRepository->find($accessToken->getUserId());

             if (!empty($user)) {
                 try {
                     $this->userChecker->checkPreAuth($user);
                 } catch (AccountStatusException $e) {
                     // Account-status failures are reported as an OAuth2 access_denied
                     // error (HTTP 401 with a bearer challenge for the configured realm).
                     throw new OAuth2AuthenticateException(
                         OAuth2::HTTP_UNAUTHORIZED,
                         OAuth2::TOKEN_TYPE_BEARER,
                         $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                         'access_denied',
                         $e->getMessage()
                     );
                 }
                 $token->setUser($user);
             }

             $roles = (null === $user) ? array() : $user->getRoles();
             if (!empty($scope)) {
                 foreach (explode(' ', $scope) as $scopeName) {
                     $roles[] = 'ROLE_' . strtoupper($scopeName);
                 }
             }

             $authenticated = new OAuthToken($roles);
             $authenticated->setAuthenticated(true);
             $authenticated->setToken($tokenString);

             if (null !== $user) {
                 try {
                     $this->userChecker->checkPostAuth($user);
                 } catch (AccountStatusException $e) {
                     throw new OAuth2AuthenticateException(
                         OAuth2::HTTP_UNAUTHORIZED,
                         OAuth2::TOKEN_TYPE_BEARER,
                         $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                         'access_denied',
                         $e->getMessage()
                     );
                 }
                 $authenticated->setUser($user);
             }

             return $authenticated;
         }
     } catch (OAuth2ServerException $e) {
         // Symfony 2.1's AuthenticationException took (message, token, code, previous);
         // later versions take (message, code, previous).
         if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
             // Symfony 2.1
             throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
         }
         throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
     }

     throw new AuthenticationException('OAuth2 authentication failed');
 }
 /**
  * {@inheritdoc}
  *
  * Verifies the bearer token carried by $token, runs the UserChecker pre/post-auth
  * checks on the bound user (if any) and returns an authenticated OAuthToken.
  * Scope-derived "ROLE_<SCOPE>" roles are granted only when the access token is
  * not bound to a user (see the comment in the body); the role list is
  * de-duplicated before the token is built.
  *
  * NOTE(review): the checker's message is forwarded as the OAuth2 error
  * description and therefore reaches the client — confirm that is acceptable.
  *
  * @return OAuthToken|null null when the token is not supported by this provider
  *
  * @throws AuthenticationException when verification fails or an account-status check fails
  */
 public function authenticate(TokenInterface $token)
 {
     if (!$this->supports($token)) {
         return null;
     }

     try {
         $tokenString = $token->getToken();
         $accessToken = $this->serverService->verifyAccessToken($tokenString);

         if ($accessToken) {
             $scope = $accessToken->getScope();
             $user = $accessToken->getUser();

             if (null !== $user) {
                 try {
                     $this->userChecker->checkPreAuth($user);
                 } catch (AccountStatusException $e) {
                     // Account-status failures are reported as an OAuth2 access_denied
                     // error (HTTP 401 with a bearer challenge for the configured realm).
                     throw new OAuth2AuthenticateException(
                         OAuth2::HTTP_UNAUTHORIZED,
                         OAuth2::TOKEN_TYPE_BEARER,
                         $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                         'access_denied',
                         $e->getMessage()
                     );
                 }
                 $token->setUser($user);
             }

             $roles = (null === $user) ? array() : $user->getRoles();

             /*
              * Deliberate deviation from the base provider: scope roles are only
              * granted when the token is NOT bound to a user. fos-oauth2-lib does not
              * support per-client scopes
              * (https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/201),
              * so granting scope roles to user-bound tokens would hand e.g. the admin
              * role to every user whenever an "admin" scope is supported and none is
              * requested. The workaround is two clients: one granting the password
              * (and refresh) types, which requires a user, and one granting the rest.
              */
             if (!$user && !empty($scope)) {
                 foreach (explode(' ', $scope) as $scopeName) {
                     $roles[] = 'ROLE_' . strtoupper($scopeName);
                 }
             }
             $roles = array_unique($roles, SORT_REGULAR);

             $authenticated = new OAuthToken($roles);
             $authenticated->setAuthenticated(true);
             $authenticated->setToken($tokenString);

             if (null !== $user) {
                 try {
                     $this->userChecker->checkPostAuth($user);
                 } catch (AccountStatusException $e) {
                     throw new OAuth2AuthenticateException(
                         OAuth2::HTTP_UNAUTHORIZED,
                         OAuth2::TOKEN_TYPE_BEARER,
                         $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                         'access_denied',
                         $e->getMessage()
                     );
                 }
                 $authenticated->setUser($user);
             }

             return $authenticated;
         }
     } catch (OAuth2ServerException $e) {
         // Symfony 2.1's AuthenticationException took (message, token, code, previous);
         // later versions take (message, code, previous).
         if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
             // Symfony 2.1
             throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
         }
         throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
     }

     throw new AuthenticationException('OAuth2 authentication failed');
 }
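 /**
  * Authenticates the raw bearer token $oauthToken through the authentication
  * manager. On success the resulting token is stored in the security context;
  * a Response returned by the manager is installed on the event instead. On
  * AuthenticationException the HTTP response of the wrapped server exception
  * (if any) is installed on the event.
  *
  * @param GetResponseEvent $event      The kernel request event.
  * @param string|null      $oauthToken The raw bearer token string.
  *
  * @return void
  */
 private function tryOauthAuth(GetResponseEvent $event, $oauthToken)
 {
     $token = new OAuthToken();
     $token->setToken($oauthToken);

     try {
         // Exactly one authenticate() call, and it must sit inside the try: the
         // original code issued a second, unguarded call before this block, which
         // both duplicated the work and let an AuthenticationException escape.
         $returnValue = $this->authenticationManager->authenticate($token);
         if ($returnValue instanceof TokenInterface) {
             $this->securityContext->setToken($returnValue);
             return;
         }
         if ($returnValue instanceof Response) {
             $event->setResponse($returnValue);
             return;
         }
     } catch (AuthenticationException $e) {
         // NOTE(review): assumes the previous exception exposes getHttpResponse()
         // (true for the OAuth2 server exceptions the provider wraps) — confirm.
         $previous = $e->getPrevious();
         if (null !== $previous) {
             $event->setResponse($previous->getHttpResponse());
         }
     }
 }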
 /**
  * An access token with an empty scope and no bound user must still
  * authenticate: the result is an authenticated token with no user and no roles.
  */
 public function testAuthenticateWithEmptyScope()
 {
     $tokenString = 'x';

     $accessToken = new AccessToken();
     $accessToken->setScope('');

     $this->serverService
         ->expects($this->once())
         ->method('verifyAccessToken')
         ->with($tokenString)
         ->will($this->returnValue($accessToken));

     $incoming = new OAuthToken();
     $incoming->setToken($tokenString);

     $authenticated = $this->provider->authenticate($incoming);

     $this->assertNull($authenticated->getUser());
     $this->assertTrue($authenticated->isAuthenticated());
     $this->assertCount(0, $authenticated->getRoles());
 }