Per the Bearer spec (draft 8, section 2), there are three ways for a client
to supply the bearer token, listed in order of preference: the Authorization header,
POST and GET.
NB: Resource servers MUST accept tokens via the Authorization scheme
(http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2).
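/**
 * Authenticate the incoming request.
 *
 * Reads the bearer token from the request; when none is present, falls back to
 * the regular cookie-based path via handleCookie(). The bearer token (or, when
 * the cookie fallback yields nothing, a null token) is wrapped in an OAuthToken
 * and handed to the authentication manager.
 *
 * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
 *
 * @return void
 */
public function handle(GetResponseEvent $event)
{
    // `true` asks the server service to strip the token from the request once read.
    $oauthToken = $this->serverService->getBearerToken($event->getRequest(), true);

    if (null === $oauthToken) {
        // No bearer token: try the regular (cookie) authentication first.
        $token = $this->handleCookie($event);
        if ($token) {
            $this->securityContext->setToken($token);

            return;
        }
        // NOTE(review): falls through with a null token so the authentication
        // manager decides how an unauthenticated request is treated — confirm intended.
    }

    $token = new OAuthToken();
    $token->setToken($oauthToken);

    // Authenticate exactly once, inside the try. The previous version called
    // authenticate() a second time outside the try, so a failure on that first
    // call escaped the catch below and never produced the OAuth error response.
    try {
        $returnValue = $this->authenticationManager->authenticate($token);

        if ($returnValue instanceof TokenInterface) {
            $this->securityContext->setToken($returnValue);

            return;
        }

        if ($returnValue instanceof Response) {
            $event->setResponse($returnValue);

            return;
        }
    } catch (AuthenticationException $e) {
        // The wrapped (previous) exception is expected to carry the HTTP response
        // to send; presumably the provider always wraps an exception exposing
        // getHttpResponse() — verify, as any other type would fail here.
        if (null !== ($p = $e->getPrevious())) {
            $event->setResponse($p->getHttpResponse());
        }
    }
}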
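/**
 * Authenticate the incoming request.
 *
 * With a bearer token present, only the OAuth path is tried. Without one, the
 * non-OAuth mechanisms are attempted in order: cookie, HTTP authentication,
 * and finally anonymous.
 *
 * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
 *
 * @return void
 */
public function handle(GetResponseEvent $event)
{
    // `true` asks the server service to strip the bearer token from the request once read.
    // (The unused `$request` local of the previous version is dropped.)
    $oauthToken = $this->serverService->getBearerToken($event->getRequest(), true);

    if (null !== $oauthToken) {
        $this->tryOauthAuth($event, $oauthToken);

        return;
    }

    // No bearer token: fall back through the non-OAuth mechanisms in order.
    if ($this->tryCookieAuth($event)) {
        return;
    }

    if ($this->tryHTTPAuth($event)) {
        return;
    }

    $this->authenticateAnonymous();
}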
/**
 * Checks that getBearerToken() returns the expected token (or throws the
 * expected exception) and, when asked to, strips the token from the request.
 *
 * @dataProvider getTestGetBearerTokenData
 *
 * @param Request     $request          Request under test.
 * @param mixed       $token            Token getBearerToken() is expected to return.
 * @param bool        $remove           Whether the token should be removed from the request.
 * @param string|null $exception        Expected exception class, or null when none is expected.
 * @param string|null $exceptionMessage Not used by this test; kept for data-provider compatibility.
 * @param mixed       $headers          Expected response headers carried by the exception.
 * @param mixed       $body             Expected response body carried by the exception.
 */
public function testGetBearerToken(Request $request, $token, $remove = false, $exception = null, $exceptionMessage = null, $headers = null, $body = null)
{
    $storage = $this->getMock('OAuth2\\IOAuth2Storage');
    $server = new OAuth2($storage);

    try {
        $actual = $server->getBearerToken($request, $remove);
        $this->assertSame($token, $actual);

        if ($exception) {
            $this->fail('The expected exception OAuth2ServerException was not thrown');
        }

        if (!$remove) {
            return;
        }

        // Removal must clear the token from every location the client may have put it in.
        $this->assertNull($request->headers->get('AUTHORIZATION'));
        $this->assertNull($request->query->get('access_token'));
        $this->assertNull($request->request->get('access_token'));
    } catch (\Exception $e) {
        // Anything other than the expected exception type (including assertion
        // failures raised above) propagates unchanged.
        $isExpected = $exception && $e instanceof $exception;
        if (!$isExpected) {
            throw $e;
        }

        $this->assertSame($headers, $e->getResponseHeaders());
        $this->assertSame($body, $e->getResponseBody());
    }
}
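<?php
/**
 * @file
 * Sample protected resource.
 *
 * Obviously not production-ready code, just simple and to the point.
 *
 * In reality, you'd probably use a nifty framework to handle most of the crud for you.
 */

use OAuth2\OAuth2;
use OAuth2\OAuth2ServerException;

require 'lib/bootstrap.php';

// OAuth2StoragePDO and newPDO() are presumably provided by lib/bootstrap.php.
$oauth = new OAuth2(new OAuth2StoragePDO(newPDO()));

try {
    $token = $oauth->getBearerToken();
    $oauth->verifyAccessToken($token);
} catch (OAuth2ServerException $oauthError) {
    $oauthError->sendHttpResponse();
    // Fail closed: do not depend on sendHttpResponse() terminating the script.
    // If it returned, execution would fall through and render the protected
    // content below to a client whose token was just rejected.
    exit;
}

// With a particular scope, you'd do:
// $oauth->verifyAccessToken("scope_name");
?>
<html>
<head>
<title>Hello!</title>
</head>
<body>
<p>This is a secret.</p>
</body>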