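/**
 * {@inheritdoc}
 *
 * Exchanges the bearer token string carried by $token for an authenticated
 * OAuthToken. When the access token is bound to a user, the roles are the
 * user's own roles; when it is not (client-only token), every scope granted
 * to the access token is mapped to a ROLE_<SCOPE> role. Scope grants on
 * user-less clients therefore act directly as authorization roles and need
 * to be reviewed with that in mind.
 *
 * @return OAuthToken|null Null when $token is not supported by this provider.
 *
 * @throws AuthenticationException When the access token cannot be verified or
 *                                 the user account fails the pre/post checks.
 */
public function authenticate(TokenInterface $token)
{
    if (!$this->supports($token)) {
        return;
    }

    try {
        $tokenString = $token->getToken();
        $accessToken = $this->serverService->verifyAccessToken($tokenString);

        if ($accessToken) {
            $scope = $accessToken->getScope();
            $user = $accessToken->getUser();

            if (null !== $user) {
                try {
                    $this->userChecker->checkPreAuth($user);
                } catch (AccountStatusException $e) {
                    // Presumably re-caught by the OAuth2ServerException catch below
                    // and wrapped into an AuthenticationException — TODO confirm.
                    throw new OAuth2AuthenticateException(
                        OAuth2::HTTP_UNAUTHORIZED,
                        OAuth2::TOKEN_TYPE_BEARER,
                        $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                        'access_denied',
                        $e->getMessage()
                    );
                }
                $token->setUser($user);
            }

            $roles = null !== $user ? $user->getRoles() : array();

            /*
             * This is the only modification from the base class.
             * Scopes are only turned into roles when no user is attached to
             * the access token. Otherwise, if the "admin" scope is supported,
             * everyone becomes admin when no scope is requested, because
             * fos-oauth2-lib does not support per-client scopes
             * (https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/201).
             * The workaround is two clients: one which grants the password
             * (and refresh) types and therefore requires a user
             * authentication, and one which grants pretty much all the rest.
             */
            if (null === $user && !empty($scope)) {
                // Drop empty entries produced by repeated or leading/trailing
                // spaces so that no bare "ROLE_" role is ever granted.
                foreach (array_filter(explode(' ', $scope), 'strlen') as $role) {
                    $roles[] = 'ROLE_' . strtoupper($role);
                }
            }

            // SORT_REGULAR keeps object roles comparable without a string cast.
            $roles = array_unique($roles, SORT_REGULAR);

            $authenticatedToken = new OAuthToken($roles);
            $authenticatedToken->setAuthenticated(true);
            $authenticatedToken->setToken($tokenString);

            if (null !== $user) {
                try {
                    $this->userChecker->checkPostAuth($user);
                } catch (AccountStatusException $e) {
                    throw new OAuth2AuthenticateException(
                        OAuth2::HTTP_UNAUTHORIZED,
                        OAuth2::TOKEN_TYPE_BEARER,
                        $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                        'access_denied',
                        $e->getMessage()
                    );
                }
                $authenticatedToken->setUser($user);
            }

            return $authenticatedToken;
        }
    } catch (OAuth2ServerException $e) {
        // Symfony 2.1's AuthenticationException has a different constructor
        // signature (detected by the absence of setToken()); the previous
        // exception goes in the slot that version expects.
        if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
            // Symfony 2.1
            throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
        }

        throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
    }

    // verifyAccessToken() returned a falsy value without throwing.
    throw new AuthenticationException('OAuth2 authentication failed');
}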
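/**
 * {@inheritdoc}
 *
 * Exchanges the bearer token string carried by $token for an authenticated
 * OAuthToken. The resulting roles are the user's own roles (when the access
 * token is bound to a user) plus one ROLE_<SCOPE> role for every scope
 * granted to the access token, whether or not a user is attached. Scope
 * grants therefore act directly as authorization roles and need to be
 * reviewed with that in mind.
 *
 * @return OAuthToken|null Null when $token is not supported by this provider.
 *
 * @throws AuthenticationException When the access token cannot be verified or
 *                                 the user account fails the pre/post checks.
 */
public function authenticate(TokenInterface $token)
{
    if (!$this->supports($token)) {
        return;
    }

    try {
        $tokenString = $token->getToken();
        $accessToken = $this->serverService->verifyAccessToken($tokenString);

        if ($accessToken) {
            $scope = $accessToken->getScope();
            $user = $accessToken->getUser();

            if (null !== $user) {
                try {
                    $this->userChecker->checkPreAuth($user);
                } catch (AccountStatusException $e) {
                    // Presumably re-caught by the OAuth2ServerException catch below
                    // and wrapped into an AuthenticationException — TODO confirm.
                    throw new OAuth2AuthenticateException(
                        OAuth2::HTTP_UNAUTHORIZED,
                        OAuth2::TOKEN_TYPE_BEARER,
                        $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                        'access_denied',
                        $e->getMessage()
                    );
                }
                $token->setUser($user);
            }

            $roles = null !== $user ? $user->getRoles() : array();

            if (!empty($scope)) {
                // Drop empty entries produced by repeated or leading/trailing
                // spaces so that no bare "ROLE_" role is ever granted.
                foreach (array_filter(explode(' ', $scope), 'strlen') as $role) {
                    $roles[] = 'ROLE_' . strtoupper($role);
                }
            }

            // Default array_unique() compares entries as strings; if getRoles()
            // returns role objects this relies on them being string-convertible
            // — TODO confirm against the user class in use.
            $roles = array_unique($roles);

            $authenticatedToken = new OAuthToken($roles);
            $authenticatedToken->setAuthenticated(true);
            $authenticatedToken->setToken($tokenString);

            if (null !== $user) {
                try {
                    $this->userChecker->checkPostAuth($user);
                } catch (AccountStatusException $e) {
                    throw new OAuth2AuthenticateException(
                        OAuth2::HTTP_UNAUTHORIZED,
                        OAuth2::TOKEN_TYPE_BEARER,
                        $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM),
                        'access_denied',
                        $e->getMessage()
                    );
                }
                $authenticatedToken->setUser($user);
            }

            return $authenticatedToken;
        }
    } catch (OAuth2ServerException $e) {
        // Symfony 2.1's AuthenticationException has a different constructor
        // signature (detected by the absence of setToken()); the previous
        // exception goes in the slot that version expects.
        if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
            // Symfony 2.1
            throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
        }

        throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
    }

    // verifyAccessToken() returned a falsy value without throwing.
    throw new AuthenticationException('OAuth2 authentication failed');
}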