getBearerToken() public method

As per the Bearer spec (draft 8, section 2), there are three ways for a client to supply the bearer token, in order of preference: the Authorization header, a POST body parameter, and a GET query parameter. NB: Resource servers MUST accept tokens via the Authorization scheme (http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2).
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.1
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.2
See also: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08#section-2.3
public getBearerToken ( Request $request = null, boolean $removeFromRequest = false ) : string | null
$request Symfony\Component\HttpFoundation\Request
$removeFromRequest boolean
return string | null
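 /**
  * Authenticate the incoming request from its bearer token, falling back to
  * cookie-based authentication when no bearer token is present.
  *
  * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
  *
  * @return void
  */
 public function handle(GetResponseEvent $event)
 {
     $request = $event->getRequest();
     // The second argument strips the token from the request once it has been read.
     $oauthToken = $this->serverService->getBearerToken($request, true);
     if (null === $oauthToken) {
         // No bearer token: try the regular (cookie) authentication first.
         $token = $this->handleCookie($event);
         if ($token) {
             $this->securityContext->setToken($token);
             return;
         }
         // NOTE(review): no cookie token either; the code below still asks the
         // authentication manager to decide on an OAuthToken whose token is null.
     }
     $token = new OAuthToken();
     $token->setToken($oauthToken);
     // Authenticate exactly once, inside the try. The original issued a second,
     // identical call before the try, so an AuthenticationException raised by
     // that first call bypassed the catch block below entirely.
     try {
         $returnValue = $this->authenticationManager->authenticate($token);
         if ($returnValue instanceof TokenInterface) {
             return $this->securityContext->setToken($returnValue);
         }
         if ($returnValue instanceof Response) {
             return $event->setResponse($returnValue);
         }
     } catch (AuthenticationException $e) {
         // Only a wrapped exception carries an HTTP response to hand back to the client;
         // presumably the previous exception is an OAuth2 server exception — verify.
         if (null !== ($p = $e->getPrevious())) {
             $event->setResponse($p->getHttpResponse());
         }
     }
 }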
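 /**
  * Authenticate the incoming request: bearer token first, then cookie,
  * then HTTP authentication, and finally anonymous when nothing applies.
  *
  * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event The event.
  *
  * @return void
  */
 public function handle(GetResponseEvent $event)
 {
     $request = $event->getRequest();
     // The second argument strips the token from the request once it has been read;
     // the local is reused instead of calling getRequest() a second time.
     $oauthToken = $this->serverService->getBearerToken($request, true);
     if (null !== $oauthToken) {
         $this->tryOauthAuth($event, $oauthToken);
         return;
     }
     // No bearer token: fall back through the remaining schemes in order.
     if ($this->tryCookieAuth($event) || $this->tryHTTPAuth($event)) {
         return;
     }
     $this->authenticateAnonymous();
 }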
 /**
  * Drive getBearerToken() through each data-provider case: either the expected
  * token is returned (and, when requested, stripped from the request), or the
  * expected exception is raised carrying the expected headers and body.
  *
  * @dataProvider getTestGetBearerTokenData
  */
 public function testGetBearerToken(Request $request, $token, $remove = false, $exception = null, $exceptionMessage = null, $headers = null, $body = null)
 {
     $storage = $this->getMock('OAuth2\\IOAuth2Storage');
     $server = new OAuth2($storage);
     try {
         $actual = $server->getBearerToken($request, $remove);
         $this->assertSame($token, $actual);
         if ($exception) {
             $this->fail('The expected exception OAuth2ServerException was not thrown');
         }
         if ($remove) {
             // The token must be gone from every location it could have been supplied in.
             $this->assertNull($request->headers->get('AUTHORIZATION'));
             $this->assertNull($request->query->get('access_token'));
             $this->assertNull($request->request->get('access_token'));
         }
     } catch (\Exception $caught) {
         // Anything other than the expected exception type is a genuine test failure.
         $isExpected = $exception && $caught instanceof $exception;
         if (!$isExpected) {
             throw $caught;
         }
         $this->assertSame($headers, $caught->getResponseHeaders());
         $this->assertSame($body, $caught->getResponseBody());
     }
 }
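<?php

/**
 * @file
 * Sample protected resource.
 *
 * Obviously not production-ready code, just simple and to the point.
 *
 * In reality, you'd probably use a nifty framework to handle most of the crud for you.
 */
use OAuth2\OAuth2;
use OAuth2\OAuth2ServerException;
require 'lib/bootstrap.php';
$oauth = new OAuth2(new OAuth2StoragePDO(newPDO()));
try {
    // Read the bearer token from the current request and verify it before the
    // protected markup below is rendered.
    $token = $oauth->getBearerToken();
    $oauth->verifyAccessToken($token);
} catch (OAuth2ServerException $oauthError) {
    $oauthError->sendHttpResponse();
    // Stop here: without this, execution would continue past the catch and the
    // protected content below would still be emitted after a failed check.
    // NOTE(review): sendHttpResponse() may already terminate the script — confirm.
    exit;
}
// With a particular scope, you'd do:
// $oauth->verifyAccessToken("scope_name");
?>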

<html>
    <head>
    <title>Hello!</title>
    </head>
    <body>
    <p>This is a secret.</p>
    </body>