As the redirect uri can be a url but also a custom uri path as described here https://developers.google.com/identity/protocols/oauth2/native-app#custom-uri-scheme

We can't only rely on the filter_var to check if the URI is valid.

Hey I got this error on calling token route:

Cannot autowire argument $serverRequest of "trikoder.oauth2.controller.token_controller:indexAction()": it references interface "Psr\Http\Message\ServerRequestInterface" but no such service exists. Did you create a class that implements this interface?

Hello again,

I don't expect this to get merged, but I still wanted to get the pull request going just for reference, in case it helps with the work being done on #118, and also to verify supported versions against your CI.

This time around I'm doing it against master ;)

I've made a number of improvements over my last pull request, by looking at @rbaarsma 's composer.json file:

• Symfony 4.4.* should pass all tests on php 7.2 and php 7.3

• • with: PSR_HTTP_PROVIDER=nyholm
• • with: PSR_HTTP_PROVIDER=zendframework

• Symfony 5.0.* should pass all tests on php 7.2 and php 7.3

• • with: PSR_HTTP_PROVIDER=nyholm
• • with: PSR_HTTP_PROVIDER=zendframework

• This branch contains everything from both master and 2.x along with my own fixes to 2.x to make the tests pass, as submitted in #148

• update: CI passes fully.

Hi,

I am currently integrating the bundle into a brand new symfony 4.4 project. I wish to protect a certain route with two authentication methods, being JWT Token and OAuth2 Token, depending on the requesting party. For the JWT Token Auth I use package 'lexik/jwt-authentication-bundle`, which ships with an integrated Security Guard implementation that makes it very easy to add to a firewall section. Your package does not, but I think it would be a great enhancement.

Hello,

I am trying to implement your library in a project, an I'm unable to get it working. I can get an access token by going to a /token url, but after, when passing this token to my API's routes, I get a 401 unauthorized response.

When going to the symfony profiler, I can see that a AuthenticationCredentialsNotFoundException is thrown.

Here is my configuration :

• Symfony 4.2.3
• php 7.2.15

security.yaml :

security:
    providers:
        app_user_provider:
            entity:
                class: Trikoder\Bundle\OAuth2Bundle\Security\Authentication\Provider\OAuth2Provider
    firewalls:
        api_token:
            pattern: ^/api/token$
            security: false
        api:
            pattern: ^/api
            security: true
            stateless: true
            oauth2: true

        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: true

trikoder_oauth2.yaml :

trikoder_oauth2:

    authorization_server:

        # Full path to the private key file.
        # How to generate a private key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys
        private_key: "%kernel.root_dir%/../var/oauth/private.key"

        # The string used as an encryption key.
        # How to generate an encryption key: https://oauth2.thephpleague.com/installation/#string-password
        encryption_key: "generated as phpleague doc says"

        # How long the issued access token should be valid for.
        # The value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters
        access_token_ttl: PT1H

        # How long the issued refresh token should be valid for.
        # The value should be a valid interval: http://php.net/manual/en/dateinterval.construct.php#refsect1-dateinterval.construct-parameters
        refresh_token_ttl: P1M

    resource_server:

        # Full path to the public key file
        # How to generate a public key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys
        public_key: "%kernel.root_dir%/../var/oauth/public.key"

    # Scopes that you wish to utilize in your application.
    # This should be a simple array of strings.
    scopes: []

    # Configures different persistence methods that can be used by the bundle for saving client and token data.
    # Only one persistence method can be configured at a time.
    persistence:

        doctrine:

            # Name of the entity manager that you wish to use for managing clients and tokens.
            entity_manager: default # Required

        #in_memory: ~

I made a chmod -R a+rwx on my var/oauth folder.

Am I missing something ?

Thanks in advance

v7.3.0 of oauth-server does not seem to introduce breaking changes. Call of finalizedScopes() (see ScopeRepository) was moved, see https://github.com/thephpleague/oauth2-server/blob/master/CHANGELOG.md#730---released-2018-11-13

Adds Symfony 5 support and bumps minimum symfony version to 4.4 (as of January symfony 4.3 is no longer actively maintained, only security fixes and in the master of this bundle I opt to keep up with the times. If anyone uses an older version they will automatically use an older version of this bundle)

I've created a client with grants set to client_credentials password.

I can get a tokens issued with either grant type but requests made with tokens issued via password are rejected.

The resource server rejected the request.

Both tokens look similar in the oauth2_access_token table except the one created via password has a user_identifier that represents the user.

What would cause the password generated token to be rejected, or how can I troubleshoot it?

There's nothing to my controller that I'm getting 2 different results with:

class ExampleController extends AbstractController
{
    /**
     * @Route("/api/example", name="example")
     */
    public function index()
    {
        return $this->json(['status' => 1]);
        ...

I made a misstake in #83. Using --no-scripts will disable flex from running. In current master we are always using latest sf version. I wanted to run --no-scripts to avoid recipes being installed. That would add a bunch of new files that does not comply with our CS guidelines, ie build will always fail.

This PR first installs flex globally. Then install all packages to the correct (lower) version. That means no recipes are installed.

~~I also use environment variable instad.~~

Related to #76

Changes:

• Adding an interface to our 3 events.
• Remove return $this;
• ~~Use EventDispatcherInterface from symfony contracts.~~
• Using the new syntax for EventDispatcherInterface->dispatch() which have the parameter swapped places.

Change to prepare support for php 8 #248

I had add a delta for token expiration checking because this is not really the purpose of integration/acceptance test to check that but the purpose of unit test. This is "mandatory" because league/oauth2-server use DateTimeImmutable object instead of a clock pattern.

I think the delta is the best way to handle that because in production case it can be something that can append so not really a point.

Adding useful hints to README.md to guide other devs to find the replacement of this bundle. The configuation oauth2: true in security.yml leads to errors when using Symfony 5.3 in combination with this bundle.

This project is very useful and well developped. But there is no release since October 2020 and even if a lot of PR have been done.

is this project still maintained ?

This commit https://github.com/trikoder/oauth2-bundle/commit/286cab0903029d17898cc617ae88d26f808c3a9e (committed on 5 Feb 2021 ) remove the dependency of sensio/framework-extra-bundle but has never been released.

Would it be possible to have a new release to avoid conflict in composer due to this dependency please?

Assist other developers in knowing this project's future plans of moving to thephpleague/oauth2-server-bundle. Obviously feel free to update or improve the message.

Return type of Trikoder\Bundle\OAuth2Bundle\League\Entity\Scope::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice.

Hi,

I need to implement the password grant flow between an angular SPA and symfony api back end. My understanding is that I should use the password grant flow. The SPA will serve 3 different brand sites and we will have 3 different OAuth Clients. The first thing I don't get is since the SPA can't contain the client secret which oauth end point I'll be hitting to get the access token.

Right now we have a two steps registration process and in second step I need to return an access token for the user in order to complete profile. I'm restricting this end point with 'registration' scope and the user will have the role ROLE_USER_INACTIVE + obviously ROLE_OAUTH2_REGISTRATION. So the user can't access anything else. I'm providing the access token like this:

public function getAccessToken(Request $request, Player $player)
    {
        //Auto wired in constructor
        //Nyholm\Psr7\Factory\Psr17Factory $psrHttpFactory,
        //League\OAuth2\Server\AuthorizationServer $authorizationServer,
        //App\Repository\ClientBrandRepository $clientBrandRepository,

        $clientBrand = $this->clientBrandRepository->getOAuthClientByBrand($player->getBrand()->getName());

        $request->request->add([
            'grant_type' => 'password',
            'scope' => 'registration',
            'username' => $player->getUsername(),
            'password' => 'password',
            'client_id' => $clientBrand->getClient()->getIdentifier(),
            'client_secret' => $clientBrand->getClient()->getSecret(),
        ]);

        $psrRequest = $this->psrHttpFactory->createRequest($request);
        $psr17Factory = new Psr17Factory();
        $serverResponse = $psr17Factory->createResponse();

        try {
            $response = $this->authorizationServer->respondToAccessTokenRequest($psrRequest, $serverResponse);
            $responseAsArray = json_decode($response->getBody(), true);

            return $responseAsArray;

        } catch (OAuthServerException $e) {
            return $e->generateHttpResponse($serverResponse);
        }
    }

Here the password sin't taken into account, here is my UserResolveListener

public function onUserResolve(UserResolveEvent $event): void
    {
        $user = $this->userBrandProvider->loadPlayerByUsernameClient($event->getUsername(), $event->getClient()->getIdentifier());

        if (null === $user) {
            return;
        }

        if ($user->isActive()) {
            if (!$this->userPasswordEncoder->isPasswordValid($user, $event->getPassword())) {
                return;
            }
        } else {
            if (!$user->isRegistrationOngoing()) {
                return;
            }
        }

        $event->setUser($user);
    }

Basically in case the user is inactive, I'm checking if the registration is ongoing and without checking the password (since I don't have it) I'm setting the user to the event.

But I'm not using the 2 oauth end points defined in routes/trikoder_oauth2.yaml

oauth2_authorize:
    path: /oauth/v2/authorize
    defaults: { _controller: Trikoder\Bundle\OAuth2Bundle\Controller\AuthorizationController::indexAction, _method: GET }

oauth2_token:
    path: /oauth/v2/token
    defaults: { _controller: Trikoder\Bundle\OAuth2Bundle\Controller\TokenController::indexAction, _method: POST }

My question is am I missing something and how I would implement the login? Also since the SPA can't contain the client secret how it would use the refresh token as well?

Thanks