Symfony 2-4 OAuth2 Client Bundle
MIT License
OAuth2 Client Bundle for Symfony 2-5.
Allow for the protection of resources via OAuth2. Provides two Symfony firewalls. One for checking bearer access tokens for securing API application. The access tokens can be provided via a header (recommended) or query e.g. Authorization: Bearer {Access Token}
or http://example.com/resource?access_token={Access Token}
. The other firewall is for securing web applications via the authorization code grant type.
Add the bundle to your composer.json:
{
"require": {
"jdelaune/oauth2-client-bundle": "^5.0"
}
}
Now tell composer to download the bundle by running the command:
$ php composer.phar update jdelaune/oauth2-client-bundle
Composer will install the bundle to your project's vendor/jdelaune
directory.
Enable the bundle in the kernel:
<?php
// app/AppKernel.php
public function registerBundles()
{
$bundles = array(
// ...
new OAuth2\ClientBundle\OAuth2ClientBundle(),
);
}
You'll need add your OAuth2 Server URIs as parameters to your parameters.yml
# app/config/parameters.yml
parameters:
oauth2.client.server:
authorize_uri: 'http://example.com/authorize'
token_uri: 'https://example.com/token'
verify_uri: 'https://example.com/verify-token'
validate_ssl: true
The verify uri should verify the access token on your OAuth2 Server and provide a JSON encoded array of:
access_token
client_id
expires_in
user_id
(Optional)scope
(Optional)Access token only firewall is most often used for securing APIs where the end user won't actually be interacting with your Symfony application directly.
You'll need to setup a firewall in your security.yml
# app/config/security.yml
security:
encoders:
OAuth2\ClientBundle\Security\User\OAuth2User: plaintext
providers:
oauth2_client:
id: oauth2.client.user_provider
firewalls:
oauth2_secured:
pattern: ^/secured_area/
oauth2_access_token: true
stateless: true
Authorization code firewall is most often used when the end user is interacting with your Symfony application.
You'll need to setup a firewall in your security.yml
# app/config/security.yml
security:
encoders:
OAuth2\ClientBundle\Security\User\OAuth2User: plaintext
providers:
oauth2_client:
id: oauth2.client.user_provider
firewalls:
oauth2_secured:
pattern: ^/secured_area/
oauth2_authorization_code:
client_id: ~
client_secret: ~
redirect_uri: http://www.example.com/secured_area/authorized
scope: basic
The redirect_uri
needs to be a URI behind the same firewall. You can use all the usual configuration options here as well that one would use for the form firewall like use_referer
and default_target_path
.
We provide default routing for some paths needed when using the authorization code firewall. Add this to your routing.yml
# app/config/routing.yml
oauth2_client:
resource: "@OAuth2ClientBundle/Controller/"
type: annotation
prefix: /
The client bundle will provide an OAuth2Token
object for any secured path in your controllers.
There are additional getters available on the OAuth2User
object:
$token = $this->get('security.context')->getToken();
$token->getAccessToken(); // The access token
$token->getRefreshToken(); // The refresh token
$token->getExpiresAt(); // Expiry datetime object
$token->getExpiresIn(); // Seconds until the access token expires
The client bundle will provide an OAuth2User
object for any secured path in your controllers.
Scopes will be turned into roles automatically, e.g. a scope of email
would result in a role of ROLE_EMAIL
.
There are additional getters available on the OAuth2User
object:
$user = $this->getUser();
$user->getClientId(); // Client ID
$user->getUserId(); // User ID
$user->isUser(); // True if user, false if client only
$user->getUsername(); // Client ID if client only, or User ID if user
$user->getScopes(); // Array of scopes
$user->getAccessToken(); // The access token