Add compatibility with league/oauth2-server:^9
#186
Force-pushed from 4bbbd6e to 19817a6
Would love to see this PR released when stable! 🚀

@ajgarlag would you appreciate some help finishing this? Thanks for the PR!

I agree. We should also disallow passing

Is there anything missing actually? I just see WIP in the title but this looks good
Force-pushed from d2ebd4f to 88fb5e9
My main concern is with the last commit, but I think this will affect only a minimal number of users.

I would merge this PR and disallow passing

Does Symfony allow an empty string as a user identifier?
Works for me 👍
No, built-in authenticators forbid it: https://github.com/symfony/symfony/blob/dd9fa153d344593c7fe12eb761158558377d98a4/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php#L149
@@ -31,6 +32,11 @@ public function getConfigTreeBuilder(): TreeBuilder | |||
->defaultValue('ROLE_OAUTH2_') | |||
->cannotBeEmpty() | |||
->end() | |||
->scalarNode('anonymous_user_identifier') |
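Review bot: the new `->scalarNode('anonymous_user_identifier')` is cut off in this hunk, so its constraints and default are not visible; the sibling `role_prefix` node directly above carries `->cannotBeEmpty()`, and since this thread notes that Symfony's built-in authenticators refuse an empty user identifier, this node should either carry the same `->cannotBeEmpty()` or state explicitly (in `->info()` and the bundle docs) that an empty or null value means "no anonymous identifier, reject unauthenticated authorization requests".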
Can you please remind me under which flow we expect anonymous users? Wording-wise the anonymous concept has been removed in Symfony, but I feel like this one is different and specific to this bundle; what's the case I'm missing?
The `AuthorizationController` does not require authentication (although it is highly recommended), so when the `AuthorizationRequestResolveEvent` is dispatched, there is a valid use case where the `AuthorizationRequestUserResolvingListener` cannot set the user instance in the event:

oauth2-server-bundle/src/EventListener/AuthorizationRequestUserResolvingListenerTrait.php, lines 12 to 18 in ec2c2d3:
```php
public function onAuthorizationRequest(AuthorizationRequestResolveEvent $event): void
{
    $user = $this->security->getUser();
    if ($user instanceof UserInterface) {
        $event->setUser($user);
    }
}
```
So the `$event->getUser()` call can return null with a resolved authorization:

```php
$authRequest->setUser($this->userConverter->toLeague($event->getUser()));
```
This is the use case I think we should disallow.
But the interface allows it. Maybe a
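The failure mode discussed above, as an added example that is not bundle code: the listener may leave the event's user unset, so the identifier handed to `AccessTokenEntity::setUserIdentifier()` must be derived with the same null/empty guard this PR adds, falling back to the configured `anonymous_user_identifier` and rejecting the request when neither exists. `UserInterface`, `DemoUser` and `resolveUserIdentifier()` are stand-ins written for this snippet, not the bundle's or Symfony's own classes.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony's UserInterface so the snippet runs on its own (assumption:
// the real interface in symfony/security-core exposes getUserIdentifier()).
interface UserInterface
{
    public function getUserIdentifier(): string;
}

final class DemoUser implements UserInterface
{
    public function __construct(private string $id) {}
    public function getUserIdentifier(): string { return $this->id; }
}

/**
 * Decide which identifier may reach AccessTokenEntity::setUserIdentifier().
 * Mirrors the guard from the PR: null and '' are never forwarded. When the
 * authorization request was resolved without a user (no UserInterface in the
 * security context), fall back to the configured anonymous identifier and
 * refuse the request if that is unset or empty as well.
 *
 * @throws RuntimeException when no usable identifier exists
 */
function resolveUserIdentifier(?UserInterface $user, ?string $anonymousUserIdentifier): string
{
    $identifier = $user?->getUserIdentifier() ?? $anonymousUserIdentifier;

    if (null === $identifier || '' === $identifier) {
        throw new RuntimeException('Refusing to issue a token without a user identifier.');
    }

    return $identifier;
}

// Demonstration with constructed inputs: authenticated user, anonymous fallback,
// and the rejected case where nothing usable is available.
echo resolveUserIdentifier(new DemoUser('alice'), null), PHP_EOL;
echo resolveUserIdentifier(null, 'anonymous'), PHP_EOL;
try {
    resolveUserIdentifier(null, '');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```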
$accessToken = new AccessTokenEntity(); | ||
$accessToken->setClient($clientEntity); | ||
$accessToken->setUserIdentifier($userIdentifier); | ||
if (null !== $userIdentifier && '' !== $userIdentifier) { | ||
$accessToken->setUserIdentifier($userIdentifier); |
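Review bot: this hunk shows `$accessToken->setUserIdentifier($userIdentifier);` both unconditionally (third line) and again inside the `null !== $userIdentifier && '' !== $userIdentifier` guard; the diff markers were lost in extraction, so confirm in the rendered diff that the unconditional call is the removed line, otherwise the guard changes nothing because the entity has already received the null or empty value. A test asserting that a null and an empty-string identifier both leave the entity's identifier unset would pin this down.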
Given the low potential of breaking people's code as you said + the fact we're still in 0.x version (not for long I think!), I'm fine doing this change although it's a bit aggressive.
Force-pushed from 88fb5e9 to 5e25146

Thank you @ajgarlag.