Add support for the "authorization_code" grant type #18
Conversation
Codecov Report

@@            Coverage Diff             @@
##             master      #18      +/-   ##
============================================
- Coverage     90.81%   89.52%   -1.29%
- Complexity      280      341      +61
============================================
  Files            43       52       +9
  Lines           980     1146     +166
============================================
+ Hits            890     1026     +136
- Misses           90      120      +30
Continue to review full report at Codecov.
@spideyfusion Could you review this PR? What do you think about the new event to resolve the authorization decision? Thanks in advance!
Great work thus far @ajgarlag! I definitely like the idea of having an event available where the developer has the chance to take complete control of the authorization process. Could you give me a code example on how you would implement a simple decision page and an event listener which would appropriately approve or deny an authorization request?
I've written a simple proof of concept (not ready for production) which uses the https://gist.github.com/ajgarlag/1f84d29ee0e1a92c8878f44a902338cd
Your implementation of the authorization controller expects the user to be already authenticated. The component demo says that you should first call https://oauth2.thephpleague.com/authorization-server/auth-code-grant/ This allows SSO implementations where the client (relying party in OIDC terms) sends guests to the authorization endpoint. The authorization endpoint validates the request (authenticates against the client). Then it should either re-use the existing session or let the user authenticate (could be a redirect to a route with form_login or any other configured firewall). The authentication on its own is not in scope of OAuth, but we should be able to configure it. Once logged in, the user should be taken back to the authorization endpoint to optionally authorize the client (this is where the event kicks in). Finally, the user is redirected back with the authorization code and the flow continues on the RP side. We could fix this easily with the following changes:
Good catch, but I prefer a different way to fix it. That check with the AuthorizationChecker is there from the first commit, before the Now, I would move the responsibility of checking the user authentication and the responsibility of setting the UserEntity into the event to two different event listeners. The first one will set the attribute required to process the This will allow prepending an EventListener from an OIDC implementation that will manage the What do you think?
Sounds good to me. As long as we are able to plug in any authentication provided by Symfony Security, I'd be happy :)
Finally, I have decided to remove any authorization check from the authorization endpoint. It's not needed at all. It is up to you to decide how to protect the authorization endpoint. Anyway, I have added a recommendation to the README to protect it, so that anonymous users cannot access the authorization endpoint and cannot approve authorization requests.
I believe this is not entirely correct. Anonymous users are welcome to the authorization endpoint. See https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
Yes, I know that, but remember that we are implementing here the authorization_code grant for an OAuth 2.0 server, not for an OIDC provider. In an OIDC provider implementation, the security configuration should allow anonymous access to the authorization endpoint, and an EventListener will have to manage the Anyway, access to the authorization endpoint is not limited by default. If you know what you are doing, you can omit the recommendation and allow anonymous users access.
👍 @spideyfusion what do you think, ready to merge?
@spideyfusion The PR is ready to merge for me.
I've been working with the code in this PR and I dislike how the AuthorizationRequestResolve event in AuthorizationController is tightly coupled to the listener that reacts to it. I've tried to make it a bit more flexible, so I've moved the responsibility to create a response or approve the authorization request to the listener. Furthermore, I've encapsulated the authorization approval bit so that we can employ any other strategy. I've created a PR against @ajgarlag's feature branch so you could review it separately.
@MichaelKubovic Thanks for your PR, I'll review it after all requested changes by @alenpokos are addressed.
@alenpokos I've introduced some changes in the AuthorizationRequestResolveEvent workflow. The The controller checks if the event has a When
@alenpokos @spideyfusion Is there any pending change?
ping, what's the state of this issue?
Any news on this PR?
We'll take a look at resolving this PR by the end of the week. Sorry for the lack of communication, we've been extremely busy this past month. |
@spideyfusion before tagging a new major release, I'd like to include #21. I'll rebase it once #18 gets merged. |
Call `Event::stopPropagation` when an event listener sets a response, or resolves the authorization request, so the event listener with higher priority wins.
 * The AUTHORIZATION_REQUEST_RESOLVE event occurrs right before the system
 * complete the authorization request.
 *
 * You could approve or deny the authorization request, or set the uri where
"or set the uri"
You mean "or add a RedirectResponse to the event"?
Question: If I redirect the user to a form where they accept or deny the claim, how do I get back?
Could you add some more documentation about this?
(I'm currently testing this PR)
Thank you for your work!
Yes, I mean "or set the response, (usually a redirect response), that will be returned to the user to resolve the authorization process"
Regarding your question, you can have a listener which can extract the user decision from the request. See #18 (comment)
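An added example, not code from this PR or from the trikoder/oauth2-bundle project, of the listener the two comments above describe: it subscribes to the AUTHORIZATION_REQUEST_RESOLVE event, refuses to approve anything when no user is present in TokenStorage, redirects to a consent page when no decision has been submitted yet, otherwise reads the user's decision back from the POSTed form, and calls `stopPropagation` after every outcome so that this higher-priority listener wins, as the "Call `Event::stopPropagation`" commit message intends. The method names `getUser()`, `resolveAuthorization(bool)` and `setResponse()` on `AuthorizationRequestResolveEvent`, the `OAuth2Events` constant's class, the `app_oauth2_consent` route name and the `decision` / `_token` form fields are assumptions; the CSRF check on the posted decision is an addition the thread does not discuss.

```php
<?php
declare(strict_types=1);

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Trikoder\Bundle\OAuth2Bundle\Event\AuthorizationRequestResolveEvent;
use Trikoder\Bundle\OAuth2Bundle\OAuth2Events;

/**
 * Resolves the authorization request from the user's consent decision.
 * Example code; the bundle's event API is assumed here, not quoted from it.
 */
final class ConsentListener implements EventSubscriberInterface
{
    // Form field names on the consent page (assumed; the bundle defines none).
    private const FIELD_DECISION = 'decision';
    private const FIELD_CSRF = '_token';
    private const CSRF_ID = 'oauth2_consent';

    public function __construct(
        private RequestStack $requestStack,
        private UrlGeneratorInterface $urlGenerator,
        private CsrfTokenManagerInterface $csrfTokenManager,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 10: runs before default-priority listeners; once it has
        // decided it stops propagation, so no later listener can override it.
        return [OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE => ['onAuthorizationRequestResolve', 10]];
    }

    public function onAuthorizationRequestResolve(AuthorizationRequestResolveEvent $event): void
    {
        $request = $this->requestStack->getCurrentRequest();
        if ($request === null) {
            return;
        }

        // The bundle takes the user from TokenStorage (assumed getUser() accessor).
        // With no authenticated user there is nobody who can consent: deny and stop,
        // so a lower-priority listener cannot approve on behalf of an anonymous request.
        if ($event->getUser() === null) {
            $event->resolveAuthorization(false);
            $event->stopPropagation();
            return;
        }

        $decision = $request->request->get(self::FIELD_DECISION);

        // No decision posted yet: send the user to the consent page. The original
        // query string (client_id, redirect_uri, scope, state, ...) travels along so
        // the consent form can post back to the authorization endpoint unchanged.
        if ($decision === null) {
            $url = $this->urlGenerator->generate('app_oauth2_consent', $request->query->all());
            $event->setResponse(new RedirectResponse($url));
            $event->stopPropagation();
            return;
        }

        // A posted decision must carry a valid CSRF token, otherwise a cross-site
        // form post could approve a client in the user's name. A missing or invalid
        // token is treated as a denial rather than as "no decision yet".
        $token = new CsrfToken(self::CSRF_ID, (string) $request->request->get(self::FIELD_CSRF, ''));
        $approved = $decision === 'approve' && $this->csrfTokenManager->isTokenValid($token);

        $event->resolveAuthorization($approved);
        $event->stopPropagation();
    }
}
```

The consent page itself is an ordinary controller that renders the client name and requested scopes and whose form posts `decision=approve|deny` plus the CSRF token back to the bundle's authorization endpoint with the original query parameters, so the second pass through this listener finds the decision and resolves the request.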
All the discussion points have been addressed.
I did a quick review, but I have tried the implementation and I did not find any issues.
From what I see here, this bundle still misses the part of ps.: I've only tried to implement
It's completely up to you how you implement the authentication flow for the user. The authorization flow implemented in this bundle relies on the user being set in TokenStorage. That's where
Well, so this means that also We should be able to receive from Looking at the controller, for example https://github.com/trikoder/oauth2-bundle/blob/v2.x/Controller/AuthorizationController.php#L60-L65 Does what I'm stating here make sense?
What I've done is that I accept anonymous users on You can take the user to a 3rd party service if you wish.
@MichaelKubovic well, so how do you "restore" the user from the redirect? You need to have access to the same db and you need to return with some information from the 3rd party (like an id).
I do authentication within the same Symfony instance. But this bundle does not force you. For the consent flow, I have yet another listener hooked to the same authorization event. It's not the responsibility of this bundle, nor the responsibility of OAuth 2, to deal with details of authentication.
I know this, but as long as you need a logged-in user inside this bundle I suppose that you're assuming that everything is tied together: The fact that you're doing authentication inside the same Symfony instance maybe doesn't let you grasp the problem, or probably I'm explaining it in the wrong way.
Take a look at this especially when it says
That's the key aspect as
I see what confuses you. The interface that this bundle relies on, the Think of If you have authentication implemented elsewhere, you should know how to communicate with it. Do you federate to an OIDC provider? Do you share a cookie? Do you use some means of one-time access token? Up to you.
Disagree, the User is mentioned in the spec many times. See https://tools.ietf.org/html/rfc6749#section-4.1. The spec says that the user should be authenticated through the user agent.
I know the key concepts of Symfony, I just mistook the interface, which is not from Symfony but from the league bundle (the Symfony one also has the
Fix #2