OAuthToken with null user is not authenticated anymore since symfony 5.4
4rthem opened this issue · 5 comments
I'm using ->isGranted('ROLE_SCOPE1') to authorize a machine token, so there is no user context.
Since Symfony 5.4, AuthorizationChecker relies on getUser() instead of getToken(), which makes user-less access tokens not authenticated (cf. diff).
In some way Symfony introduced a BC break, but I think the OAuthToken should fill the user property with a string constant to pass this condition.
What do you think?
@nicolas-grekas what would be the good practice?
I'm also having this issue, specifically when using a client_credentials grant. Is there a workaround for this, perhaps setting the user to the OAuth application itself?
In some way Symfony introduced a BC break
I agree, it's very odd, especially for the client_credentials grant, where technically no user exists.
My quick and dirty solution was to override vendor/friendsofsymfony/oauth-server-bundle/Security/Authentication/Provider/OAuthProvider.php with my own. Actually, I only needed to adjust the authenticate() method, so I could create a "dummy user" (something which implements UserInterface) on the fly and set it on $token.
For example: create src/Security/OAuth/Provider/OAuthProvider.php with the fully-qualified namespace App\Security\OAuth\Provider\OAuthProvider, and then configure it as a "replacement" for the fos_oauth_server.security.authentication.provider service. In your config/services.yaml add the following:

```yaml
fos_oauth_server.security.authentication.provider:
    class: App\Security\OAuth\Provider\OAuthProvider
    arguments: [ ~, '@fos_oauth_server.server', ~ ]
    public: false
```
I tried to decorate the original fos_oauth_server.security.authentication.provider service but didn't get it working, so I just copied everything.
In the authenticate() method, right after verifyAccessToken($tokenString), you can check for $user === null and create one on the fly. I decided to create a ClientCredentialsDummyUser model which implements \Symfony\Component\Security\Core\User\UserInterface for that special case.
While it's definitely not an ideal solution, and it lacks some things I'd like to do with it, it does at least get around the issue.
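The following is an added example of the replacement provider described in the comment above; it is not the commenter's code and not part of FOSOAuthServerBundle. It assumes the bundle's OAuthProvider constructor signature (user provider, OAuth2 server service, user checker, matching the `[ ~, '@fos_oauth_server.server', ~ ]` service arguments, where the security factory fills in the first and third), the bundle's access-token model (verifyAccessToken(), getUser(), getScope(), getClientId()), its OAuthToken class, and PHP 8 for constructor property promotion. The class name ClientCredentialsDummyUser and the `client:<id>` identifier format are assumptions for illustration; both classes are shown in one block for brevity.

```php
<?php
// Added example: OAuthProvider replacement that substitutes a dummy user when
// the verified access token has no user (the client_credentials case), so the
// resulting token passes the getUser()-based authentication check in Symfony 5.4.
declare(strict_types=1);

namespace App\Security\OAuth\Provider;

use FOS\OAuthServerBundle\Security\Authentication\Token\OAuthToken;
use OAuth2\OAuth2;
use OAuth2\OAuth2ServerException;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

// Assumed name: a stand-in user bound to the OAuth client, never to a person.
final class ClientCredentialsDummyUser implements UserInterface
{
    /** @param string[] $roles */
    public function __construct(private string $clientId, private array $roles) {}

    public function getRoles(): array { return $this->roles; }
    public function getPassword(): ?string { return null; }   // no credential to check
    public function getSalt(): ?string { return null; }
    public function getUsername(): string { return $this->getUserIdentifier(); }
    public function getUserIdentifier(): string { return 'client:' . $this->clientId; } // assumed format
    public function eraseCredentials(): void {}
}

class OAuthProvider implements AuthenticationProviderInterface
{
    public function __construct(
        private UserProviderInterface $userProvider,   // injected by the security factory, unused here
        private OAuth2 $serverService,
        private UserCheckerInterface $userChecker
    ) {}

    public function supports(TokenInterface $token): bool
    {
        return $token instanceof OAuthToken;
    }

    public function authenticate(TokenInterface $token): TokenInterface
    {
        if (!$this->supports($token)) {
            throw new AuthenticationException('Unsupported token.');
        }

        $tokenString = $token->getToken();
        try {
            $accessToken = $this->serverService->verifyAccessToken($tokenString);
        } catch (OAuth2ServerException $e) {
            throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
        }

        // Map each granted scope to ROLE_<SCOPE>, the same convention the bundle
        // uses, so ->isGranted('ROLE_SCOPE1') keeps working for machine tokens.
        $roles = [];
        foreach (array_filter(explode(' ', (string) $accessToken->getScope())) as $scope) {
            $roles[] = 'ROLE_' . mb_strtoupper($scope);
        }

        $user = $accessToken->getUser();
        if ($user instanceof UserInterface) {
            // User-bound token: keep the bundle's account checks for real users.
            $this->userChecker->checkPreAuth($user);
            $this->userChecker->checkPostAuth($user);
            $roles = array_values(array_unique(array_merge($roles, $user->getRoles())));
        } else {
            // client_credentials grant: no user exists, so bind a dummy user to the
            // client so the token carries a user and counts as authenticated. The
            // dummy user gets only the scope roles; it is deliberately not a person.
            $user = new ClientCredentialsDummyUser((string) $accessToken->getClientId(), $roles);
        }

        $authenticated = new OAuthToken($roles);
        $authenticated->setAuthenticated(true); // legacy provider API, still required here
        $authenticated->setToken($tokenString);
        $authenticated->setUser($user);

        return $authenticated;
    }
}
```

The dummy user's getRoles() returns exactly the scope-derived roles, so a voter that inspects getUser()->getRoles() agrees with the token's own roles. Whatever identifier format you choose, keep it distinct from real user identifiers (here the `client:` prefix) so nothing downstream, such as audit logging or an ownership check, mistakes a client token for a human account.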
+1
+1