Add support for authenticator security system

Author: mtarld

.github/workflows/unit-tests.yml

@@ -12,6 +12,7 @@ jobs:
             matrix:
                 symfony-version:
                     - "4.4.*"
+                    - "5.1.*"
                     - "5.2.*"
                 php-version:
                     - "7.2"

.psalm.baseline.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<files psalm-version="4.7.0@d4377c0baf3ffbf0b1ec6998e8d1be2a40971005">
+  <file src="src/Resources/config/services.php">
+    <ImplicitToStringCast occurrences="1">
+      <code>service(GrantConfigurator::class)</code>
+    </ImplicitToStringCast>
+    <MixedInferredReturnType occurrences="1">
+      <code>ReferenceConfigurator</code>
+    </MixedInferredReturnType>
+    <MixedReturnStatement occurrences="1">
+      <code>($fn)($id)</code>
+    </MixedReturnStatement>
+  </file>
+  <file src="src/Security/Authenticator/OAuth2Authenticator.php">
+    <PossiblyInvalidArgument occurrences="1">
+      <code>$this-&gt;getUserBadge($userIdentifier)</code>
+    </PossiblyInvalidArgument>
+  </file>
+</files>

psalm.xml

@@ -11,6 +11,7 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="https://getpsalm.org/schema/config"
         xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+        errorBaseline=".psalm.baseline.xml"
 >
     <projectFiles>
         <directory name="src"/>
@@ -44,27 +45,6 @@
         <RawObjectIteration errorLevel="error"/>
         <InvalidStringClass errorLevel="error"/>
         <UnresolvableInclude errorLevel="error"/>
-        <ImplicitToStringCast errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </ImplicitToStringCast>
-        <MixedInferredReturnType errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </MixedInferredReturnType>
-        <MixedReturnStatement errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/services.php" />
-            </errorLevel>
-        </MixedReturnStatement>
-        <InvalidArgument errorLevel="error">
-            <errorLevel type="suppress">
-                <file name="src/Resources/config/routes.php" />
-                <referencedFunction name="Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator::controller" />
-            </errorLevel>
-        </InvalidArgument>
     </issueHandlers>
 
     <plugins>

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -17,7 +17,8 @@
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\RefreshTokenManager;
 use League\Bundle\OAuth2ServerBundle\Manager\ScopeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Model\Scope as ScopeModel;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
 use League\Bundle\OAuth2ServerBundle\Service\CredentialsRevoker\DoctrineCredentialsRevoker;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\CryptKey;
@@ -60,9 +61,12 @@ public function load(array $configs, ContainerBuilder $container)
         $this->configureResourceServer($container, $config['resource_server']);
         $this->configureScopes($container, $config['scopes']);
 
-        $container->findDefinition(OAuth2TokenFactory::class)
+        $container->findDefinition(LegacyOAuth2TokenFactory::class)
             ->setArgument(0, $config['role_prefix']);
 
+        $container->findDefinition(OAuth2Authenticator::class)
+            ->setArgument(3, $config['role_prefix']);
+
         $container->findDefinition(ConvertExceptionToResponseListener::class)
             ->addTag('kernel.event_listener', [
                 'event' => KernelEvents::EXCEPTION,

src/DependencyInjection/Security/LegacyOAuth2Factory.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\DependencyInjection\Security;
+
+use League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider\OAuth2Provider;
+use League\Bundle\OAuth2ServerBundle\Security\EntryPoint\OAuth2EntryPoint;
+use League\Bundle\OAuth2ServerBundle\Security\Firewall\OAuth2Listener;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Reference;
+
+final class LegacyOAuth2Factory implements SecurityFactoryInterface
+{
+    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint): array
+    {
+        $provider = sprintf('security.authentication.provider.oauth2.%s', $id);
+        $container
+            ->setDefinition($provider, new ChildDefinition(OAuth2Provider::class))
+            ->replaceArgument(0, new Reference($userProvider))
+            ->replaceArgument(3, $id);
+
+        $listener = sprintf('security.authentication.listener.oauth2.%s', $id);
+        $container
+            ->setDefinition($listener, new ChildDefinition(OAuth2Listener::class))
+            ->replaceArgument(4, $id);
+
+        return [$provider, $listener, OAuth2EntryPoint::class];
+    }
+
+    public function getPosition(): string
+    {
+        return 'pre_auth';
+    }
+
+    public function getKey(): string
+    {
+        return 'oauth2';
+    }
+
+    public function addConfiguration(NodeDefinition $builder): void
+    {
+    }
+}

src/DependencyInjection/Security/OAuth2Factory.php

@@ -5,57 +5,56 @@
 namespace League\Bundle\OAuth2ServerBundle\DependencyInjection\Security;
 
 use League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider\OAuth2Provider;
+use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
 use League\Bundle\OAuth2ServerBundle\Security\EntryPoint\OAuth2EntryPoint;
 use League\Bundle\OAuth2ServerBundle\Security\Firewall\OAuth2Listener;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
 
-final class OAuth2Factory implements SecurityFactoryInterface
+/**
+ * @author Mathias Arlaud <[email protected]>
+ */
+final class OAuth2Factory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {
-    /**
-     * {@inheritdoc}
-     */
-    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
+    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint): array
     {
-        $providerId = 'security.authentication.provider.oauth2.' . $id;
+        $provider = sprintf('security.authentication.provider.oauth2.%s', $id);
         $container
-            ->setDefinition($providerId, new ChildDefinition(OAuth2Provider::class))
+            ->setDefinition($provider, new ChildDefinition(OAuth2Provider::class))
             ->replaceArgument(0, new Reference($userProvider))
             ->replaceArgument(3, $id);
 
-        $listenerId = 'security.authentication.listener.oauth2.' . $id;
+        $listener = sprintf('security.authentication.listener.oauth2.%s', $id);
         $container
-            ->setDefinition($listenerId, new ChildDefinition(OAuth2Listener::class))
+            ->setDefinition($listener, new ChildDefinition(OAuth2Listener::class))
             ->replaceArgument(4, $id);
 
-        return [$providerId, $listenerId, OAuth2EntryPoint::class];
+        return [$provider, $listener, OAuth2EntryPoint::class];
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getPosition()
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProvider): string
+    {
+        $authenticator = sprintf('security.authenticator.oauth2.%s', $firewallName);
+        $container->setDefinition($authenticator, new ChildDefinition(OAuth2Authenticator::class));
+
+        return $authenticator;
+    }
+
+    public function getPosition(): string
     {
         return 'pre_auth';
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function getKey()
+    public function getKey(): string
     {
         return 'oauth2';
     }
 
-    /**
-     * {@inheritdoc}
-     *
-     * @return void
-     */
-    public function addConfiguration(NodeDefinition $node)
+    public function addConfiguration(NodeDefinition $builder): void
     {
     }
 }

src/EventListener/ConvertExceptionToResponseListener.php

@@ -4,8 +4,7 @@
 
 namespace League\Bundle\OAuth2ServerBundle\EventListener;
 
-use League\Bundle\OAuth2ServerBundle\Security\Exception\InsufficientScopesException;
-use League\Bundle\OAuth2ServerBundle\Security\Exception\Oauth2AuthenticationFailedException;
+use League\Bundle\OAuth2ServerBundle\Security\Exception\OAuth2AuthenticationException;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\ExceptionEvent;
 
@@ -17,8 +16,8 @@ final class ConvertExceptionToResponseListener
     public function onKernelException(ExceptionEvent $event): void
     {
         $exception = $event->getThrowable();
-        if ($exception instanceof InsufficientScopesException || $exception instanceof Oauth2AuthenticationFailedException) {
-            $event->setResponse(new Response($exception->getMessage(), (int) $exception->getCode()));
+        if ($exception instanceof OAuth2AuthenticationException) {
+            $event->setResponse(new Response($exception->getMessage(), $exception->getStatusCode(), ['WWW-Authenticate' => 'Bearer']));
         }
     }
 }

src/LeagueOAuth2ServerBundle.php

@@ -6,7 +6,9 @@
 
 use Doctrine\Bundle\DoctrineBundle\DependencyInjection\Compiler\DoctrineOrmMappingsPass;
 use League\Bundle\OAuth2ServerBundle\DependencyInjection\LeagueOAuth2ServerExtension;
+use League\Bundle\OAuth2ServerBundle\DependencyInjection\Security\LegacyOAuth2Factory;
 use League\Bundle\OAuth2ServerBundle\DependencyInjection\Security\OAuth2Factory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
@@ -38,7 +40,9 @@ private function configureSecurityExtension(ContainerBuilder $container): void
     {
         /** @var SecurityExtension $extension */
         $extension = $container->getExtension('security');
-        $extension->addSecurityListenerFactory(new OAuth2Factory());
+
+        // BC Layer for < 5.1 versions
+        $extension->addSecurityListenerFactory(interface_exists(AuthenticatorFactoryInterface::class) ? new OAuth2Factory() : new LegacyOAuth2Factory());
     }
 
     private function configureDoctrineExtension(ContainerBuilder $container): void

src/Resources/config/services.php

@@ -32,8 +32,10 @@
 use League\Bundle\OAuth2ServerBundle\Manager\ScopeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\OAuth2Events;
 use League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider\OAuth2Provider;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
 use League\Bundle\OAuth2ServerBundle\Security\EntryPoint\OAuth2EntryPoint;
+use League\Bundle\OAuth2ServerBundle\Security\EventListener\CheckScopesListener;
 use League\Bundle\OAuth2ServerBundle\Security\Firewall\OAuth2Listener;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
@@ -128,11 +130,24 @@ function service(string $id): ReferenceConfigurator
         ->alias(AuthCodeRepository::class, 'league.oauth2_server.repository.auth_code')
 
         // Security layer
+        ->set('league.oauth2_server.authenticator.oauth2', OAuth2Authenticator::class)
+            ->args([
+                service('league.oauth2-server.psr_http_factory'),
+                service(ResourceServer::class),
+                service(UserProviderInterface::class),
+                null,
+            ])
+        ->alias(OAuth2Authenticator::class, 'league.oauth2_server.authenticator.oauth2')
+
+        ->set('league.oauth2_server.listener.check_scopes', CheckScopesListener::class)
+            ->tag('kernel.event_subscriber')
+        ->alias(CheckScopesListener::class, 'league.oauth2_server.listener.check_scopes')
+
         ->set('league.oauth2_server.provider.oauth2', OAuth2Provider::class)
             ->args([
                 service(UserProviderInterface::class),
                 service(ResourceServer::class),
-                service(OAuth2TokenFactory::class),
+                service(LegacyOAuth2TokenFactory::class),
                 null,
             ])
         ->alias(OAuth2Provider::class, 'league.oauth2_server.provider.oauth2')
@@ -145,7 +160,7 @@ function service(string $id): ReferenceConfigurator
                 service(TokenStorageInterface::class),
                 service(AuthenticationManagerInterface::class),
                 service('league.oauth2_server.factory.psr_http'),
-                service(OAuth2TokenFactory::class),
+                service(LegacyOAuth2TokenFactory::class),
                 null,
             ])
         ->alias(OAuth2Listener::class, 'league.oauth2_server.security.firewall.oauth2_listener')
@@ -302,8 +317,8 @@ function service(string $id): ReferenceConfigurator
             ])
         ->alias(AuthorizationRequestResolveEventFactory::class, 'league.oauth2_server.factory.authorization_request_resolve_event')
 
-        ->set('league.oauth2_server.factory.oauth2_token', OAuth2TokenFactory::class)
-        ->alias(OAuth2TokenFactory::class, 'league.oauth2_server.factory.oauth2_token')
+        ->set('league.oauth2_server.factory.legacy_oauth2_token', OAuth2TokenFactory::class)
+        ->alias(LegacyOAuth2TokenFactory::class, 'league.oauth2_server.factory.legacy_oauth2_token')
 
         // Storage managers
         ->set('league.oauth2_server.manager.in_memory.scope', ScopeManager::class)

src/Security/Authentication/Provider/OAuth2Provider.php

@@ -4,8 +4,9 @@
 
 namespace League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider;
 
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2Token;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2Token;
+use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2TokenFactory;
+use League\Bundle\OAuth2ServerBundle\Security\User\NullUser;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\ResourceServer;
 use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
@@ -27,7 +28,7 @@ final class OAuth2Provider implements AuthenticationProviderInterface
     private $resourceServer;
 
     /**
-     * @var OAuth2TokenFactory
+     * @var LegacyOAuth2TokenFactory
      */
     private $oauth2TokenFactory;
 
@@ -39,7 +40,7 @@ final class OAuth2Provider implements AuthenticationProviderInterface
     public function __construct(
         UserProviderInterface $userProvider,
         ResourceServer $resourceServer,
-        OAuth2TokenFactory $oauth2TokenFactory,
+        LegacyOAuth2TokenFactory $oauth2TokenFactory,
         string $providerKey
     ) {
         $this->userProvider = $userProvider;
@@ -54,7 +55,7 @@ public function __construct(
     public function authenticate(TokenInterface $token)
     {
         if (!$this->supports($token)) {
-            throw new \RuntimeException(sprintf('This authentication provider can only handle tokes of type \'%s\'.', OAuth2Token::class));
+            throw new \RuntimeException(sprintf('This authentication provider can only handle tokens of type \'%s\'.', LegacyOAuth2Token::class));
         }
 
         try {
@@ -78,21 +79,21 @@ public function authenticate(TokenInterface $token)
     /**
      * {@inheritdoc}
      *
-     * @psalm-assert-if-true OAuth2Token $token
+     * @psalm-assert-if-true LegacyOAuth2Token $token
      */
     public function supports(TokenInterface $token)
     {
-        return $token instanceof OAuth2Token && $this->providerKey === $token->getProviderKey();
+        return $token instanceof LegacyOAuth2Token && $this->providerKey === $token->getProviderKey();
     }
 
-    private function getAuthenticatedUser(string $userIdentifier): ?UserInterface
+    private function getAuthenticatedUser(string $userIdentifier): UserInterface
     {
         if ('' === $userIdentifier) {
             /*
              * If the identifier is an empty string, that means that the
              * access token isn't bound to a user defined in the system.
              */
-            return null;
+            return new NullUser();
         }
 
         return $this->userProvider->loadUserByUsername($userIdentifier);