Drop support for legacy security system

Author: mtarld

docs/basic-setup.md

@@ -95,10 +95,12 @@ Options:
 
 ## Configuring the Security layer
 
-Add two new firewalls in your security configuration:
+Add two new firewalls in your security configuration and enable the authenticator security system:
 
 ```yaml
 security:
+    enable_authenticator_manager: true
+
     firewalls:
         api_token:
             pattern: ^/api/token$

docs/index.md

@@ -13,7 +13,7 @@ For implementation into Symfony projects, please see [bundle documentation](docs
 ## Requirements
 
 * [PHP 7.2](http://php.net/releases/7_2_0.php) or greater
-* [Symfony 4.4](https://symfony.com/roadmap/4.4) or [Symfony 5.x](https://symfony.com/roadmap/5.0)
+* [Symfony 5.2](https://symfony.com/roadmap/5.2) or greater
 
 ## Installation
 
@@ -91,9 +91,6 @@ For implementation into Symfony projects, please see [bundle documentation](docs
                 entity_manager:       default
             in_memory:            ~
 
-        # The priority of the event listener that converts an Exception to a Response
-        exception_event_listener_priority: 10
-
         # Set a custom prefix that replaces the default 'ROLE_OAUTH2_' role prefix
         role_prefix:          ROLE_OAUTH2_
     ```
@@ -110,6 +107,13 @@ For implementation into Symfony projects, please see [bundle documentation](docs
     bin/console doctrine:schema:update --force
     ```
 
+1. Enable the authenticator security system in `config/security.yaml` file:
+
+```yaml
+security:
+    enable_authenticator_manager: true
+```
+
 1. Import the routes inside your `config/routes.yaml` file:
 
     ```yaml
@@ -121,7 +125,7 @@ You can verify that everything is working by issuing a `POST` request to the `/t
 
 **❮ NOTE ❯** It is recommended to control the access to the authorization endpoint
 so that only logged in users can approve authorization requests.
-You should review your `security.yml` file. Here is a sample configuration:
+You should review your `config/security.yaml` file. Here is a sample configuration:
 
 ```yaml
 security:

src/DependencyInjection/Configuration.php

@@ -26,10 +26,6 @@ public function getConfigTreeBuilder(): TreeBuilder
 
         $rootNode
             ->children()
-                ->scalarNode('exception_event_listener_priority')
-                    ->info('The priority of the event listener that converts an Exception to a Response')
-                    ->defaultValue(10)
-                ->end()
                 ->scalarNode('role_prefix')
                     ->info('Set a custom prefix that replaces the default \'ROLE_OAUTH2_\' role prefix')
                     ->defaultValue('ROLE_OAUTH2_')

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -9,15 +9,13 @@
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Grant as GrantType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\RedirectUri as RedirectUriType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Scope as ScopeType;
-use League\Bundle\OAuth2ServerBundle\EventListener\ConvertExceptionToResponseListener;
 use League\Bundle\OAuth2ServerBundle\League\AuthorizationServer\GrantTypeInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\AccessTokenManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\AuthorizationCodeManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\ClientManager;
 use League\Bundle\OAuth2ServerBundle\Manager\Doctrine\RefreshTokenManager;
 use League\Bundle\OAuth2ServerBundle\Manager\ScopeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Model\Scope as ScopeModel;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2TokenFactory;
 use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
 use League\Bundle\OAuth2ServerBundle\Service\CredentialsRevoker\DoctrineCredentialsRevoker;
 use League\OAuth2\Server\AuthorizationServer;
@@ -38,7 +36,6 @@
 use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
 use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
-use Symfony\Component\HttpKernel\KernelEvents;
 
 final class LeagueOAuth2ServerExtension extends Extension implements PrependExtensionInterface, CompilerPassInterface
 {
@@ -61,19 +58,9 @@ public function load(array $configs, ContainerBuilder $container)
         $this->configureResourceServer($container, $config['resource_server']);
         $this->configureScopes($container, $config['scopes']);
 
-        $container->findDefinition(LegacyOAuth2TokenFactory::class)
-            ->setArgument(0, $config['role_prefix']);
-
         $container->findDefinition(OAuth2Authenticator::class)
             ->setArgument(3, $config['role_prefix']);
 
-        $container->findDefinition(ConvertExceptionToResponseListener::class)
-            ->addTag('kernel.event_listener', [
-                'event' => KernelEvents::EXCEPTION,
-                'method' => 'onKernelException',
-                'priority' => $config['exception_event_listener_priority'],
-            ]);
-
         $container->registerForAutoconfiguration(GrantTypeInterface::class)
             ->addTag('league.oauth2_server.authorization_server.grant');
     }

src/DependencyInjection/Security/OAuth2Factory.php

@@ -4,16 +4,12 @@
 
 namespace League\Bundle\OAuth2ServerBundle\DependencyInjection\Security;
 
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider\OAuth2Provider;
 use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
-use League\Bundle\OAuth2ServerBundle\Security\EntryPoint\OAuth2EntryPoint;
-use League\Bundle\OAuth2ServerBundle\Security\Firewall\OAuth2Listener;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AuthenticatorFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
-use Symfony\Component\DependencyInjection\Reference;
 
 /**
  * @author Mathias Arlaud <[email protected]>
@@ -22,18 +18,7 @@ final class OAuth2Factory implements SecurityFactoryInterface, AuthenticatorFact
 {
     public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint): array
     {
-        $provider = sprintf('security.authentication.provider.oauth2.%s', $id);
-        $container
-            ->setDefinition($provider, new ChildDefinition(OAuth2Provider::class))
-            ->replaceArgument(0, new Reference($userProvider))
-            ->replaceArgument(3, $id);
-
-        $listener = sprintf('security.authentication.listener.oauth2.%s', $id);
-        $container
-            ->setDefinition($listener, new ChildDefinition(OAuth2Listener::class))
-            ->replaceArgument(4, $id);
-
-        return [$provider, $listener, OAuth2EntryPoint::class];
+        throw new \LogicException('OAuth2 is not supported when "security.enable_authenticator_manager" is not set to true.');
     }
 
     public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProvider): string

src/EventListener/ConvertExceptionToResponseListener.php

@@ -17,7 +17,6 @@
 use League\Bundle\OAuth2ServerBundle\Converter\UserConverterInterface;
 use League\Bundle\OAuth2ServerBundle\Event\AuthorizationRequestResolveEventFactory;
 use League\Bundle\OAuth2ServerBundle\EventListener\AuthorizationRequestUserResolvingListener;
-use League\Bundle\OAuth2ServerBundle\EventListener\ConvertExceptionToResponseListener;
 use League\Bundle\OAuth2ServerBundle\League\AuthorizationServer\GrantConfigurator;
 use League\Bundle\OAuth2ServerBundle\League\Repository\AccessTokenRepository;
 use League\Bundle\OAuth2ServerBundle\League\Repository\AuthCodeRepository;
@@ -32,12 +31,8 @@
 use League\Bundle\OAuth2ServerBundle\Manager\RefreshTokenManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\ScopeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\OAuth2Events;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Provider\OAuth2Provider;
-use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\LegacyOAuth2TokenFactory;
 use League\Bundle\OAuth2ServerBundle\Security\Authenticator\OAuth2Authenticator;
-use League\Bundle\OAuth2ServerBundle\Security\EntryPoint\OAuth2EntryPoint;
-use League\Bundle\OAuth2ServerBundle\Security\EventListener\CheckScopesListener;
-use League\Bundle\OAuth2ServerBundle\Security\Firewall\OAuth2Listener;
+use League\Bundle\OAuth2ServerBundle\Security\EventListener\CheckScopeListener;
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -56,8 +51,7 @@
 use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
-use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
-use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
@@ -127,31 +121,12 @@
             ])
         ->alias(OAuth2Authenticator::class, 'league.oauth2_server.authenticator.oauth2')
 
-        ->set('league.oauth2_server.listener.check_scopes', CheckScopesListener::class)
-            ->tag('kernel.event_subscriber')
-        ->alias(CheckScopesListener::class, 'league.oauth2_server.listener.check_scopes')
-
-        ->set('league.oauth2_server.provider.oauth2', OAuth2Provider::class)
-            ->args([
-                service(UserProviderInterface::class),
-                service(ResourceServer::class),
-                service(LegacyOAuth2TokenFactory::class),
-                null,
-            ])
-        ->alias(OAuth2Provider::class, 'league.oauth2_server.provider.oauth2')
-
-        ->set('league.oauth2_server.security.entrypoint.oauth2', OAuth2EntryPoint::class)
-        ->alias(OAuth2EntryPoint::class, 'league.oauth2_server.security.entrypoint.oauth2')
-
-        ->set('league.oauth2_server.security.firewall.oauth2_listener', OAuth2Listener::class)
+        ->set('league.oauth2_server.listener.check_scope', CheckScopeListener::class)
             ->args([
-                service(TokenStorageInterface::class),
-                service(AuthenticationManagerInterface::class),
-                service('league.oauth2_server.factory.psr_http'),
-                service(LegacyOAuth2TokenFactory::class),
-                null,
+                service(RequestStack::class),
             ])
-        ->alias(OAuth2Listener::class, 'league.oauth2_server.security.firewall.oauth2_listener')
+            ->tag('kernel.event_subscriber')
+        ->alias(CheckScopeListener::class, 'league.oauth2_server.listener.check_scope')
 
         ->set('league.oauth2_server.authorization_server.grant_configurator', GrantConfigurator::class)
             ->args([
@@ -237,9 +212,6 @@
             ])
         ->alias(AuthorizationRequestUserResolvingListener::class, 'league.oauth2_server.listener.authorization_request_user_resolving')
 
-        ->set('league.oauth2_server.listener.convert_exception_to_response', ConvertExceptionToResponseListener::class)
-        ->alias(ConvertExceptionToResponseListener::class, 'league.oauth2_server.listener.convert_exception_to_response')
-
         // Token controller
         ->set('league.oauth2_server.controller.token', TokenController::class)
             ->args([
@@ -305,9 +277,6 @@
             ])
         ->alias(AuthorizationRequestResolveEventFactory::class, 'league.oauth2_server.factory.authorization_request_resolve_event')
 
-        ->set('league.oauth2_server.factory.legacy_oauth2_token', LegacyOAuth2TokenFactory::class)
-        ->alias(LegacyOAuth2TokenFactory::class, 'league.oauth2_server.factory.legacy_oauth2_token')
-
         // Storage managers
         ->set('league.oauth2_server.manager.in_memory.scope', ScopeManager::class)
             ->args([