vendor/league/oauth2-server-bundle/src/Security/Authenticator/OAuth2Authenticator.php line 72

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace League\Bundle\OAuth2ServerBundle\Security\Authenticator;
  7. use League\Bundle\OAuth2ServerBundle\Security\Authentication\Token\OAuth2Token;
  8. use League\Bundle\OAuth2ServerBundle\Security\Exception\OAuth2AuthenticationException;
  9. use League\Bundle\OAuth2ServerBundle\Security\Exception\OAuth2AuthenticationFailedException;
  10. use League\Bundle\OAuth2ServerBundle\Security\Passport\Badge\ScopeBadge;
  11. use League\Bundle\OAuth2ServerBundle\Security\User\NullUser;
  12. use League\OAuth2\Server\Exception\OAuthServerException;
  13. use League\OAuth2\Server\ResourceServer;
  14. use Symfony\Bridge\PsrHttpMessage\HttpMessageFactoryInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  19. use Symfony\Component\Security\Core\User\UserInterface;
  20. use Symfony\Component\Security\Core\User\UserProviderInterface;
  21. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  22. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  23. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  24. use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
  25. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  26. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  28. /**
  29.  * @author Mathias Arlaud <mathias.arlaud@gmail.com>
  30.  */
  31. final class OAuth2Authenticator implements AuthenticatorInterfaceAuthenticationEntryPointInterface
  32. {
  33.     /**
  34.      * @psalm-suppress UndefinedTrait
  35.      * @psalm-suppress MethodSignatureMismatch
  36.      */
  37.     use ForwardCompatAuthenticatorTrait;
  39.     private HttpMessageFactoryInterface $httpMessageFactory;
  40.     private ResourceServer $resourceServer;
  41.     private UserProviderInterface $userProvider;
  42.     private string $rolePrefix;
  44.     public function __construct(
  45.         HttpMessageFactoryInterface $httpMessageFactory,
  46.         ResourceServer $resourceServer,
  47.         UserProviderInterface $userProvider,
  48.         string $rolePrefix
  49.     ) {
  50.         $this->httpMessageFactory $httpMessageFactory;
  51.         $this->resourceServer $resourceServer;
  52.         $this->userProvider $userProvider;
  53.         $this->rolePrefix $rolePrefix;
  54.     }
  56.     public function supports(Request $request): ?bool
  57.     {
  58.         return str_starts_with($request->headers->get('Authorization'''), 'Bearer ');
  59.     }
  61.     public function start(Request $request, ?AuthenticationException $authException null): Response
  62.     {
  63.         return new Response(''401, ['WWW-Authenticate' => 'Bearer']);
  64.     }
  66.     /**
  67.      * @return Passport
  68.      */
  69.     public function doAuthenticate(Request $request/* : Passport */
  70.     {
  71.         try {
  72.             $psr7Request $this->resourceServer->validateAuthenticatedRequest($this->httpMessageFactory->createRequest($request));
  73.         } catch (OAuthServerException $e) {
  74.             throw OAuth2AuthenticationFailedException::create('The resource server rejected the request.'$e);
  75.         }
  77.         /** @var string $userIdentifier */
  78.         $userIdentifier $psr7Request->getAttribute('oauth_user_id''');
  80.         /** @var string $accessTokenId */
  81.         $accessTokenId $psr7Request->getAttribute('oauth_access_token_id');
  83.         /** @var list<string> $scopes */
  84.         $scopes $psr7Request->getAttribute('oauth_scopes', []);
  86.         /** @var string $oauthClientId */
  87.         $oauthClientId $psr7Request->getAttribute('oauth_client_id''');
  89.         /** @psalm-suppress MixedInferredReturnType */
  90.         $userLoader = function (string $userIdentifier): UserInterface {
  91.             if ('' === $userIdentifier) {
  92.                 return new NullUser();
  93.             }
  94.             if (!method_exists($this->userProvider'loadUserByIdentifier')) {
  95.                 /**
  96.                  * @psalm-suppress DeprecatedMethod
  97.                  * @psalm-suppress MixedReturnStatement
  98.                  */
  99.                 return $this->userProvider->loadUserByUsername($userIdentifier);
  100.             }
  102.             return $this->userProvider->loadUserByIdentifier($userIdentifier);
  103.         };
  105.         $passport = new SelfValidatingPassport(new UserBadge($userIdentifier$userLoader), [
  106.             new ScopeBadge($scopes),
  107.         ]);
  109.         $passport->setAttribute('accessTokenId'$accessTokenId);
  110.         $passport->setAttribute('oauthClientId'$oauthClientId);
  112.         return $passport;
  113.     }
  115.     /**
  116.      * @return OAuth2Token
  117.      *
  118.      * @psalm-suppress DeprecatedInterface
  119.      * @psalm-suppress UndefinedClass
  120.      * @psalm-suppress MixedInferredReturnType
  121.      * @psalm-suppress RedundantCondition
  122.      */
  123.     public function createAuthenticatedToken(PassportInterface $passportstring $firewallName): TokenInterface
  124.     {
  125.         if (!$passport instanceof Passport) {
  126.             throw new \RuntimeException(sprintf('Cannot create a OAuth2 authenticated token. $passport should be a %s'Passport::class));
  127.         }
  129.         $token $this->createToken($passport$firewallName);
  130.         /**
  131.          * @psalm-suppress TooManyArguments
  132.          * @psalm-suppress UndefinedMethod
  133.          */
  134.         $token->setAuthenticated(true);
  136.         return $token;
  137.     }
  139.     /**
  140.      * @return OAuth2Token
  141.      */
  142.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  143.     {
  144.         /** @var string $accessTokenId */
  145.         $accessTokenId $passport->getAttribute('accessTokenId');
  147.         /** @var ScopeBadge $scopeBadge */
  148.         $scopeBadge $passport->getBadge(ScopeBadge::class);
  150.         /** @var string $oauthClientId */
  151.         $oauthClientId $passport->getAttribute('oauthClientId''');
  153.         $token = new OAuth2Token($passport->getUser(), $accessTokenId$oauthClientId$scopeBadge->getScopes(), $this->rolePrefix);
  154.         if (method_exists(AuthenticatorInterface::class, 'createAuthenticatedToken') && !method_exists(AuthenticatorInterface::class, 'createToken')) {
  155.             // symfony 5.4 only
  156.             /**
  157.              * @psalm-suppress TooManyArguments
  158.              * @psalm-suppress UndefinedMethod
  159.              */
  160.             $token->setAuthenticated(truefalse);
  161.         }
  163.         return $token;
  164.     }
  166.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  167.     {
  168.         return null;
  169.     }
  171.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  172.     {
  173.         if ($exception instanceof OAuth2AuthenticationException) {
  174.             return new Response($exception->getMessage(), $exception->getStatusCode(), $exception->getHeaders());
  175.         }
  177.         throw $exception;
  178.     }
  179. }