Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more

Guard Authentication: Powerful, Beautiful Security by your friend: Ryan Weaver @weaverryan

KnpUniversity.com github.com/weaverryan Who is this guy? > Lead for the Symfony documentation  > KnpLabs US - Symfony Consulting, training & general Kumbaya > Writer for KnpUniversity.com Tutorials > Husband of the much more talented @leannapelham

What’s the hardest part of Symfony? @weaverryan

Authentication* Who are you? @weaverryan *I am hard

Authorization Do you have access to do X? @weaverryan

Authentication in Symfony sucks? @weaverryan

1) Grab information from the request @weaverryan

3) Validate if the credentials are valid @weaverryan

4) authentication success… now what? @weaverryan

5) authentication failure … dang, now what?! @weaverryan

6) How do we “ask” the user to login? @weaverryan

6 Steps 5 Diﬀerent Classes @weaverryan

security:  firewalls:  main:  anonymous: ~  logout: ~    form_login: ~  http_basic: ~  some_invented_system_i_created: ~  Each activates a system of these 5 classes @weaverryan

interface GuardAuthenticatorInterface  {  public function getCredentials(Request $request);    public function getUser($credentials, $userProvider);    public function checkCredentials($credentials, UserInterface $user);    public function onAuthenticationFailure(Request $request);    public function onAuthenticationSuccess(Request $request, $token);  public function start(Request $request);   public function supportsRememberMe();  }  @weaverryan

You still have to do work! @weaverryan and wear sunscreen!

But it will be simple @weaverryan https://github.com/knpuniversity/guard-presentation

You need a User class (This has nothing to do with Guard) @weaverryan ☼

@weaverryan use SymfonyComponentSecurityCoreUserUserInterface;    class User implements UserInterface  {    }

class User implements UserInterface  {  private $username;    public function __construct($username)  {  $this->username = $username;  }    public function getUsername()  {  return $this->username;  }    public function getRoles()  {  return ['ROLE_USER'];  }    // …  } a unique identiﬁer (not really used anywhere)

@weaverryan class User implements UserInterface  {  // …   public function getPassword()  {  }  public function getSalt()  {  }  public function eraseCredentials()  {  }  } These are only used for users that have an encoded password

The Hardest Example Ever: Form Login @weaverryan ☼ ☼

A traditional login form setup @weaverryan

class SecurityController extends Controller  {  /**  * @Route("/login", name="security_login")  */  public function loginAction()  {  return $this->render('security/login.html.twig');  }    /**  * @Route("/login_check", name="login_check")  */  public function loginCheckAction()  {  // will never be executed  }  }

<form action="{{ path('login_check') }}” method="post">  <div>  <label for="username">Username</label>  <input name="_username" />  </div>    <div>  <label for="password">Password:</label>  <input type="password" name="_password" />  </div>    <button type="submit">Login</button>  </form>

Let’s create an authenticator! @weaverryan

class FormLoginAuthenticator extends AbstractGuardAuthenticator  {  public function getCredentials(Request $request)  {  }    public function getUser($credentials, UserProviderInterface $userProvider)  {  }    public function checkCredentials($credentials, UserInterface $user)  {  }    public function onAuthenticationFailure(Request $request)  {  }    public function onAuthenticationSuccess(Request $request, TokenInterface $token)  {  }    public function start(Request $request, AuthenticationException $e = null)  {  }    public function supportsRememberMe()  {  }  }

public function getCredentials(Request $request)  {  if ($request->getPathInfo() != '/login_check') {  return;  }    return [  'username' => $request->request->get('_username'),  'password' => $request->request->get('_password'),  ];  } Grab the “login” credentials! @weaverryan

public function getUser($credentials, UserProviderInterface $userProvider)  {  $username = $credentials['username'];    $user = new User();  $user->setUsername($username);    return $user;  } Create/Load that User! @weaverryan

public function checkCredentials($credentials, UserInterface $user)  {  $password = $credentials['password'];  if ($password == 'santa' || $password == 'elves') {  return;  }    return true;  } Are the credentials correct? @weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception)  {  $url = $this->router->generate('security_login');    return new RedirectResponse($url);  } Crap! Auth failed! Now what!? @weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)  {  $url = $this->router->generate('homepage');    return new RedirectResponse($url);  } Amazing. Auth worked. Now what? @weaverryan

public function start(Request $request)  {  $url = $this->router->generate('security_login');    return new RedirectResponse($url);  } Anonymous user went to /admin now what? @weaverryan

Register as a service services:  form_login_authenticator:  class: AppBundleSecurityFormLoginAuthenticator  autowire: true  @weaverryan

Activate in your ﬁrewall security:  firewalls:  main:  anonymous: ~  logout: ~  guard:  authenticators:  - form_login_authenticator @weaverryan

User Providers (This has nothing to do with Guard) @weaverryan ☼☼ ☼

Each App has a User class @weaverryan And the Christmas spirit

Each User Class Needs 1 User Provider @weaverryan

class SunnyUserProvider implements UserProviderInterface  {  public function loadUserByUsername($username)  {  // "load" the user - e.g. load from the db  $user = new User();  $user->setUsername($username);    return $user;  }    public function refreshUser(UserInterface $user)  {  return $user;  }    public function supportsClass($class)  {  return $class == 'AppBundleEntityUser';  }  }

services:  sunny_user_provider:  class: AppBundleSecuritySunnyUserProvider  @weaverryan

security:  providers:  sunnny_users:  id: sunny_user_provider    firewalls:  main:  anonymous: ~  logout: ~  # this is optional as there is only 1 provider  provider: sunny_users  guard:  authenticators: [form_login_authenticator]  Boom! Optional Boom!

class SunnyUserProvider implements UserProviderInterface  {  public function loadUserByUsername($username)  {  // "load" the user - e.g. load from the db  $user = new User();  $user->setUsername($username);    return $user;  }    public function refreshUser(UserInterface $user)  {  return $user;  }    public function supportsClass($class)  {  return $class == 'AppBundleEntityUser';  }  } But why!?

class SunnyUserProvider implements UserProviderInterface  {  public function loadUserByUsername($username)  {  // "load" the user - e.g. load from the db  $user = new User();  $user->setUsername($username);    return $user;  }    public function refreshUser(UserInterface $user)  {  return $user;  }    public function supportsClass($class)  {  return $class == 'AppBundleEntityUser';  }  } refresh from the session

class SunnyUserProvider implements UserProviderInterface  {  public function loadUserByUsername($username)  {  // "load" the user - e.g. load from the db  $user = new User();  $user->setUsername($username);    return $user;  }    public function refreshUser(UserInterface $user)  {  return $user;  }    public function supportsClass($class)  {  return $class == 'AppBundleEntityUser';  }  } switch_user, remember_me

Slightly more sunshiney: Loading a User from the Database @weaverryan

public function getUser($credentials, UserProviderInterface $userProvider)  {  $username = $credentials['username'];  //return $userProvider->loadUserByUsername($username);    return $this->em  ->getRepository('AppBundle:User')  ->findOneBy(['username' => $username]);  } FormLoginAuthenticator you can use this if you want to … or don’t!

class SunnyUserProvider implements UserProviderInterface  {  public function loadUserByUsername($username)  {  $user = $this->em->getRepository('AppBundle:User')  ->findOneBy(['username' => $username]);    if (!$user) {  throw new UsernameNotFoundException();  }    return $user;  }  } @weaverryan (of course, the “entity” user provider does this automatically)

Easiest Example ever: Api (JWT) Authentication @weaverryan Warmest

JSON Web Tokens @weaverryan Q) What if an API client could simply send you its user id as authentication? Authorization: Bearer 123

1) API client authenticates API client Hey dude, I’m weaverryan POST /token username=weaverryan password=I<3php app

2) Is this really weaverryan? API client “It checks out, weaverryan’s password really is I<3php. Nerd” POST /token username=weaverryan password=I<3php app

3) Create a package of data API client app $data = [  'username' => 'weaverryan'  ];

4) Sign the data! $data = [  'username' => 'weaverryan'  ];    // package: namshi/jose  $jws = new SimpleJWS(['alg' => 'RS256']);  $jws->setPayload($data);    $privateKey = openssl_pkey_get_private(  'file://path/to/private.key'  );  $jws->sign($privateKey);    $token = $jws->getTokenString()

5) Send the token back! API client app {  "token": "big_long_json_webtoken"  } POST /token username=weaverryan password=I<3php

6) Client sends the token API client app GET /secret/stuﬀ Authorization: Bearer big_login_json_webtoken

7) Verify the signature // "Authorization: Bearer 123" -> "123"  $authHeader = $request->headers->get('Authorization'); $headerParts = explode(' ', $authHeader);  $token = $headerParts[1];    $jws = SimpleJWS::load($token);  $public_key = openssl_pkey_get_public(  '/path/to/public.key'  );  if (!$jws->isValid($public_key, 'RS256')) {  die('go away >:(')  }

8) Decode the token   $payload = $jws->getPayload();    $username = $payload['username'];

@weaverryan 1) Install a library to help sign tokens composer require lexik/jwt-authentication-bundle

@weaverryan 2) Create a public & private key mkdir var/jwt openssl genrsa -out var/jwt/private.pem 4096 openssl rsa -pubout -in var/jwt/private.pem -out var/jwt/public.pem

@weaverryan 3) Point the library at them # app/config/config.yml  lexik_jwt_authentication:  private_key_path: %kernel.root_dir%/../var/jwt/private.pem  public_key_path: %kernel.root_dir%/../var/jwt/public.pem

4) Endpoint to return tokens /**  * @Route("/token")  */  public function fetchToken(Request $request)  {  $username = $request->request->get('username');  $password = $request->request->get('password');    $user = $this->getDoctrine()  ->getRepository('AppBundle:User')  ->findOneBy(['username' => $username]);  if (!$user) {  throw $this->createNotFoundException();  }    // check password    $token = $this->get('lexik_jwt_authentication.encoder')  ->encode(['username' => $user->getUsername()]);    return new JsonResponse(['token' => $token]);  }

5) Create the JWT Authenticator

class JwtAuthenticator extends AbstractGuardAuthenticator  { private $em;  private $jwtEncoder;    public function __construct(EntityManager $em, JWTEncoder $jwtEncoder)  {  $this->em = $em;  $this->jwtEncoder = $jwtEncoder;  }   public function getCredentials(Request $request)  {  }    public function getUser($credentials, UserProviderInterface $userProvider)  {  }    public function checkCredentials($credentials, UserInterface $user)  {  }    public function onAuthenticationFailure(Request $request)  {  }    public function onAuthenticationSuccess(Request $request, TokenInterface $token)  {  }    // …  }

public function getCredentials(Request $request)  {  $extractor = new AuthorizationHeaderTokenExtractor(  'Bearer',  'Authorization'  );    $token = $extractor->extract($request);    if (false === $token) {  return;  }    return $token;  } @weaverryan

public function getUser($credentials, UserProviderInterface $userProvider)  {  $data = $this->jwtEncoder->decode($credentials);    if (!$data) {  return;  }    $username = $data['username'];    return $this->em  ->getRepository('AppBundle:User')  ->findOneBy(['username' => $username]);  } @weaverryan

public function checkCredentials($credentials, UserInterface $user)  {  // no credentials to check  return true;  }  @weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception)  {  return new JsonResponse([  'message' => $exception->getMessageKey()  ], 401);  } @weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)  {  // let the request continue to the controller  return;  } @weaverryan

Register as a service # app/config/services.yml  services:  jwt_authenticator:  class: AppBundleSecurityJwtAuthenticator  autowire: true @weaverryan

Activate in your ﬁrewall security:  # ...  firewalls:  main:  # ...  guard:  authenticators:  - form_login_authenticator  - jwt_authenticator  entry_point: form_login_authenticator  which “start” method should be called

curl http://localhost:8000/secure <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="1;url=/login" /> <title>Redirecting to /login</title> </head> <body> Redirecting to <a href="/login">/login</a>. </body> </html> @weaverryan

curl --header “Authorization: Bearer BAD" http://localhost:8000/secure {"message":"Username could not be found."} @weaverryan

curl --header “Authorization: Bearer GOOD" http://localhost:8000/secure {"message":"Hello from the secureAction!"} @weaverryan

AUTHENTICATOR /facebook/check?code=abc give me user info! load a User object User

composer require league/oauth2-facebook knpuniversity/oauth2-client-bundle @weaverryan

@weaverryan # app/config/config.yml  knpu_oauth2_client:  clients:  # creates service: "knpu.oauth2.client.facebook"  facebook:  type: facebook  client_id: %facebook_client_id%  client_secret: %facebook_client_secret%  redirect_route: connect_facebook_check  graph_api_version: v2.5

@weaverryan /**  * @Route("/connect/facebook", name="connect_facebook")  */  public function connectFacebookAction()  {  return $this->get('knpu.oauth2.client.facebook')  ->redirect(['public_profile', 'email']);  }    /**  * @Route("/connect/facebook-check", name="connect_facebook_check")  */  public function connectFacebookActionCheck()  {  // will not be reached!  }

class FacebookAuthenticator extends AbstractGuardAuthenticator  {  public function getCredentials(Request $request)  {  }    public function getUser($credentials, UserProviderInterface $userProvider)  {  }    public function checkCredentials($credentials, UserInterface $user)  {  }    public function onAuthenticationFailure(Request $request)  {  }    public function onAuthenticationSuccess(Request $request, TokenInterface $token)  {  }    public function start(Request $request, AuthenticationException $e = null)  {  }    public function supportsRememberMe()  {  }  }

public function getCredentials(Request $request)  {  if ($request->getPathInfo() != '/connect/facebook-check') {  return;  }    return $this->oAuth2Client->getAccessToken($request);  } @weaverryan

public function getUser($credentials, …)  {  /** @var AccessToken $accessToken */  $accessToken = $credentials;    /** @var FacebookUser $facebookUser */  $facebookUser = $this->oAuth2Client  ->fetchUserFromToken($accessToken);    // ...  } @weaverryan

Now, relax in the shade! @weaverryan

@weaverryan public function getUser($credentials, ...)  {  // ...    /** @var FacebookUser $facebookUser */  $facebookUser = $this->oAuth2Client  ->fetchUserFromToken($accessToken);    // 1) have they logged in with Facebook before? Easy!  $user = $this->em->getRepository('AppBundle:User')  ->findOneBy(array('email' => $facebookUser->getEmail()));    if ($user) {  return $user;  }    // ...  }

public function getUser($credentials, ...)  {  // ...    // 2) no user? Perhaps you just want to create one  // (or redirect to a registration)  $user = new User();  $user->setUsername($facebookUser->getName());  $user->setEmail($facebookUser->getEmail());  $em->persist($user);  $em->flush(); return $user;  } @weaverryan

public function checkCredentials($credentials, UserInterface $user)  {  // nothing to do here!  }    public function onAuthenticationFailure(Request $request ...)  {  // redirect to login  }    public function onAuthenticationSuccess(Request $request ...)  {  // redirect to homepage / last page  } @weaverryan

* also supports “ﬁnishing registration” @weaverryan

Extra Sunshine (no sunburn) @weaverryan

Can I control the error message? @weaverryan

@weaverryan If authentication failed, it is because an AuthenticationException (or sub-class) was thrown (This has nothing to do with Guard)

public function onAuthenticationFailure(Request $request, AuthenticationException $exception)  {  return new JsonResponse([  'message' => $exception->getMessageKey()  ], 401);  } @weaverryan Beach Vacation Bonus! The exception is passed when authentication fails AuthenticationException has a hardcoded getMessageKey() “safe” string Invalid credentials.

public function getCredentials(Request $request)  {  }    public function getUser($credentials, UserProviderInterface $userProvider)  {  }    public function checkCredentials($credentials, UserInterface $user)  {  }  Throw an AuthenticationException at any time in these 3 methods

How can I customize the message? @weaverryan Create a new sub-class of AuthenticationException for each message and override getMessageKey()

CustomUserMessageAuthenticationException @weaverryan

public function getUser($credentials, ...)  {  $apiToken = $credentials;    $user = $this->em  ->getRepository('AppBundle:User')  ->findOneBy(['apiToken' => $apiToken]);    if (!$user) {  throw new CustomUserMessageAuthenticationException(  'That API token is stormy'  );  }    return $user;  } @weaverryan

I need to manually authenticate my user @weaverryan

public function registerAction(Request $request)  {  $user = new User();  $form = // ...    if ($form->isValid()) {  // save the user    $guardHandler = $this->container  ->get('security.authentication.guard_handler');    $guardHandler->authenticateUserAndHandleSuccess(  $user,  $request,  $this->get('form_login_authenticator'),  'main' // the name of your firewall  );  // redirect  }  // ...  }

I want to save a lastLoggedInAt ﬁeld on my user no matter *how* they login @weaverryan

Chill… that was already possible SecurityEvents::INTERACTIVE_LOGIN @weaverryan

class LastLoginSubscriber implements EventSubscriberInterface  {  public function onInteractiveLogin(InteractiveLoginEvent $event)  {  /** @var User $user */  $user = $event->getAuthenticationToken()->getUser();  $user->setLastLoginTime(new DateTime());  $this->em->persist($user);  $this->em->flush($user);  }    public static function getSubscribedEvents()  {  return [  SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin'  ];  }  }  @weaverryan

@weaverryan Ok, so how do I make my weird auth system?

1. User implements UserInterface @weaverryan

3. Create your authenticator(s) @weaverryan

@weaverryan Do it: http://symfony.com/doc/current/cookbook/security/guard-authentication.html http://KnpUniversity.com/guard

@weaverryan New (free) Symfony 3 Tutorial KnpUniversity.com Thank You!

Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more

More Related Content

What's hot

Similar to Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more

More from Ryan Weaver

Recently uploaded

Symfony Guard Authentication: Fun with API Token, Social Login, JWT and more