LexikJWT get token - php

I'm using Symfony2 for a website. I'm also using FOSUser and LexikJWT to connect through a web service. I read the documentation of LexikJWT but it doesn't work.
parameters.yml
jwt_private_key_path: %kernel.root_dir%/var/jwt/private.pem # ssh private key path
jwt_public_key_path: %kernel.root_dir%/var/jwt/public.pem # ssh public key path
jwt_key_pass_phrase: 'mypass' # ssh key pass phrase
jwt_token_ttl: 86400
routing.yml
fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/all.xml"
fos_user_change_password:
    resource: "@FOSUserBundle/Resources/config/routing/change_password.xml"
    prefix: /profile
admin:
    resource: "@AppBundle/Resources/config/routing.php"
    prefix: /
api_login_check:
    path: /api/login_check
config.yml
fos_user:
    db_driver: orm
    firewall_name: main
    user_class: AppBundle\Entity\User
    registration:
        confirmation:
            enabled: true
    service:
        mailer: fos_user.mailer.default
lexik_jwt_authentication:
    private_key_path: %jwt_private_key_path%
    public_key_path: %jwt_public_key_path%
    pass_phrase: %jwt_key_pass_phrase%
    token_ttl: %jwt_token_ttl%
security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory:
            memory: ~
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        main:
            anonymous: true
            pattern: ^/
            form_login:
                provider: fos_userbundle
                #csrf_provider: fos_user.user_provider.username
            logout: true
            anonymous: true
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
            # http_basic:
            #     realm: "REST Service Realm"
            #     provider: fos_userbundle
        login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            #provider: fos_userbundle
            form_login:
                check_path: /api/login_check
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                username_parameter: username
                password_parameter: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false
        api:
            pattern: ^/api/.*
            stateless: true
            lexik_jwt: ~
            provider: fos_userbundle
        # default:
        #     pattern: ^/
        #     http_basic:
        #         realm: "REST Service Realm"
        #         provider: fos_userbundle
        #     logout: true
        # activate different ways to authenticate
        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_ADMIN }
        - { path: ^/api/login, roles: ROLE_API }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
To get the token, I put this in the terminal:
curl -X POST -d '{"username": "xxxx", "password": "xxxxx"}' -H "Content-Type:application/json" http://myhost:8888/api/login_check
and it returns:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="1;url=http://myhost:8888/login" />
<title>Redirecting to http://myhost:8888/login</title>
</head>
<body>
Redirecting to http://myhost:8888/login.
</body>
</html>
But I want a JSON response like:
{
"token" : "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJleHAiOjE0MzQ3Mjc1MzYsInVzZXJuYW1lIjoia29ybGVvbiIsImlhdCI6IjE0MzQ2NDExMzYifQ.nh0L_wuJy6ZKIQWh6OrW5hdLkviTs1_bau2GqYdDCB0Yqy_RplkFghsuqMpsFls8zKEErdX5TYCOR7muX0aQvQxGQ4mpBkvMDhJ4-pE4ct2obeMTr_s4X8nC00rBYPofrOONUOR4utbzvbd4d2xT_tj4TdR_0tsr91Y7VskCRFnoXAnNT-qQb7ci7HIBTbutb9zVStOFejrb4aLbr7Fl4byeIEYgp2Gd7gY"
}
I don't understand... can anyone help me?
Thanks!!
EDIT: I saw the dev log and the error is:
Access denied, the user is not fully authenticated
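The question has no answer on this page, so here is an added example (not code from the asker or from LexikJWT) that simulates the two first-match rules Symfony applies to a request against the security.yml posted above: only the first firewall whose pattern matches is activated, and only the first matching access_control entry is enforced. It assumes the `login` firewall's check_path is /api/login_check, as the first of its two check_path lines says, and that `main` keeps Symfony's default check_path of /login_check. The same first-match rule is what the answer on multiple firewall contexts further down means by "the order of the access_control is important".

```python
import re

# Firewalls from the first security.yml above, in declared order, with the
# form_login check_path each would handle (Symfony's default is /login_check;
# the "login" firewall's first check_path line sets /api/login_check).
# Symfony activates only the FIRST firewall whose pattern matches the path.
FIREWALLS_AS_POSTED = [
    ("main",  r"^/",                                 "/login_check"),
    ("dev",   r"^/(_(profiler|wdt)|css|images|js)/", None),
    ("login", r"^/api/login",                        "/api/login_check"),
    ("api",   r"^/api/.*",                           None),
]
# Same firewalls, specific patterns declared before the catch-all.
FIREWALLS_SPECIFIC_FIRST = [FIREWALLS_AS_POSTED[i] for i in (1, 2, 3, 0)]

# access_control from the same file; again the first matching rule decides.
ACCESS_CONTROL = [
    (r"^/login$",    "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register",  "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin",     "ROLE_ADMIN"),
    (r"^/api/login", "ROLE_API"),
    (r"^/api",       "IS_AUTHENTICATED_FULLY"),
]


def select_firewall(path, firewalls):
    """Name and check_path of the first firewall whose pattern matches."""
    for name, pattern, check_path in firewalls:
        if re.search(pattern, path):
            return name, check_path
    return None, None


def required_role(path, rules=ACCESS_CONTROL):
    """Role demanded by the first matching access_control rule, or None."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


def handle(path, firewalls, roles=frozenset()):
    """Simulate one request from a user holding `roles` (empty = anonymous).
    The form_login listener acts on its check_path before access_control is
    consulted, so a POST there is authenticated rather than access-checked.
    role_hierarchy is not modelled."""
    name, check_path = select_firewall(path, firewalls)
    if name is None:
        return None, "no firewall"
    if path == check_path:
        return name, "form_login authenticates the POST"
    role = required_role(path)
    if role in (None, "IS_AUTHENTICATED_ANONYMOUSLY") or role in roles:
        return name, "allowed"
    # A user lacking the role is sent to the firewall's entry point; for
    # main's form_login that is the HTML redirect to /login shown above.
    return name, "denied: sent to the firewall entry point"
```

With the posted order, `/api/login_check` never reaches the `login` firewall: `main` (pattern `^/`) claims it, its check_path does not match, and the `^/api/login` rule demands ROLE_API from an anonymous user, which produces exactly the redirect to /login in the curl output.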

Related

FOSUserBundle + LexikJWTAuthBundle login via email

I have to have JWT auth for my REST API. Now everything works fine, but when I try to get a token via an email/password pair I get an error: Bad credentials. When I use username/password everything is OK.
My security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_doc:
            pattern: ^/api/doc
            anonymous: true
            security: false
        login:
            pattern: ^/login
            stateless: true
            anonymous: true
            form_login:
                check_path: /login
                username_parameter: username
                password_parameter: password
                provider: fos_userbundle
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false
        api:
            pattern: ^/api
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
        password:
            pattern: ^/user/passwords
            anonymous: true
            security: false
    access_control:
        - { path: ^/user/passwords, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
config.yml
lexik_jwt_authentication:
    private_key_path: '%jwt_private_key_path%'
    public_key_path: '%jwt_public_key_path%'
    pass_phrase: '%jwt_key_pass_phrase%'
    token_ttl: '%jwt_token_ttl%'
    user_identity_field: email
So the answer was to add a new user provider:
providers:
    main_provider:
        entity: { class: UserBundle\Entity\User, property: email }
I don't know why the default fos_user provider didn't work. Maybe some setup error.
For check_path it has to be
check_path: /login_check

Redirect Loop on Symfony security

I'm just new to Symfony. I have a task at work to create a traditional login form. So I've created a firewall named main and access_control in my security.yml like so:
firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    profiler1:
        pattern: ^/_profiler
        security: false
        anonymous: true
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    gos_websocket:
        pattern: ^/channel
        security: false
    oauth_token:
        pattern: ^/oauth/v2/token
        security: false
    api_doc:
        pattern: ^/api/doc
        security: false
    oauth_authorize:
        pattern: ^/oauth/v2/auth
        security: false
    api:
        pattern: ^/api
        fos_oauth: true
        stateless: true
        anonymous: false
    main:
        pattern: ^/
        #stateless: false
        #simple_preauth:
        #    authenticator: apikey_authenticator
        #provider: api_key_account_provider
        provider: ms.user_provider
        logout:
            path: /security/logout
            target: /security/login
        form_login:
            login_path: /security/login
            check_path: /security/check-login
            default_target_path: /dashboard
            always_use_default_target_path: true
        #anonymous: true
        # activate different ways to authenticate
        # http_basic: ~
        # http://symfony.com/doc/current/book/security.html#a-configuring-how-your-users-will-authenticate
        # form_login: ~
        # http://symfony.com/doc/current/cookbook/security/form_login_setup.html
access_control:
    #- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
    # - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/security/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
When I try to access the security/login URL, it says that it encountered too many redirects. Why is that so?
Thanks!
You missed an "s"
- { path: ^/security/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

Symfony: Multiple firewall contexts - User being forwarded to the wrong context

I've got a login for the frontend (which is optional), and another login for the admin panel, which is mandatory.
When a user goes to fe_login, they can login to the frontend context. This is okay!
When they go to admin_login, they should be able to log in to the admin context. This is not okay.
The issue is that when I go to /admin, I get redirected to fe_login when I should be redirected to admin_login.
Here's my security.yml:
security:
    encoders:
        App\FrontendBundle\Controller\UserController:
            algorithm: bcrypt
        App\AdminBundle\Controller\UserController:
            algorithm: bcrypt
        App\Entity\User:
            algorithm: bcrypt
    providers:
        administrators:
            entity: { class: AppEntity:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: ^/admin
            form_login:
                login_path: admin_login
                check_path: admin_auth
                csrf_provider: form.csrf_provider
            logout:
                path: admin_logout
                target: admin_login
        frontend:
            anonymous: ~
            form_login:
                login_path: fe_login
                check_path: fe_auth
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: fe_landing
            logout:
                path: fe_logout
                target: fe_landing
        login:
            pattern: ^/admin/login
            anonymous: ~
        default:
            anonymous: ~
    access_control:
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
Any idea what I am doing wrong?
Here is my security.yml, but as I said it is for Symfony 2.0; maybe you will find a hint.
security:
    encoders:
        ### ...
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        admin_adminbundle:
            id: custom_admin_manager_id
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: ^/admin/
            form_login:
                check_path: /admin/check-login
                login_path: /admin/login
                provider: admin_adminbundle
                csrf_provider: form.csrf_provider
                post_only: true
                success_handler: login_success_handler
                failure_handler: admin_login_failure_handler
                username_parameter: login_username
                password_parameter: login_password
                remember_me: false
            logout:
                path: /admin/logout
                target: /admin/login
            anonymous: true
        frontend:
            pattern: ^/
            form_login:
                check_path: /frontend/check-login
                login_path: /frontend/login
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                post_only: true
                success_handler: login_success_handler
                failure_handler: login_failure_handler
                username_parameter: login_username
                password_parameter: login_password
            logout:
                path: /frontend/logout
                success_handler: logout_success_handler
            anonymous: true
    access_control:
        - { path: ^/frontend/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
I'm not quite sure about the reason, but you must know that security.yml must be a really clear file in order to avoid misconfiguration (which would lead to security issues).
So, regarding your file:
it misses the pattern key on the frontend section: I would add pattern: ^/
the frontend login path could be specified as you did for the backend one
the order of your rules makes me think something is not correct
This is a version you should test:
security:
    encoders:
        App\FrontendBundle\Controller\UserController:
            algorithm: bcrypt
        App\AdminBundle\Controller\UserController:
            algorithm: bcrypt
        App\Entity\User:
            algorithm: bcrypt
    providers:
        administrators:
            entity: { class: AppEntity:User, property: username }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login_admin:
            pattern: ^/admin/login
            anonymous: ~
        admin:
            pattern: ^/admin
            form_login:
                login_path: admin_login
                check_path: admin_auth
                csrf_provider: form.csrf_provider
            logout:
                path: admin_logout
                target: admin_login
        login_frontend:
            pattern: ^/login # you should adapt this to your app
            anonymous: ~
        frontend:
            pattern: ^/
            anonymous: ~
            form_login:
                login_path: fe_login
                check_path: fe_auth
                csrf_provider: form.csrf_provider
                always_use_default_target_path: true
                default_target_path: fe_landing
            logout:
                path: fe_logout
                target: fe_landing
    access_control:
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
You have some firewalls that seem unnecessary. Let's simplify your firewall config:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    admin:
        pattern: ^/admin
        form_login:
            login_path: admin_login
            check_path: admin_auth
            csrf_provider: form.csrf_provider
        logout:
            path: admin_logout
            target: admin_login
        anonymous: ~
    frontend:
        pattern: ^/
        anonymous: ~
        form_login:
            login_path: fe_login
            check_path: fe_auth
            csrf_provider: form.csrf_provider
            always_use_default_target_path: true
            default_target_path: fe_landing
        logout:
            path: fe_logout
            target: fe_landing
access_control:
    # allow unauthenticated to access admin login
    - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # restrict admin access
    - { path: ^/admin, roles: [ROLE_ADMIN,ROLE_MANAGER,ROLE_DRIVER,ROLE_PARTNER] }
    # allow unauthenticated to access front end login
    - { path: ^/fe/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # restrict front end access
    - { path: ^/fe, roles: ROLE_USER } # or whatever the role is of your frontend user
    # allow all other pages to be viewed by unauthenticated users
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
This config makes it so that all pages under /fe require front end authorization and all pages under /admin require admin authorization. And all other pages are not protected at all. You can adjust that however you want.
The order of the access_control is important. As soon as a rule is matched, it does not try to match any further entries. This config should work so that the correct login is displayed. However, it does not appear that you are using a different user provider for each firewall. So when you are logging in, the application will use the same provider for both logins. This may or may not be what you intend, but I thought I would point it out. If you do want a different user provider for each login, just add the provider: ProviderName to each firewall.

Symfony 2: Multiple login pages, multiple firewalls

I have an application that has two login pages - one for frontend users and one for administrators.
I have a custom auth provider that I would like to use for both. Here is my code:
firewalls:
    admin_area:
        pattern: ^/admin
        anonymous: ~
        form_login:
            check_path: /admin/admin_login_check
            login_path: knetik_admin_user_login
        logout:
            path: knetik_user_logout
            target: _welcome
            invalidate_session: true
            handlers: [ knetik.authentication.logout.listener ]
        context: my_context
    secured_area:
        pattern: ^/
        anonymous: ~
        form_login:
            check_path: /admin/login_check
            login_path: knetik_user_login
            remember_me: true
        logout:
            path: knetik_user_logout
            target: _welcome
            invalidate_session: true
            handlers: [ knetik.authentication.logout.listener ]
        knetik_auth:
            remember_me: true
        remember_me:
            key: "%secret%"
            lifetime: 2232000
            path: /
            domain: ~
        context: my_context
access_control:
    # - { path: ^/, roles: ROLE_USER, requires_channel: http }
    - { path: ^/admin, roles: ROLE_ADMIN }
This gives me an error message of:
InvalidConfigurationException: Invalid configuration for path "security.firewalls.admin_area": The check_path "/login_check" for login method "knetik_auth" is not matched by the firewall pattern "^/admin/".
Looking to see if anyone has run into a similar issue?
This is my project's security.yml file; maybe it will give you some references:
security:
    encoders:
        myBundle\Service\WebserviceUser: plaintext
        entity_admin:
            class: My\Entity\Administrator
            algorithm: sha1
            iterations: 1
            encode_as_base64: false
    providers:
        entity_admin:
            entity:
                class: myBundle\Entity\Administrator
                property: username
        provider_members:
            id: my_custom.service.user_provider # this is my customized user provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin_secured_area:
            pattern: ^/admin
            provider: entity_admin
            anonymous: ~
            form_login:
                login_path: /admin/login
                check_path: /admin/login_check
            logout:
                path: /admin/logout
                target: /admin
        members_secured_area:
            pattern: ^/
            provider: provider_members
            anonymous: ~
            form_login:
                check_path: /login_check
                login_path: /login
                remember_me: true
            remember_me:
                key: "%secret%"
                lifetime: 31536000 # 365 days in seconds
                path: /
                domain: ~ # Defaults to the current domain from $_SERVER
            logout:
                path: /logout
                target: /
    access_control:
        admin_login:
            path: /admin/login
            roles: IS_AUTHENTICATED_ANONYMOUSLY
        admin_area:
            path: ^/admin
            roles: ROLE_ADMIN
        members_login:
            path: /login
            roles: IS_AUTHENTICATED_ANONYMOUSLY
        members_area:
            path: ^/
            roles: ROLE_USER
For implementing multiple logins in Symfony 2.x, try the following code:
Security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        Company\AngularBundle\Entity\User: plaintext
        Company\AngularBundle\Entity\Admin: plaintext
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        users:
            entity: { class: CompanyAngularBundle:User, property: username }
        admin:
            entity: { class: CompanyAngularBundle:Admin, property: username }
    firewalls:
        admin_secured_area:
            pattern: ^/admin
            anonymous: ~
            provider: admin
            form_login:
                login_path: /admin/login
                check_path: /admin/login_check
                default_target_path: /admin
        user_secured_area:
            pattern: ^/
            anonymous: ~
            provider: users
            form_login:
                login_path: login
                check_path: login_check
                default_target_path: /home
routing.yml
login_check:
    path: /login_check
admin_login_check:
    path: /admin/login_check
Twig file
Action of login form should be like this
<form action="{{ path('login_check') }}" method="post">
Action of admin/login form should be like this
<form action="{{ path('admin_login_check') }}" method="post">

unrecognized options resource_owners in symfony 2

I am using HWIOAuthBundle to integrate Facebook OAuth, and when I update my schema I am getting the following error:
[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
Unrecognized options "resource_owners" under "security.firewalls.oauth"
Here is my security.yml, and I really don't know what this error is:
jms_security_extra:
    secure_all_services: false
    expressions: true
security:
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
        # administrators:
        #     entity: { class: NotificaHomeBundle:TbNotificaUser }
    encoders:
        "FOS\UserBundle\Model\UserInterface": sha512
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path: /login
                check_path: /login_check
            logout: true
            anonymous: true
        oauth:
            resource_owners:
                facebook: "/login/check-facebook"
            oauth_user_provider:
                #this is my custom user provider, created from FOSUBUserProvider - will manage the
                #automatic user registration on your site, with data from the provider (facebook. google, etc.)
                service: my_user_provider
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth/login_check
                login_path: /oauth/v2/auth/login
            anonymous: true
            # Add your favorite authentication process here
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
            anonymous: true # can be omitted as its default value
        # admin_area:
        #     pattern: ^/xadmin
        #     http_basic: ~
    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/notifica/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/xadmin/, role: ROLE_ADMIN }
        - { path: ^/api, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
Your indentation is wrong. YAML files are based on indentation.
firewalls:
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_provider: form.csrf_provider
            login_path: /login
            check_path: /login_check
        oauth:
            resource_owners:
                facebook: "/login/check-facebook"
                google: "/login/check-google"
            login_path: /login
            failure_path: /login
            oauth_user_provider:
                #this is my custom user provider, created from FOSUBUserProvider - will manage the
                #automatic user registration on your site, with data from the provider (facebook. google, etc.)
                service: my_user_provider
