symfony guard authentication: fun with api token, social login, jwt and more

Guard Authentication: Powerful, Beautiful Security

by your friend:

Ryan Weaver @weaverryan

KnpUniversity.comgithub.com/weaverryan

Who is this guy?

> Lead for the Symfony documentation

> KnpLabs US - Symfony Consulting, training & general Kumbaya

> Writer for KnpUniversity.com Tutorials

> Husband of the much more talented @leannapelham

http://www.github.com/weaverryan

http://KnpUniversity.com

KnpUniversity.com

KnpUniversity.comgithub.com/weaverryan

Who is this guy?

> Lead for the Symfony documentation

> KnpLabs US - Symfony Consulting, training & general Kumbaya

> Writer for KnpUniversity.com Tutorials

> Husband of the much more talented @leannapelham

http://www.github.com/weaverryan

http://KnpUniversity.com

What’s the hardestpart of Symfony?

@weaverryan

Authentication*

Who are you?

@weaverryan

*I am hard

Authorization

Do you have access to do X?

@weaverryan

VOTERS!

@weaverryan

Authenticationin Symfony sucks?

@weaverryan

1) Grab information from the request

@weaverryan

2) Load a User

@weaverryan

3) Validate if the credentials are valid

@weaverryan

4) authentication success…now what?

@weaverryan

5) authentication failure …dang, now what?!

@weaverryan

6) How do we “ask” the user to login?

@weaverryan

6 Steps

5 Different Classes

@weaverryan

security: firewalls: main: anonymous: ~ logout: ~ form_login: ~ http_basic: ~ some_invented_system_i_created: ~

Each activates a system of these 5 classes

@weaverryan

Authenticationin Symfony sucks?

@weaverryan

On Guard!

@weaverryan

interface GuardAuthenticatorInterface{ public function getCredentials(Request $request); public function getUser($credentials, $userProvider); public function checkCredentials($credentials, UserInterface $user); public function onAuthenticationFailure(Request $request); public function onAuthenticationSuccess(Request $request, $token);

public function start(Request $request); public function supportsRememberMe();}

@weaverryan

Bad News…

@weaverryan

You still have to do work!

@weaverryan

and wear sunscreen!

But it will be simple

@weaverryan

https://github.com/knpuniversity/guard-presentation

You need a User class

(This has nothing todo with Guard)

@weaverryan

☼

@weaverryan

use Symfony\Component\Security\Core\User\UserInterface; class User implements UserInterface{ }

class User implements UserInterface{ private $username; public function __construct($username) { $this->username = $username; } public function getUsername() { return $this->username; } public function getRoles() { return ['ROLE_USER']; } // …}

a unique identifier(not really used anywhere)

@weaverryan

class User implements UserInterface{ // … public function getPassword() { } public function getSalt() { } public function eraseCredentials() { }}

These are only used for users thathave an encoded password

The Hardest Example Ever:

Form Login

@weaverryan

☼☼

A traditional login form setup

@weaverryan

class SecurityController extends Controller{ /** * @Route("/login", name="security_login") */ public function loginAction() { return $this->render('security/login.html.twig'); } /** * @Route("/login_check", name="login_check") */ public function loginCheckAction() { // will never be executed } }

<form action="{{ path('login_check') }}” method="post"> <div> <label for="username">Username</label> <input name="_username" /> </div> <div> <label for="password">Password:</label> <input type="password" name="_password" /> </div> <button type="submit">Login</button> </form>

Let’s create an authenticator!

@weaverryan

class FormLoginAuthenticator extends AbstractGuardAuthenticator{ public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { }}

public function getCredentials(Request $request) { if ($request->getPathInfo() != '/login_check') { return; } return [ 'username' => $request->request->get('_username'), 'password' => $request->request->get('_password'), ];}

Grab the “login” credentials!

@weaverryan

public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; $user = new User(); $user->setUsername($username); return $user; }

Create/Load that User!

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { $password = $credentials['password']; if ($password == 'santa' || $password == 'elves') { return; } return true;}

Are the credentials correct?

@weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { $url = $this->router->generate('security_login'); return new RedirectResponse($url);}

Crap! Auth failed! Now what!?

@weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { $url = $this->router->generate('homepage'); return new RedirectResponse($url);}

Amazing. Auth worked. Now what?

@weaverryan

public function start(Request $request) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); }

Anonymous user went to /adminnow what?

@weaverryan

Register as a service

services: form_login_authenticator: class: AppBundle\Security\FormLoginAuthenticator autowire: true

@weaverryan

Activate in your firewall

security: firewalls: main: anonymous: ~ logout: ~ guard: authenticators: - form_login_authenticator

@weaverryan

User Providers

(This has nothing todo with Guard)

@weaverryan

☼☼ ☼

Each App has a User class

@weaverryan

And the Christmas spirit

Each User Class Needs 1 User Provider

@weaverryan

class SunnyUserProvider implements UserProviderInterface{ public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundle\Entity\User'; }}

services: sunny_user_provider: class: AppBundle\Security\SunnyUserProvider

@weaverryan

security: providers: sunnny_users: id: sunny_user_provider firewalls: main: anonymous: ~ logout: ~ # this is optional as there is only 1 provider provider: sunny_users guard: authenticators: [form_login_authenticator]

Boom!

Optional Boom!


But why!?


refresh from the session


switch_user, remember_me

Slightly more sunshiney:

Loading a User from the Database

@weaverryan

public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; //return $userProvider->loadUserByUsername($username); return $this->em ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]);}

FormLoginAuthenticator

you can use this if you want to… or don’t!

class SunnyUserProvider implements UserProviderInterface{ public function loadUserByUsername($username) { $user = $this->em->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); if (!$user) { throw new UsernameNotFoundException(); } return $user; } }

@weaverryan

(of course, the “entity” user provider does this automatically)

Easiest Example ever:

Api (JWT) Authentication

@weaverryan

Warmest

JSON Web Tokens

@weaverryan

Q) What if an API client could simply send you its user id as authentication?

Authorization: Bearer 123

1) API client authenticates

" API client

Hey dude, I’m weaverryan

POST /token username=weaverryan

password=I<3php

#

app

2) Is this really weaverryan?

" API client

“It checks out, weaverryan’s password really is I<3php. Nerd”


password=I<3php

#

app

3) Create a package of data

" API client

#

app

$data = [ 'username' => 'weaverryan'];

4) Sign the data!$data = [ 'username' => 'weaverryan']; // package: namshi/jose$jws = new SimpleJWS(['alg' => 'RS256']);$jws->setPayload($data); $privateKey = openssl_pkey_get_private( 'file://path/to/private.key' ); $jws->sign($privateKey); $token = $jws->getTokenString()

5) Send the token back!

" API client

#

app{ "token": "big_long_json_webtoken"}


password=I<3php

6) Client sends the token

" API client

#

app

GET /secret/stuff Authorization: Bearer big_login_json_webtoken

7) Verify the signature

// "Authorization: Bearer 123" -> "123"$authHeader = $request->headers->get('Authorization');$headerParts = explode(' ', $authHeader);$token = $headerParts[1]; $jws = SimpleJWS::load($token);$public_key = openssl_pkey_get_public( '/path/to/public.key'); if (!$jws->isValid($public_key, 'RS256')) { die('go away >:(') }

8) Decode the token

$payload = $jws->getPayload();$username = $payload['username'];

How in Symfony?

@weaverryan

@weaverryan

1) Install a library to help sign tokens

composer require lexik/jwt-authentication-bundle

@weaverryan

2) Create a public & private key

mkdir var/jwt

openssl genrsa -out var/jwt/private.pem 4096

openssl rsa -pubout -in var/jwt/private.pem \ -out var/jwt/public.pem

@weaverryan

3) Point the library at them

# app/config/config.ymllexik_jwt_authentication: private_key_path: %kernel.root_dir%/../var/jwt/private.pem public_key_path: %kernel.root_dir%/../var/jwt/public.pem

4) Endpoint to return tokens/** * @Route("/token") */public function fetchToken(Request $request) { $username = $request->request->get('username'); $password = $request->request->get('password'); $user = $this->getDoctrine() ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); if (!$user) { throw $this->createNotFoundException(); } // check password $token = $this->get('lexik_jwt_authentication.encoder') ->encode(['username' => $user->getUsername()]); return new JsonResponse(['token' => $token]);}

5) Create the JWT Authenticator

class JwtAuthenticator extends AbstractGuardAuthenticator{ private $em; private $jwtEncoder; public function __construct(EntityManager $em, JWTEncoder $jwtEncoder) { $this->em = $em; $this->jwtEncoder = $jwtEncoder; } public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } // …}

public function getCredentials(Request $request) { $extractor = new AuthorizationHeaderTokenExtractor( 'Bearer', 'Authorization' ); $token = $extractor->extract($request); if (false === $token) { return; } return $token; }@weaverryan

public function getUser($credentials, UserProviderInterface $userProvider) { $data = $this->jwtEncoder->decode($credentials); if (!$data) { return; } $username = $data['username']; return $this->em ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]);}

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { // no credentials to check return true; }

@weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); }

@weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { // let the request continue to the controller return; }

@weaverryan

Register as a service

# app/config/services.ymlservices: jwt_authenticator: class: AppBundle\Security\JwtAuthenticator autowire: true

@weaverryan

Activate in your firewallsecurity: # ... firewalls: main: # ... guard: authenticators: - form_login_authenticator - jwt_authenticator entry_point: form_login_authenticator

which “start” method should be called

curl http://localhost:8000/secure

<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="1;url=/login" />

<title>Redirecting to /login</title> </head> <body> Redirecting to <a href="/login">/login</a>. </body></html>

@weaverryan

curl \--header “Authorization: Bearer BAD" \http://localhost:8000/secure

{"message":"Username could not be found."}

@weaverryan

localhost:8000/secure

curl \--header “Authorization: Bearer GOOD" \http://localhost:8000/secure

{"message":"Hello from the secureAction!"}

@weaverryan

http://localhost:8000/secure

Social Login!

@weaverryan

☼

$

AUTHENTICATOR

/facebook/check?code=abc

give me user info!

load a User object

" User

$

composer require \ league/oauth2-facebook \ knpuniversity/oauth2-client-bundle

@weaverryan

@weaverryan

# app/config/config.ymlknpu_oauth2_client: clients: # creates service: "knpu.oauth2.client.facebook" facebook: type: facebook client_id: %facebook_client_id% client_secret: %facebook_client_secret% redirect_route: connect_facebook_check graph_api_version: v2.5

@weaverryan

/** * @Route("/connect/facebook", name="connect_facebook") */public function connectFacebookAction() { return $this->get('knpu.oauth2.client.facebook') ->redirect(['public_profile', 'email']);}

/** * @Route("/connect/facebook-check", name="connect_facebook_check") */public function connectFacebookActionCheck() { // will not be reached!}

class FacebookAuthenticator extends AbstractGuardAuthenticator{ public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { }}

public function getCredentials(Request $request) { if ($request->getPathInfo() != '/connect/facebook-check') { return; } return $this->oAuth2Client->getAccessToken($request); }

@weaverryan

public function getUser($credentials, …) { /** @var AccessToken $accessToken */ $accessToken = $credentials; /** @var FacebookUser $facebookUser */ $facebookUser = $this->oAuth2Client ->fetchUserFromToken($accessToken); // ...}

@weaverryan

Now, relax in the shade!

@weaverryan

@weaverryan

public function getUser($credentials, ...){ // ... /** @var FacebookUser $facebookUser */ $facebookUser = $this->oAuth2Client ->fetchUserFromToken($accessToken); // 1) have they logged in with Facebook before? Easy! $user = $this->em->getRepository('AppBundle:User') ->findOneBy(array('email' => $facebookUser->getEmail())); if ($user) { return $user; } // ...}

public function getUser($credentials, ...){ // ... // 2) no user? Perhaps you just want to create one // (or redirect to a registration) $user = new User(); $user->setUsername($facebookUser->getName()); $user->setEmail($facebookUser->getEmail()); $em->persist($user); $em->flush();

return $user; }

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { // nothing to do here!} public function onAuthenticationFailure(Request $request ...){ // redirect to login} public function onAuthenticationSuccess(Request $request ...){ // redirect to homepage / last page}

@weaverryan

* also supports “finishing registration”

@weaverryan

Extra Sunshine(no sunburn)

@weaverryan

Can I control the error message?

@weaverryan

@weaverryan

If authentication failed, it is becausean AuthenticationException(or sub-class) was thrown

(This has nothing to do with Guard)

public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); }

@weaverryan

Beach Vacation Bonus! The exception is passedwhen authentication fails

AuthenticationException has a hardcodedgetMessageKey() “safe” string

Invalid credentials.

public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { }

Throw an AuthenticationException at anytime in these 3 methods

How can I customize the message?

@weaverryan

Create a new sub-class of AuthenticationException for each message

and override getMessageKey()

CustomUserMessageAuthenticationException

@weaverryan

public function getUser($credentials, ...){ $apiToken = $credentials; $user = $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); if (!$user) { throw new CustomUserMessageAuthenticationException( 'That API token is stormy' ); } return $user; }

@weaverryan

I need to manually authenticate my user

@weaverryan

public function registerAction(Request $request) { $user = new User(); $form = // ... if ($form->isValid()) { // save the user $guardHandler = $this->container ->get('security.authentication.guard_handler'); $guardHandler->authenticateUserAndHandleSuccess( $user, $request, $this->get('form_login_authenticator'), 'main' // the name of your firewall ); // redirect } // ...}

I want to save a lastLoggedInAt

field on my user no matter *how* they login

@weaverryan

Chill… that was already possible

SecurityEvents::INTERACTIVE_LOGIN

@weaverryan

class LastLoginSubscriber implements EventSubscriberInterface{ public function onInteractiveLogin(InteractiveLoginEvent $event) { /** @var User $user */ $user = $event->getAuthenticationToken()->getUser(); $user->setLastLoginTime(new \DateTime()); $this->em->persist($user); $this->em->flush($user); } public static function getSubscribedEvents() { return [ SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin' ]; }}

@weaverryan

@weaverryan

Ok, so how do I make my weird auth system?

1. User implements UserInterface

@weaverryan

2. UserProvider

@weaverryan

3. Create your authenticator(s)

@weaverryan

Authentication%

@weaverryan

@weaverryan

Do it:

http://symfony.com/doc/current/cookbook/security/guard-authentication.html

http://KnpUniversity.com/guard

@weaverryan

New (free) Symfony 3 Tutorial

KnpUniversity.com

Thank You!

symfony guard authentication: fun with api token, social login, jwt and more

Technology