Open nanasess opened 1 year ago
API プラグインに以下のパッチを適用することで、 Resource owner password credentials grant でアクセストークンを取得可能なのを確認。ただし client_secret は必須の模様
diff --git a/Controller/Admin/OAuthController.php b/Controller/Admin/OAuthController.php
index ab49663..0234969 100644
--- a/Controller/Admin/OAuthController.php
+++ b/Controller/Admin/OAuthController.php
@@ -17,7 +17,7 @@ use Eccube\Controller\AbstractController;
use Exception;
use Plugin\Api42\Form\Type\Admin\ClientType;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
-use Symfony\Component\Form\FormInterface;
+use Eccube\Form\Form;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
@@ -108,7 +108,7 @@ class OAuthController extends AbstractController
$secret = $form->get('secret')->getData();
try {
- $client = new Client($name, $identifier, $secret);
+ $client = new Client($name, $identifier, null);
$client = $this->updateClientFromForm($client, $form);
$this->clientManager->save($client);
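Review bot: The patched `new Client($name, $identifier, null)` line discards the secret the admin typed, so every client created through this screen becomes a secret-less (public) client, while `$secret` two lines above is still read and is now dead. Together with the password grant this patch enables, anyone who knows a client_id can exchange a customer's username/password for a token with no client authentication at all — the curl transcript further down sends only `client_id` and gets a 200. If a public client is really wanted for the experiment, make it an explicit choice rather than the only behaviour, e.g. `$client = new Client($name, $identifier, $isPublic ? null : $secret);` driven by a form field or config flag, with secret-bearing clients as the default. The enclosing action starts before this hunk.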
@@ -193,11 +193,11 @@ class OAuthController extends AbstractController
/**
* @param Client $client
- * @param FormInterface $form
+ * @param Form $form
*
* @return Client
*/
- private function updateClientFromForm(Client $client, FormInterface $form): Client
+ private function updateClientFromForm(Client $client, Form $form): Client
{
$client->setActive(true);
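Review bot: Narrowing the parameter from `FormInterface` to the concrete `Eccube\Form\Form` in `updateClientFromForm` is unrelated to the grant experiment and makes the method harder to exercise with a plain form in tests; nothing in the visible hunks calls a `Form`-only method. Unless a concrete method is needed, keep `private function updateClientFromForm(Client $client, FormInterface $form): Client` and the matching `@param FormInterface $form` docblock. The method body continues outside this hunk.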
@@ -209,16 +209,21 @@ class OAuthController extends AbstractController
);
$client->setRedirectUris(...$redirectUris);
- $grants = array_map(
- function (string $grant): Grant {
- return new Grant($grant);
- },
- $form->get('grants')->getData()
- );
+ // $grants = array_map(
+ // function (string $grant): Grant {
+ // return new Grant($grant);
+ // },
+ // $form->get('grants')->getData()
+ // );
// authorization code grant が選択されていた場合には refresh token grant も付与
- if (in_array(OAuth2Grants::AUTHORIZATION_CODE, $grants)) {
- array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
- }
+ // if (in_array(OAuth2Grants::AUTHORIZATION_CODE, $grants)) {
+ // array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
+ // }
+ $grants = [
+ new Grant(OAuth2Grants::PASSWORD),
+ new Grant(OAuth2Grants::REFRESH_TOKEN)
+ ];
+ array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
$client->setGrants(...$grants);
$scopes = array_map(
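Review bot: The new `$grants` literal already contains `new Grant(OAuth2Grants::REFRESH_TOKEN)`, and the `array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));` right after it adds the same grant a second time, so the client is saved with a duplicate refresh_token grant; drop the `array_push` line. The hard-coded list also ignores whatever the admin selected in the `grants` field, so every client silently receives the password grant regardless of the UI, and the original selection logic is left behind as commented-out code instead of being removed. If the password grant is meant to be available, add it to the form's grant choices and keep the `array_map` over `$form->get('grants')->getData()` so the stored grants reflect the form. updateClientFromForm continues past the end of this hunk.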
diff --git a/Resource/config/services.yaml b/Resource/config/services.yaml
index a562b9b..33363a1 100644
--- a/Resource/config/services.yaml
+++ b/Resource/config/services.yaml
@@ -17,7 +17,7 @@ league_oauth2_server:
enable_client_credentials_grant: false
# Whether to enable the password grant
- enable_password_grant: false
+ enable_password_grant: true
# Whether to enable the refresh token grant
enable_refresh_token_grant: true
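Review bot: Flipping `enable_password_grant: true` turns the `/token` endpoint into an online password-guessing oracle for every account the user resolver can return, and the Resource Owner Password Credentials grant is deprecated by the OAuth 2.0 Security BCP (and dropped from OAuth 2.1) because the client handles the raw password and the grant bypasses the authorization/consent step entirely. If it has to stay on for a first-party login flow, record that decision next to the flag, e.g. `# ROPC enabled for first-party customer login only; requires login throttling on /token and confidential clients`, and confirm that the token route is actually covered by the application's login-throttling or rate-limit configuration. The rest of the `league_oauth2_server` settings are outside this hunk, so I cannot see whether any such protection exists.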
@@ -41,7 +41,7 @@ league_oauth2_server:
services:
Plugin\Api42\EventListener\UserResolveListener:
arguments:
- - '@Eccube\Security\Core\User\MemberProvider'
+ - '@Eccube\Security\Core\User\CustomerProvider'
- '@Eccube\Security\Core\User\UserPasswordHasher'
tags:
- { name: kernel.event_listener, event: league.oauth2_server.event.user_resolve, method: onUserResolve }
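Review bot: Switching the `UserResolveListener` argument to `CustomerProvider` makes the password grant authenticate storefront customers, but nothing visible limits which scopes a customer may request; the transcript below shows a customer being issued `read write`, the same scopes an admin member would get. Scopes should be narrowed by principal type (for example a customer-only scope set enforced in the resolver or at client registration) before this grant is exposed, and the resolver should be confirmed to reject inactive or withdrawn customers — what `CustomerProvider` checks is not visible from this hunk. Replacing `MemberProvider` outright also removes member-credential logins for any existing admin-API client, so consider making the provider configurable rather than swapping it.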
# Manual check of the Resource Owner Password Credentials grant against a local dev
# server. Only client_id is sent, no client_secret; the 200 below presumably relies on
# the patched controller creating the client with a null secret (a public client) — confirm.
# The customer's raw password goes in the request body; this is plain HTTP to localhost
# and must never be pointed at a real host. The verbose output includes X-Debug-Token
# headers, so the target is a dev-mode instance.
curl --request POST 'http://localhost:8080/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=5505f99fec016090ffec3145968d13b5' \
--data-urlencode 'scope=read write' \
--data-urlencode 'username=1689822120.5619.sasaki.nanami@example.net' \
--data-urlencode 'password=password' -v | jq
Note: Unnecessary use of -X or --request, POST is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /token HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.0.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 150
>
} [150 bytes data]
< HTTP/1.1 200 OK
< Date: Mon, 24 Jul 2023 00:21:19 GMT
< Server: Apache/2.4.56 (Debian)
< X-Frame-Options: SAMEORIGIN
< X-Powered-By: PHP/8.1.19
< pragma: no-cache
< Cache-Control: max-age=0, must-revalidate, no-store, private
< X-Debug-Token: e6c84a
< X-Debug-Token-Link: http://localhost:8080/_profiler/e6c84a
< X-Robots-Tag: noindex
< Expires: Mon, 24 Jul 2023 00:21:19 GMT
< Set-Cookie: maintenance_token=deleted; expires=Sun, 24-Jul-2022 00:21:18 GMT; Max-Age=0; path=/; httponly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=UTF-8
<
{ [2058 bytes data]
100 2201 0 2051 100 150 3743 273 --:--:-- --:--:-- --:--:-- 4023
* Connection #0 to host localhost left intact
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1NTA1Zjk5ZmVjMDE2MDkwZmZlYzMxNDU5NjhkMTNiNSIsImp0aSI6ImNlMTkyZTM0YTZlOGNjNmU5NDQwYTU3YjNiM2JhMDhkNzRlYWEyN2Y2N2Y0YTMxZjM4YzhhZjE4NzAwNzA1MWFmNDNlNGUzYjhlZGJjOGI3IiwiaWF0IjoxNjkwMTU4MDc5LjgwMTgzNiwibmJmIjoxNjkwMTU4MDc5LjgwMTgzNywiZXhwIjoxNjkwMTYxNjc5Ljc5NDM1Mywic3ViIjoiMTY4OTgyMjEyMC41NjE5LnNhc2FraS5uYW5hbWlAZXhhbXBsZS5uZXQiLCJzY29wZXMiOlsicmVhZCIsIndyaXRlIl19.ZmDgrZtVkcLv9Ko9YQlfqG-TTgL1nyypZXtIct_hUQcSJ1Cr2ayYs9Fs9noEPscf-y3m8CX7nxsFNknD5gB8AKndEt2tQu-rSo6zoh3cjOjG56uP6IA_U5mkTIuTz8PL47vwEqo46u2KWhhU_4AQZ8P4D_-jJEgbf8NRH9XOSvnL2myAs1D6XYuOWdhst6rD7KZUJGoa2E4XgaEBwCu6yIM83iI0yIOGFEeNJ1Oihywrm4MhG9DfhQqfamJbNjnMHmIVivPMwurSllimKee7ENQ-tnDS4zi_BwafH4lW_3oA6paILOBZ0WAIEvOCEcdeZ6BwIUr5Db269GYDETHDLUcmqOxTiYAknqh-6-t5uRaAMNo64wQ1A4u843kuFyLjA2COqTjAD37Irm6t-da8nYFGtKZQFJwIMNEFEnRMR-eevP80Xq5pQBfdVT2HoW8Ayie8-jVsRIOSRPjNOc0slO0x12zRD_7Ua_X7kE8uKKHtPJFQ3fs-uLThA2yqJ3CGk_Ni7jhA8FaABR_OWqBfmkzw2Syg-hJxs9J1bOsg8M6EyNusXQZd9-SzEIJITEaeuYZJOsp6meY1MgLBjo03HBOarLRlI2jwsdHnCfI_Y5JCBv-EIQVBhz9L2oMLQglHu08aS7FJ8bzOVFhSoazO36R5rMGMZ-lHiWJR-Alpsfc",
"refresh_token": "def5020056662e9b06562766cdd857f4c74c72f7f325542ae74802ad89285fd160a7401b5d9ff566f5b863f5bf61124caf2eecf13099e8faf3501971a663fc6e6f80f8c579e8c2f1f69bd760cdda9755bbf80b61b4269acc44ee499b7adb2e6343c08355be202ece96c58040b84021ed3ceb23b2e6ebe9a9d731eeb57fe9229b288b5b88dc2e7380962a3570fc52fc8d1fd2db55749e423056865f6945fb47bcbfb95911da53bebd030218213d048d387c46666e806f66b3170cb84b502b80d560eb9d8c955f38918cb87e44eb6c77ebd964f219bae2d914fa07d322a4b89f208960883f4e6107157b57697beb80f12b5c4be0d715af5d5a718dcb649cbf20272982d6226e5609a16b3b574defe04a7a505fc260d5d9aaff5e4a1a6db552a69efdc10a36fe6b6f2db433aa536892fdd11002c1d9c387cb73dc7223b1236edb26ffe4fce020a3a016648bf0138e9e42e6bbc4b680a81db7232e8ce0c91260c3e5a83dae9e0a49d819435ae361615b5d936d151ceb5e6ba0f68f488365abacfbaa554f08c6b1e1ab661ad170ed3f59a1ed0f11c2cb7f9e71d6ce414b679887c398b99481aba4e12fa17d1cb5e07a9518365cb5bc17adf50195"
}
以下の3点を分けて考える必要がある
課題
ステートレスセッション or ステートフルセッション
JWT の形式(JWS, JWK を使用する?)
トークンの受け渡し方法
認証/認可関連の API
`--public` オプション(public client として作成)を付けると client_secret が不要になる模様。

参考サイト
JWTデバッガー(便利) https://jwt.io/
徳丸先生の SPA で JWT を使う話(一番よくまとまってる) https://www.docswell.com/s/ockeghem/ZM6VNK-phpconf2021-spa-security
トークンベースの認証とは? 仕様とJWTのメリット、デメリット https://www.okta.com/jp/identity-101/what-is-token-based-authentication/
JWK(公開鍵のエンコード方式) https://openid-foundation-japan.github.io/rfc7517.ja.html
OpenID Connect https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html