thephpleague / oauth2-server-bundle

Symfony bundle for the OAuth2 Server.
MIT License

`oauth2: true` option is not clear to me #188

Open VincentLanglet opened 1 month ago

VincentLanglet commented 1 month ago

Hi @chalasr ,

This bundle is great and simplifies the integration of OAuth. Thanks a lot. But I ended up with some questions.

We're having our firewall config done this way:

        oauth:
            host: '%oauth_domain%'
            context: main_context
            provider: main_provider
            form_login:
                login_path: weglot_security_oauth_login
                check_path: weglot_security_oauth_login
                enable_csrf: true
        api_oauth:
            host: '%api_domain%'
            pattern: ^/v2
            stateless: true
            access_token:
                token_handler: App\Security\AccessTokenHandler
            provider: api_provider

And I discovered that if I try to reach the v2/foo route, I get these error logs:

Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\HttpException: "Full authentication is required to access this resource." at ExceptionListener.php line 232

and

No Authentication entry point configured, returning a 401 HTTP response. Configure "entry_point" on the firewall "api_oauth" if you want to modify the response.

Re-reading the doc, I think it's because I was missing `oauth2: true` on the api_oauth firewall; this option seems to use the OAuth2Authenticator and solves the "No Authentication entry point configured" error. But as soon as I use this option, the page goes from

[image]

to

[image]

I assume it's because of the code

    public function start(Request $request, ?AuthenticationException $authException = null): Response
    {
        return new Response('', 401, ['WWW-Authenticate' => 'Bearer']);
    }

Wouldn't it be better to still have the Symfony profiler/debug tools in debug mode? Is it possible? Also, why is my custom 401 error page not used?

Wouldn't it be better to rely on the Symfony exception listener and throw an AuthenticationException in the start method rather than

new Response('', 401, ['WWW-Authenticate' => 'Bearer']);

Something like an OAuth2AuthenticationException?

VincentLanglet commented 3 weeks ago

Hi @mtarld, it seems like you're the one who wrote the OAuth2Authenticator in https://github.com/thephpleague/oauth2-server-bundle/pull/24; maybe you could help me understand the choice to send

new Response('', 401, ['WWW-Authenticate' => 'Bearer']);

rather than an AuthenticationException?
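As an added example (not code from the bundle or from anyone in this thread) of the alternative the question describes: a custom entry point, wired to the api_oauth firewall through the `entry_point` key the log message mentions, that throws an `UnauthorizedHttpException` instead of returning a bare `Response`. Symfony's security `ExceptionListener` hands any exception thrown by `start()` back to the kernel, so the framework's error controller renders it (custom 401 template in prod, exception page with the profiler in debug) while the `WWW-Authenticate: Bearer` challenge that RFC 6750 requires on a 401 is still sent. The class name and namespace are assumptions.

```php
<?php
// src/Security/BearerChallengeEntryPoint.php (hypothetical path and class name)
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

final class BearerChallengeEntryPoint implements AuthenticationEntryPointInterface
{
    public function start(Request $request, ?AuthenticationException $authException = null): Response
    {
        // Throwing instead of returning: the security ExceptionListener catches this,
        // sets it as the event throwable, and the HttpKernel ErrorListener then renders
        // it with the configured error controller (error401 template / debug page).
        // UnauthorizedHttpException takes the challenge as its first argument and
        // emits it as the WWW-Authenticate header on the resulting 401 response.
        throw new UnauthorizedHttpException(
            'Bearer',
            'Full authentication is required to access this resource.',
            $authException
        );
    }
}
```

In `config/packages/security.yaml` the firewall then gets `entry_point: App\Security\BearerChallengeEntryPoint` next to its `access_token` block; an API firewall serving JSON clients may also want the error renderer to negotiate the response format so a bare `Accept: application/json` client does not receive an HTML error page.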