There are several commands available to manage clients.
To add a client you should use the trikoder:oauth2:create-client command.
Description:
Creates a new oAuth2 client
Usage:
trikoder:oauth2:create-client [options] [--] [<identifier> [<secret>]]
Arguments:
identifier The client identifier
secret The client secret
Options:
--redirect-uri[=REDIRECT-URI] Sets redirect uri for client. Use this option multiple times to set multiple redirect URIs. (multiple values allowed)
--grant-type[=GRANT-TYPE] Sets allowed grant type for client. Use this option multiple times to set multiple grant types. (multiple values allowed)
--scope[=SCOPE] Sets allowed scope for client. Use this option multiple times to set multiple scopes. (multiple values allowed)
--public Creates a public client (a client which does not have a secret)
--allow-plain-text-pkce Creates a client which is allowed to create an authorization code grant PKCE request with the "plain" code challenge methodTo update a client you should use the trikoder:oauth2:update-client command.
Description:
Updates an oAuth2 client
Usage:
trikoder:oauth2:update-client [options] [--] <identifier>
Arguments:
identifier The client ID
Options:
--redirect-uri[=REDIRECT-URI] Sets redirect uri for client. Use this option multiple times to set multiple redirect URIs. (multiple values allowed)
--grant-type[=GRANT-TYPE] Sets allowed grant type for client. Use this option multiple times to set multiple grant types. (multiple values allowed)
--scope[=SCOPE] Sets allowed scope for client. Use this option multiple times to set multiple scopes. (multiple values allowed)
--deactivated If provided, it will deactivate the given client.$ bin/console trikoder:oauth2:update-client --grant-type client_credentials --grant-type password foo$ bin/console trikoder:oauth2:update-client --scope create --scope read fooTo delete a client you should use the trikoder:oauth2:delete-client command.
Description:
Deletes an oAuth2 client
Usage:
trikoder:oauth2:delete-client <identifier>
Arguments:
identifier The client IDTo list clients you should use the trikoder:oauth2:list-clients command.
Description:
Lists existing oAuth2 clients
Usage:
trikoder:oauth2:list-clients [options]
Options:
--columns[=COLUMNS] Determine which columns are shown. Comma separated list. [default: "identifier, secret, scope, redirect uri, grant type"]
--redirect-uri[=REDIRECT-URI] Finds by redirect uri for client. Use this option multiple times to filter by multiple redirect URIs. (multiple values allowed)
--grant-type[=GRANT-TYPE] Finds by allowed grant type for client. Use this option multiple times to filter by multiple grant types. (multiple values allowed)
--scope[=SCOPE] Finds by allowed scope for client. Use this option multiple times to find by multiple scopes. (multiple values allowed)__Add two new firewalls in your security configuration:
security:
firewalls:
api_token:
pattern: ^/api/token$
security: false
api:
pattern: ^/api
security: true
stateless: true
oauth2: true- The
api_tokenfirewall will ensure that anyone can access the/api/tokenendpoint in order to be able to retrieve their access tokens. - The
apifirewall will protect all routes prefixed with/apiand clients will require a valid access token in order to access them.
Basically, any firewall which sets the oauth2 parameter to true will make any routes that match the selected pattern go through our OAuth 2.0 security layer.
Alternatively, you can use a guard authenticator to protect your resources:
security:
firewalls:
api_token:
pattern: ^/api/token$
security: false
api:
pattern: ^/api
security: true
stateless: true
guard:
authenticators:
- Trikoder\Bundle\OAuth2Bundle\Security\Guard\Authenticator\OAuth2AuthenticatorNOTE: The order of firewalls is important because Symfony will evaluate them in the specified order.
You can define the oauth2_scopes parameter on the route you which to restrict the access to. The user will have to authenticate with all scopes which you defined:
oauth2_restricted:
path: /api/restricted
controller: 'App\Controller\FooController::barAction'
defaults:
oauth2_scopes: ['foo', 'bar']Once the user gets past the oauth2 firewall, they will be granted additional roles based on their granted token scopes.
By default, the roles are named in the following format:
ROLE_OAUTH2_<scope>
Here's one of the example uses cases featuring the @IsGranted annotation:
/**
* @IsGranted("ROLE_OAUTH2_EDIT")
*/
public function indexAction()
{
// ...
}NOTE: You can change the
ROLE_OAUTH2_prefix via therole_prefixconfiguration option described in Installation section
There are two possible reasons for the authentication server to reject a request:
- Provided token is expired or invalid (HTTP response 401
Unauthorized) - Provided token is valid but scopes are insufficient (HTTP response 403
Forbidden)
To clear expired access and refresh tokens and auth codes you can use the trikoder:oauth2:clear-expired-tokens command.
The command removes all tokens whose expiry time is lesser than the current.
Description:
Clears all expired access and/or refresh tokens and/or auth codes
Usage:
trikoder:oauth2:clear-expired-tokens [options]
Options:
-a, --access-tokens Clear expired access tokens.
-r, --refresh-tokens Clear expired refresh tokens.
-c, --auth-codes Clear expired auth codes.Not passing any option means that both expired access and refresh tokens as well as expired auth codes will be cleared.
For CORS handling, use NelmioCorsBundle