fosoauthserverbundle's Issues

Typo in the documentation

Hi Guys,

I've found a (small) typo in the Doc. (Resources/doc/extending_the_authorization_page.md)

In the sentence "The first step is to copy the authorize_content.html.twig template to the app/Resources/FOSOAuthServerBundle/view/Authorize/ directory."

The correct path is of course app/Resources/FOSOAuthServerBundle/views/Authorize/

Thanks for your awesome work.

I have the following error

=> Can't inherit abstract function OAuth2\Model\IOAuth2Client::getRedirectUris() (previously declared abstract in FOS\OAuthServerBundle\Model\ClientInterface) in C:\wamp\lib\Symfony\vendor\bundles\FOS\OAuthServerBundle\Model\ClientInterface.php on line 17

(version 1.1.0 for Symfony 2.0x)

Scopes configuration bug

The fos_oauth_server.service.options accepts only an array of scalars. But the supported_scopes option, as it is defined in the OAuth2 class, should be an array. So how do I configure supported scopes correctly?

More tagged releases

Would be great to have more tagged releases for FOSOAuthServerBundle so that I can stick my project to a specific version using Composer.

Propel schema uses column name "user", which is incompatible with Postgresql

---insert-sql generates the following sql snippet:

```sql
CREATE TABLE token
(
id serial NOT NULL,
token VARCHAR NOT NULL,
expires_at INTEGER,
scope VARCHAR,
client_id INTEGER NOT NULL,
user TEXT,
class_key INTEGER,
PRIMARY KEY (id)
)
```
which Postgresql (testable in phppgadmin) rejects:
```text
ERROR: syntax error at or near "user"
LINE 8: user TEXT,
^
```
This is clearly based on the column name "user", as replacing it with "usr" works:
```sql
CREATE TABLE token
(
id serial NOT NULL,
token VARCHAR NOT NULL,
expires_at INTEGER,
scope VARCHAR,
client_id INTEGER NOT NULL,
usr TEXT,
class_key INTEGER,
PRIMARY KEY (id)
)
```
I expect the same to be true for auth_code as well ;-)

Disable authorization form

Hi,

Is it possible to disable the authorization form?
It does not make sense to have this form inside my own app.

Thanks!

Custom storage provider causes error when loading services

Hi there,

When setting a custom service for fos_oauth_server.service.storage an exception is thrown when the services are first loaded like so:

[Symfony\Component\DependencyInjection\Exception\InvalidArgumentException]  
The service definition "list_app.auth.oauth_storage" does not exist.  

The offending line seems to be line 78 of FOS/OAuthServerBundle/DependencyInjection/FOSOAuthServerExtension.php, where it attempts to get the definition for the storage service. My service is definitely being defined, as it shows up in the Symfony container:debug console command as the following:

list_app.auth.oauth_storage    container ListApp\AuthBundle\Storage\OAuthStorage

The relevant chunk of my config.yml looks like this:

service:
    user_provider:      fos_user.user_manager
    client_manager:     list_app.auth.client_manager
    storage:            list_app.auth.oauth_storage
    options:
        access_token_lifetime: 1209600

I am using the OAuth bundle in conjunction with the FOS user bundle and I need to set a custom storage as I need to take other details of a user's account (such as active or suspended flags) into consideration when fetching the user from the DB. Am I approaching this correctly? Let me know if you need any more information.

Interestingly, this pull request #109 looks like it would help in my particular scenario as that is what I was after, but it still seems odd that it can't find my service.

Cheers.

Unlock this project

Hi FOS members,

For the last 4 months, this project has been definitely locked by @schmittjoh, who started a refactoring of the whole thing. The problem is that you (Johannes) haven't provided any new commits in 4 months, and no guidelines or anything else to move ahead.

So, I suggest we decide something here. There are a few Pull Requests, and people now want to use this bundle, and both @stof and I often repeat the same sentence: "we have to wait for @schmittjoh's refactoring".

I don't have a lot of time these days, but I could (as well as some other people) try to give a hand to work on the refactoring, and to provide a stable bundle.

Regards,
William

"Client not found."

Hi,

I don't know if it's the right place for my issue, but I am lost and I don't find any help on Google...

In fact, I installed FOSOAuthServerBundle (With FOSUserBundle and FOSRestBundle). I can log in (oauth/v2/auth), but I have an error just after:
(screenshot of the error page, taken 2013-02-05, not reproduced here)

As you can see, I am logged under "Sebastien". Maybe you have an idea how I can fix that?

Thank you.

Symfony 2.2 compatibility

Installing under symfony 2.2 causes an old version of the oauth2 library (1.0.2) to be installed.

(FriendsOfSymfony/oauth2-php#18)

Causes the following error:

Fatal error: Declaration of FOS\OAuthServerBundle\Storage\OAuthStorage::checkGrantExtension() must be compatible with OAuth2\IOAuth2GrantExtension::checkGrantExtension(OAuth2\IOAuth2Client $client, $uri, array $inputData, array $authHeaders) in /home/mmucklo/service/qvc/vendor/friendsofsymfony/oauth-server-bundle/FOS/OAuthServerBundle/Storage/OAuthStorage.php on line 33

AuthorizeForm doesn't bind if data is passed via POST

If you send an authentication request via POST to /oauth/v2/auth endpoint the AuthorizeForm doesn't get populated because in AuthorizeFormHandler the form fails to bind expecting a CSRF token.

Maybe the form could be populated upon creation in the controller?

ClientInterface is too restrictive (problem with Propel)

I know this bundle is under heavy work right now; I'm just toying with it + Propel.

The FOS\OAuthServerBundle\Model\ClientInterface has typed arguments in method declarations:

function setRedirectUris(array $redirectUris);
function setAllowedGrantTypes(array $grantTypes);

When generating model classes with Propel, implementations in generated classes miss those types:

function setRedirectUris($redirectUris);
function setAllowedGrantTypes($grantTypes);

In that case, the classloader reports this error - Propel's implementation doesn't match its interface.
Is it ok to remove those types for compatibility's sake?

Or should I report this issue to propelorm?
(ping @willdurand )

Encrypted password grant

I'm working on a client-server application which makes use of a 2-legged authentication flow using the password grant-type. The only problem I have with this is the fact that the credentials are sent to the server unencrypted. What can I do to secure these credentials better? Thanks in advance!

Accessing api endpoint from the browser

We're working on an app where the API is used by a backbone.js client and native mobile clients. Right now our api endpoints can only be accessed through the stateless firewall; when accessed from the browser by an authenticated user, we get "OAuth2 authentication required".

However, we'd need to access the api endpoints from the browser as well, where the user is authenticated using cookie based authentication.

Is there a way to secure the API either by oauth2 or by the cookie authentication scheme?

Currently our firewalls in security.yml look like this:

    firewalls:
        api:
            pattern:    ^/api
            fos_oauth:  true
            stateless:  true

        webapp:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    true

        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false

        oauth_authorize:
            pattern:    ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true

Documentation

Would be great if the docs were updated to include the latest configs

Declaration of Storage\OAuthStorage::checkGrantExtension() must be compatible with that of OAuth2\IOAuth2GrantExtension::checkGrantExtension()

When installing 1.2.2 I get:

Fatal error: Declaration of FOS\OAuthServerBundle\Storage\OAuthStorage::checkGrantExtension() must be compatible with that of OAuth2\IOAuth2GrantExtension::checkGrantExtension() in /Users/boy/Sites/Speakap/api/vendor/friendsofsymfony/oauth-server-bundle/FOS/OAuthServerBundle/Storage/OAuthStorage.php on line 33

Apparently there is a use statement missing.

$client->getPublicId() != $token->getClientId()

In Model/Token.php, line 33 makes no sense:

<?php

public function getClientId()
{
    return $this->client->getPublicId();
}

It should be instead :

<?php

public function getClientId()
{
    return $this->client->getId();
}

In fact, I suppose this is because there's a bug in the file Oauth2.php of the FOS/oauth2-php repository:

Line 814 : $client->getId() != $token->getClientId()
Line 748 : $client->getPublicId() != $authCode->getClientId()

The line 748 should be $client->getId() and not $client->getPublicId().

Manage authorized scopes with a service

Authorized scopes can be defined in config.yml:

fos_oauth_server:
    service:
        options:
            supported_scopes: scope1 scope2 …

Is it possible to manage them with a custom service?
For example:

fos_oauth_server:
    service:
        options:
            supported_scopes:
                id: my_authorized_scopes_service

My aim is to let bundles define the scopes they need.
my_authorized_scopes_service will list all available scopes provided by bundles.

Password Grant requires secret, incorrect?

I'm using the password grant method; however, it was failing unnecessarily in my opinion because the token request didn't pass in the client secret. It was my understanding that you shouldn't need to pass in the client secret when using this grant type?

If I comment out lines 685-687 in OAuth2.php then it works as expected (fails on incorrect credentials). However I imagine this will break other grant types.

My suggestion is that line 685 should be changed to:

if ($this->storage->checkClientCredentials($client, $clientCreds[1]) === FALSE && !self::GRANT_TYPE_USER_CREDENTIALS) {

But I'm fairly new to OAuth2 so please correct me if I'm wrong.
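For reference, the rule the poster is asking about is RFC 6749 section 4.3.2: the password grant does not remove client authentication; a confidential client must still present its secret, and only a public client (one that was never issued a secret) may omit it. The following is an added example, not code from FOSOAuthServerBundle or oauth2-php, that makes this decision explicit; the client registry, function names and constants are assumptions for the example.

```php
<?php
// Added example (not bundle code): decide whether a token request has
// authenticated its client. The secret is tied to the client's type
// (confidential vs public), not to the grant type, so the password grant
// is handled the same way as every other grant.
declare(strict_types=1);

const GRANT_TYPE_USER_CREDENTIALS   = 'password';
const GRANT_TYPE_CLIENT_CREDENTIALS = 'client_credentials';

/** Constructed client registry: public_id => [secret, confidential flag]. */
function clientRegistry(): array
{
    return [
        'web_app_1'  => ['secret' => 's3cr3t-web', 'confidential' => true],
        'mobile_app' => ['secret' => null,         'confidential' => false],
    ];
}

/**
 * Returns true when client authentication succeeded (or was not required
 * for a public client) and the request may proceed to the grant checks;
 * false when the request must be rejected with invalid_client.
 */
function authenticateClient(string $clientId, ?string $clientSecret, string $grantType): bool
{
    $clients = clientRegistry();
    if (!isset($clients[$clientId])) {
        return false; // unknown client: reject before touching any grant logic
    }
    $client = $clients[$clientId];

    // client_credentials only makes sense for a client that can keep a secret.
    if ($grantType === GRANT_TYPE_CLIENT_CREDENTIALS && !$client['confidential']) {
        return false;
    }

    // A public client was never issued a secret; identifying it is enough.
    // The password grant still has to verify the resource owner's credentials.
    if (!$client['confidential']) {
        return true;
    }

    // Confidential clients must present the secret for every grant type,
    // including password. hash_equals avoids a timing side channel.
    return $clientSecret !== null && hash_equals($client['secret'], $clientSecret);
}

// Constructed checks: the mobile (public) client may use the password grant
// without a secret; the confidential web client may not.
var_dump(authenticateClient('mobile_app', null, GRANT_TYPE_USER_CREDENTIALS));        // bool(true)
var_dump(authenticateClient('web_app_1', null, GRANT_TYPE_USER_CREDENTIALS));         // bool(false)
var_dump(authenticateClient('web_app_1', 's3cr3t-web', GRANT_TYPE_USER_CREDENTIALS)); // bool(true)
```

Note that the suggested `&& !self::GRANT_TYPE_USER_CREDENTIALS` in the post negates a non-empty constant, so it is always false and would switch the secret check off for every grant type.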

"findClientByPublicId" method of "fos_oauth_server.client_manager" service is not working

I was trying to use the bundle for basic authentication operations and it always threw an exception: Client not found.
I modified FOS\OAuthServerBundle\Controller\AuthorizeController line 133 in the getClient method:

before :

$client = $this->container
                ->get('fos_oauth_server.client_manager')
                ->findClientByPublicId($clientId);

after :

$client = $this->container
                ->get('fos_oauth_server.client_manager')
                ->findClientBy(array("id" => $clientId));

and now it's working !
Did I miss something?

Client registration

Would it be relevant to add client registration in this bundle, since oauth2 requires some fields to exist (redirect_uris, allowed_grant_types, id and secret)?

Rate limits

Would this be something to be included in this bundle? Maybe I have time to develop it.

Bundle performance

I'm quite confused. By activating the bundle (with prod environment enabled), the response time increases from 150ms to 600ms. Have you noticed similar issues?

Proposal

First, thanks for this bundle.

What do you think about moving your bundle, and the oauth2 library to the FOS organization? Of course, that would also include adding you as a member.

I believe this bundle might be useful for many people, and deserves higher visibility.

What do you think?

Can't get the authentication process in the OAuth server

Hello,
I'm trying to create an OAuth api server using FOSOauthServerBundle, FOSUserBundle and FOSRestBundle.
I followed the instructions on http://blog.logicexception.com/2012/04/securing-syfmony2-rest-service-wiith.html, and got the access token and the refresh token successfully. Now, I'm trying to test my server by creating a demo application that makes api requests.
The result of the request is "access_denied, Oauth2 authentication required", in spite of the fact that the user was authenticated and the client received an access token.
When I tried to debug the process I noticed that the oauth2 authentication process never executed.

my security.yml:

```yaml
jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    acl:
        connection: default

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        in_memory:
            memory:
                users:
                    user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        fos_userbundle:
            id: fos_user.user_provider.username

    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
        Symfony\Component\Security\Core\User\User: plaintext

    firewalls:
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true

        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
                use_referer: true
            anonymous: true

        oauth_token:
            pattern: ^/oauth/v2/token
            security: false

        secured_area:
            pattern:    ^/
            anonymous: ~
            form_login:
                provider: fos_userbundle
                check_path: /login_check
                login_path: /login
                always_use_default_target_path: true
                default_target_path: /

    access_control:
        - { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/oauth/v2/auth, role: ROLE_USER }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
        - { path: ^/, roles: ROLE_USER }
        - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
```
