Guard Authentication: Powerful, Beautiful Security
19 likes9,392 views
The document provides an overview of authentication in Symfony, focusing on the implementation of a security system using guard authenticators. It details the steps involved in user authentication, including credential verification and user creation while showcasing examples of traditional form login and API token authentication. The author also addresses user provider implementations and integration of social login options, like Facebook, along with error handling and customization of authentication failure messages.
![class User implements UserInterface
{
private $username;
public function __construct($username)
{
$this->username = $username;
}
public function getUsername()
{
return $this->username;
}
public function getRoles()
{
return ['ROLE_USER'];
}
// …
}
a unique identifier
(not really used anywhere)](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-26-320.jpg)
![public function getCredentials(Request $request)
{
if ($request->getPathInfo() != '/login_check') {
return;
}
return [
'username' => $request->request->get('_username'),
'password' => $request->request->get('_password'),
];
}
Grab the “login” credentials!
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-34-320.jpg)
![public function getUser($credentials, UserProviderInterface $userProvider)
{
$username = $credentials['username'];
$user = new User();
$user->setUsername($username);
return $user;
}
Create/Load that User!
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-35-320.jpg)
![public function checkCredentials($credentials, UserInterface $user)
{
$password = $credentials['password'];
if ($password == 'santa' || $password == 'elves') {
return;
}
return true;
}
Are the credentials correct?
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-36-320.jpg)
![Register as a service
services:
form_login_authenticator:
class: AppBundleSecurityFormLoginAuthenticator
arguments: [‘@router’]
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-40-320.jpg)
![security:
providers:
elves:
id: festive_user_provider
firewalls:
main:
anonymous: ~
logout: ~
# this is optional as there is only 1 provider
provider: elves
guard:
authenticators: [form_login_authenticator]
Boom!
Optional Boom!](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-48-320.jpg)
![class FestiveUserProvider implements UserProviderInterface
{
public function loadUserByUsername($username)
{
$user = $this->em->getRepository('AppBundle:User')
->findOneBy(['username' => $username]);
if (!$user) {
throw new UsernameNotFoundException();
}
return $user;
}
}
@weaverryan
(of course, the “entity” user
provider does this automatically)](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-53-320.jpg)
![public function getUser($credentials, UserProviderInterface $userProvider)
{
$username = $credentials['username'];
//return $userProvider->loadUserByUsername($username);
return $this->em
->getRepository('AppBundle:User')
->findOneBy(['username' => $username]);
}
FormLoginAuthenticator
you can use this if
you want to
… or don’t!](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-54-320.jpg)
![public function getUser($credentials, UserProviderInterface $userProvider)
{
$apiToken = $credentials;
return $this->em
->getRepository('AppBundle:User')
->findOneBy(['apiToken' => $apiToken]);
}
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-59-320.jpg)
![public function onAuthenticationFailure(Request $request,
AuthenticationException $exception)
{
return new JsonResponse([
'message' => $exception->getMessageKey()
], 401);
}
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-62-320.jpg)
![@weaverryan
public function connectFacebookAction()
{
// redirect to Facebook
$facebookOAuthProvider = $this->get('app.facebook_provider');
$url = $facebookOAuthProvider->getAuthorizationUrl([
// these are actually the default scopes
'scopes' => ['public_profile', 'email'],
]);
return $this->redirect($url);
}
/**
* @Route("/connect/facebook-check", name="connect_facebook_check")
*/
public function connectFacebookActionCheck()
{
// will not be reached!
}](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-73-320.jpg)
![public function getUser($credentials, …)
{
$authorizationCode = $credentials;
$facebookProvider = $this->container->get('app.facebook_provider');
$accessToken = $facebookProvider->getAccessToken(
'authorization_code',
['code' => $authorizationCode]
);
/** @var FacebookUser $facebookUser */
$facebookUser = $facebookProvider->getResourceOwner($accessToken);
// ...
}
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-76-320.jpg)
![public function onAuthenticationFailure(Request $request,
AuthenticationException $exception)
{
return new JsonResponse([
'message' => $exception->getMessageKey()
], 401);
}
@weaverryan
Christmas miracle! The exception is passed
when authentication fails
AuthenticationException has a hardcoded
getMessageKey() “safe” string
Invalid
credentials.](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-84-320.jpg)
![public function getUser($credentials, ...)
{
$apiToken = $credentials;
$user = $this->em
->getRepository('AppBundle:User')
->findOneBy(['apiToken' => $apiToken]);
if (!$user) {
throw new CustomUserMessageAuthenticationException(
'That API token is not very jolly'
);
}
return $user;
}
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-88-320.jpg)
![class LastLoginSubscriber implements EventSubscriberInterface
{
public function onInteractiveLogin(InteractiveLoginEvent $event)
{
/** @var User $user */
$user = $event->getAuthenticationToken()->getUser();
$user->setLastLoginTime(new DateTime());
$this->em->persist($user);
$this->em->flush($user);
}
public static function getSubscribedEvents()
{
return [
SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin'
];
}
}
@weaverryan](https://image.slidesharecdn.com/symfonycon2015-guard-151204090507-lva1-app6892/85/Guard-Authentication-Powerful-Beautiful-Security-93-320.jpg)
Guard Authentication: Powerful, Beautiful Security
- 1. Guard Authentication: Powerful, Beautiful Security by your friend: Ryan Weaver @weaverryan
- 2. KnpUniversity.com github.com/weaverryan Who is this guy? > Lead for the Symfony documentation > KnpLabs US - Symfony Consulting, training & general Kumbaya > Writer for KnpUniversity.com Tutorials > Husband of the much more talented @leannapelham
- 5. What’s the hardest part of Symfony? @weaverryan
- 7. Authorization Do you have access to do X? @weaverryan
- 10. 1) Grab information from the request @weaverryan
- 11. 2) Load a User @weaverryan
- 12. 3) Validate if the credentials are valid @weaverryan
- 13. 4) authentication success… now what? @weaverryan
- 14. 5) authentication failure … dang, now what?! @weaverryan
- 15. 6) How do we “ask” the user to login? @weaverryan
- 16. 6 Steps 5 Different Classes @weaverryan
- 17. security: firewalls: main: anonymous: ~ logout: ~ form_login: ~ http_basic: ~ some_invented_system_i_created: ~ Each activates a system of these 5 classes @weaverryan
- 19. interface GuardAuthenticatorInterface { public function getCredentials(Request $request); public function getUser($credentials, $userProvider); public function checkCredentials($credentials, UserInterface $user); public function onAuthenticationFailure(Request $request); public function onAuthenticationSuccess(Request $request, $token); public function start(Request $request); public function supportsRememberMe(); } @weaverryan
- 21. It’s getting coal for Christmas!
- 22. You still have to do work (sorry Laravel people) @weaverryan
- 23. But it will be simple @weaverryan https://github.com/knpuniversity/guard-presentation
- 24. You need a User class (This has nothing to do with Guard) @weaverryan
- 25. @weaverryan use SymfonyComponentSecurityCoreUserUserInterface; class User implements UserInterface { }
- 26. class User implements UserInterface { private $username; public function __construct($username) { $this->username = $username; } public function getUsername() { return $this->username; } public function getRoles() { return ['ROLE_USER']; } // … } a unique identifier (not really used anywhere)
- 27. @weaverryan class User implements UserInterface { // … public function getPassword() { } public function getSalt() { } public function eraseCredentials() { } } These are only used for users that have an encoded password
- 28. The Hardest Example Ever: Form Login @weaverryan
- 29. A traditional login form setup @weaverryan
- 30. class SecurityController extends Controller { /** * @Route("/login", name="security_login") */ public function loginAction() { return $this->render('security/login.html.twig'); } /** * @Route("/login_check", name="login_check") */ public function loginCheckAction() { // will never be executed } }
- 31. <form action="{{ path('login_check') }}” method="post"> <div> <label for="username">Username</label> <input name="_username" /> </div> <div> <label for="password">Password:</label> <input type="password" name="_password" /> </div> <button type="submit">Login</button> </form>
- 33. class FormLoginAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 34. public function getCredentials(Request $request) { if ($request->getPathInfo() != '/login_check') { return; } return [ 'username' => $request->request->get('_username'), 'password' => $request->request->get('_password'), ]; } Grab the “login” credentials! @weaverryan
- 35. public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; $user = new User(); $user->setUsername($username); return $user; } Create/Load that User! @weaverryan
- 36. public function checkCredentials($credentials, UserInterface $user) { $password = $credentials['password']; if ($password == 'santa' || $password == 'elves') { return; } return true; } Are the credentials correct? @weaverryan
- 37. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); } Crap! Auth failed! Now what!? @weaverryan
- 38. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { $url = $this->router->generate('homepage'); return new RedirectResponse($url); } Amazing. Auth worked. Now what? @weaverryan
- 39. public function start(Request $request) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); } Anonymous user went to /admin now what? @weaverryan
- 40. Register as a service services: form_login_authenticator: class: AppBundleSecurityFormLoginAuthenticator arguments: [‘@router’] @weaverryan
- 41. Activate in your firewall security: firewalls: main: anonymous: ~ logout: ~ guard: authenticators: - form_login_authenticator @weaverryan
- 42. AbstractFormLoginAuthenticator Free login form authenticator code @weaverryan
- 43. User Providers (This has nothing to do with Guard) @weaverryan
- 44. Every App has a User class @weaverryan And the Christmas spirit
- 45. Each User Class Needs 1 User Provider @weaverryan
- 46. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } }
- 48. security: providers: elves: id: festive_user_provider firewalls: main: anonymous: ~ logout: ~ # this is optional as there is only 1 provider provider: elves guard: authenticators: [form_login_authenticator] Boom! Optional Boom!
- 49. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } But why!?
- 50. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } refresh from the session
- 51. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } switch_user, remember_me
- 52. Slightly more wonderful: Loading a User from the Database @weaverryan
- 53. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { $user = $this->em->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); if (!$user) { throw new UsernameNotFoundException(); } return $user; } } @weaverryan (of course, the “entity” user provider does this automatically)
- 54. public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; //return $userProvider->loadUserByUsername($username); return $this->em ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); } FormLoginAuthenticator you can use this if you want to … or don’t!
- 55. Easiest Example ever: Api Token Authentication @weaverryan Jolliest
- 56. 1) Client sends a token on an X- API-TOKEN header 2) We load a User associated with that token class User implements UserInterface { /** * @ORMColumn(type="string") */ private $apiToken; // ... }
- 57. class ApiTokenAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 58. public function getCredentials(Request $request) { return $request->headers->get('X-API-TOKEN'); } @weaverryan
- 59. public function getUser($credentials, UserProviderInterface $userProvider) { $apiToken = $credentials; return $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); } @weaverryan
- 60. OR If you use JWT, get the payload from the token and load the User from it @weaverryan
- 61. public function checkCredentials($credentials, UserInterface $user) { // no credentials to check return true; } @weaverryan
- 62. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); } @weaverryan
- 63. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { // let the request continue to the controller return; } @weaverryan
- 64. Register as a service services: api_token_authenticator: class: AppBundleSecurityApiTokenAuthenticator arguments: - '@doctrine.orm.entity_manager' @weaverryan
- 65. Activate in your firewall security: # ... firewalls: main: # ... guard: authenticators: - form_login_authenticator - api_token_authenticator entry_point: form_login_authenticator which “start” method should be called
- 66. curl http://localhost:8000/secure <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="1;url=/login" /> <title>Redirecting to /login</title> </head> <body> Redirecting to <a href="/login">/login</a>. </body> </html> @weaverryan
- 67. curl --header "X-API-TOKEN: BAD" http://localhost:8000/secure {"message":"Username could not be found."} @weaverryan
- 68. curl --header "X-API-TOKEN: GOOD" http://localhost:8000/secure {"message":"Hello from the secureAction!"} @weaverryan
- 70. ! AUTHENTICATOR /facebook/check?code=abc give me user info! load a User object " User !
- 72. @weaverryan services: app.facebook_provider: class: LeagueOAuth2ClientProviderFacebook arguments: - clientId: %facebook_app_id% clientSecret: %facebook_app_secret% graphApiVersion: v2.3 redirectUri: "..." @=service('router').generate('connect_facebook_check', {}, true)
- 73. @weaverryan public function connectFacebookAction() { // redirect to Facebook $facebookOAuthProvider = $this->get('app.facebook_provider'); $url = $facebookOAuthProvider->getAuthorizationUrl([ // these are actually the default scopes 'scopes' => ['public_profile', 'email'], ]); return $this->redirect($url); } /** * @Route("/connect/facebook-check", name="connect_facebook_check") */ public function connectFacebookActionCheck() { // will not be reached! }
- 74. class FacebookAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 75. public function getCredentials(Request $request) { if ($request->getPathInfo() != '/connect/facebook-check') { return; } return $request->query->get('code'); } @weaverryan
- 76. public function getUser($credentials, …) { $authorizationCode = $credentials; $facebookProvider = $this->container->get('app.facebook_provider'); $accessToken = $facebookProvider->getAccessToken( 'authorization_code', ['code' => $authorizationCode] ); /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ... } @weaverryan
- 77. Now, have some hot chocolate! @weaverryan
- 78. public function getUser($credentials, …) { // ... /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ... $em = $this->container->get('doctrine')->getManager(); // 1) have they logged in with Facebook before? Easy! $user = $em->getRepository('AppBundle:User') ->findOneBy(array('email' => $facebookUser->getEmail())); if ($user) { return $user; } // ... } @weaverryan
- 79. public function getUser($credentials, ...) { // ... // 2) no user? Perhaps you just want to create one // (or redirect to a registration) $user = new User(); $user->setUsername($facebookUser->getName()); $user->setEmail($facebookUser->getEmail()); $em->persist($user); $em->flush(); return $user; } @weaverryan
- 80. public function checkCredentials($credentials, UserInterface $user) { // nothing to do here! } public function onAuthenticationFailure(Request $request ...) { // redirect to login } public function onAuthenticationSuccess(Request $request ...) { // redirect to homepage / last page } @weaverryan
- 82. Can I control the error message? @weaverryan
- 83. @weaverryan If authentication failed, it is because an AuthenticationException (or sub-class) was thrown (This has nothing to do with Guard)
- 84. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); } @weaverryan Christmas miracle! The exception is passed when authentication fails AuthenticationException has a hardcoded getMessageKey() “safe” string Invalid credentials.
- 85. public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } Throw an AuthenticationException at any time in these 3 methods
- 86. How can I customize the message? @weaverryan Create a new sub-class of AuthenticationException for each message and override getMessageKey()
- 88. public function getUser($credentials, ...) { $apiToken = $credentials; $user = $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); if (!$user) { throw new CustomUserMessageAuthenticationException( 'That API token is not very jolly' ); } return $user; } @weaverryan
- 89. I need to manually authenticate my user @weaverryan
- 90. public function registerAction(Request $request) { $user = new User(); $form = // ... if ($form->isValid()) { // save the user $guardHandler = $this->container ->get('security.authentication.guard_handler'); $guardHandler->authenticateUserAndHandleSuccess( $user, $request, $this->get('form_login_authenticator'), 'main' // the name of your firewall ); // redirect } // ... }
- 91. I want to save a lastLoggedInAt field on my user no matter *how* they login @weaverryan
- 92. Chill… that was already possible SecurityEvents::INTERACTIVE_LOGIN @weaverryan
- 93. class LastLoginSubscriber implements EventSubscriberInterface { public function onInteractiveLogin(InteractiveLoginEvent $event) { /** @var User $user */ $user = $event->getAuthenticationToken()->getUser(); $user->setLastLoginTime(new DateTime()); $this->em->persist($user); $this->em->flush($user); } public static function getSubscribedEvents() { return [ SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin' ]; } } @weaverryan
- 94. All of these features are available now! @weaverryan Thanks 2.8!
- 97. @weaverryan Ok, what just happened?
- 98. 1. User implements UserInterface @weaverryan
- 100. 3. Create your authenticator(s) @weaverryan
- 102. @weaverryan PHP & Symfony Video Tutorials KnpUniversity.com Thank You!