I have implemented resource owner administration in a database. The same resource owners are present in the hwi_oauth.yaml file, so I can directly use them. However, I am facing a difficulty. I want to use the name of the resource owner to be redirected to the Google authentication page, for example. That part works fine. The issue arises when I log in, as I’m not going through my OAuthSuccessHandler service. Instead, I am being redirected to /login, as you can see in the security.yaml file under failure_path.
<?php

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Assert;

/**
 * Resource owner stored in the database. Class name inferred from the
 * AuthProviderRepository used in the controller; backslashes in the
 * annotation names restored.
 */
class AuthProvider
{
    /**
     * @ORM\Column(type="string", unique=true)
     */
    private string $name;

    /**
     * @ORM\Column(type="string")
     * @Assert\Choice({"google", "azure"})
     */
    private string $provider;

    /**
     * @ORM\Column(type="string")
     */
    private string $clientId;

    /**
     * @ORM\Column(type="string")
     */
    private string $clientSecret;

    /**
     * @ORM\ManyToOne(targetEntity="App\Entity\Client", inversedBy="resourceOwners")
     * @ORM\JoinColumn(nullable=false)
     */
    private Client $client;
}
security.yaml
security:
    firewalls:
        oauth:
            pattern: ^/(connect|login)
            stateless: false
        main:
            pattern: ^/
            stateless: true
            lazy: true
            provider: my_provider
            jwt: ~
            custom_authenticators:
                - App\Security\ApiKeyAuthenticator
            oauth:
                resource_owners:
                    azure: "/check-azure"
                    google: "/check-google"
                login_path: /login
                use_forward: false
                failure_path: /login
                success_handler: App\Security\OAuthSuccessHandler
                oauth_user_provider:
                    service: App\Provider\SSOUserProvider
    access_control:
        - { path: '^/$', roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
        - { path: '^/login', roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
        - { path: '^/login/{authProviderName}', roles: [ IS_AUTHENTICATED_ANONYMOUSLY ] }
        - { path: '^/connect', roles: [ IS_AUTHENTICATED_FULLY ] }
My route takes the name of a resource owner and redirects to the appropriate provider (it's hard-coded for the Google test, but the idea is to make it generic):
<?php
namespace App\Controller;

use App\Exception\AuthProviderNotFoundException; // namespace assumed
use App\Repository\AuthProviderRepository;       // namespace assumed
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\Routing\Annotation\Route;

final class OAuthController extends AbstractController
{
    /**
     * @Route("/login/{authProviderName}", name="login_redirect_to_provider")
     */
    public function redirectToProvider(AuthProviderRepository $authProviderRepository, string $authProviderName): RedirectResponse
    {
        if (!$authProvider = $authProviderRepository->findOneByName($authProviderName)) {
            throw new AuthProviderNotFoundException();
        }
        $clientId = $authProvider->getClientId();
        $provider = $authProvider->getProvider();
        // Redirect URI points at the bundle's check path for the provider *type*, not the row's name.
        $redirectUrl = "http://project-sf/check-$provider";
        // Google authorization URL copied for the test; no "state" parameter is sent.
        $authUrl = 'https://accounts.google.com/o/oauth2/auth/oauthchooseaccount'
            . '?response_type=code&client_id=' . urlencode($clientId)
            . '&scope=openid%20email%20profile'
            . '&redirect_uri=' . urlencode($redirectUrl)
            . '&service=lso&o2v=1&flowName=GeneralOAuthFlow';
        return new RedirectResponse($authUrl);
    }
}
hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix: /connect

hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix: /login

google_login:
    path: /check-google
    controller: HWI\Bundle\OAuthBundle\Controller\RedirectToServiceController::redirectToServiceAction

azure_login:
    path: /check-azure
    controller: HWI\Bundle\OAuthBundle\Controller\RedirectToServiceController::redirectToServiceAction
The bundle allows assigning names to resource owners, but it is not usable afterwards for redirecting to the correct provider. I am required to specify the provider’s name in the login URL, such as /login/google or /login/azure.
What I would like is to have /login/authproviderName and be redirected to the authentication of the associated provider using the correct client_id, in the case where I have two resource owners of the Google type.
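As an added example (not part of the original post and not HWIOAuthBundle code), here is a generic version of the redirect controller shown above: it picks the authorization endpoint from the row's provider type, uses that row's client_id, gives every resource-owner name its own callback path, and sends an OAuth 2.0 state value that the callback verifies before anything else happens. Assumed names that are not in the original: App\Entity\AuthProvider with getName(), getProvider() and getClientId(); App\Repository\AuthProviderRepository; App\Exception\AuthProviderNotFoundException; the route name login_oauth_callback. Handing the verified code to the bundle's authenticator (the check_path question) is not covered here.

```php
<?php
// Added example, not the original poster's code. Generic per-row redirect with a
// verified "state"; assumed entity/repository/exception names as noted in the lead-in.
namespace App\Controller;

use App\Entity\AuthProvider;
use App\Exception\AuthProviderNotFoundException;
use App\Repository\AuthProviderRepository;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

final class GenericOAuthController extends AbstractController
{
    private const SESSION_KEY = 'oauth_login_state';

    /** Authorization endpoint and scopes per value of the entity's "provider" column. */
    private const PROVIDERS = [
        'google' => [
            'authorize' => 'https://accounts.google.com/o/oauth2/v2/auth',
            'scope'     => 'openid email profile',
        ],
        // Azure AD v2.0 endpoint; "common" accepts any tenant. A real deployment would
        // store the tenant id next to the client id (assumption).
        'azure' => [
            'authorize' => 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
            'scope'     => 'openid email profile',
        ],
    ];

    /**
     * @Route("/login/{authProviderName}", name="login_redirect_to_provider")
     */
    public function redirectToProvider(Request $request, AuthProviderRepository $repository, string $authProviderName): RedirectResponse
    {
        $authProvider = $repository->findOneBy(['name' => $authProviderName]);
        if (!$authProvider instanceof AuthProvider || !isset(self::PROVIDERS[$authProvider->getProvider()])) {
            throw new AuthProviderNotFoundException();
        }
        $type = self::PROVIDERS[$authProvider->getProvider()];

        // 128 bits from the CSPRNG, kept server-side; the provider must echo it back.
        $state = bin2hex(random_bytes(16));
        $request->getSession()->set(self::SESSION_KEY, [
            'state' => $state,
            'name'  => $authProvider->getName(),
        ]);

        // One callback URL per resource-owner *name*, so two Google rows get distinct
        // paths. It stays under ^/(connect|login), the session-backed firewall.
        $redirectUri = $this->generateUrl(
            'login_oauth_callback',
            ['authProviderName' => $authProvider->getName()],
            UrlGeneratorInterface::ABSOLUTE_URL
        );

        $query = http_build_query([
            'response_type' => 'code',
            'client_id'     => $authProvider->getClientId(),
            'redirect_uri'  => $redirectUri,
            'scope'         => $type['scope'],
            'state'         => $state,
        ], '', '&', PHP_QUERY_RFC3986);

        return new RedirectResponse($type['authorize'] . '?' . $query);
    }

    /**
     * @Route("/login/check/{authProviderName}", name="login_oauth_callback")
     */
    public function callback(Request $request, string $authProviderName): Response
    {
        $session  = $request->getSession();
        $expected = $session->get(self::SESSION_KEY);
        $session->remove(self::SESSION_KEY); // single use, whether or not it matches

        $state = (string) $request->query->get('state', '');
        if (!is_array($expected)
            || ($expected['name'] ?? null) !== $authProviderName
            || !hash_equals((string) ($expected['state'] ?? ''), $state)) {
            // A code arriving with a missing or wrong state was not requested by this
            // session (login CSRF); refuse it before any token exchange.
            return new Response('Invalid OAuth state', Response::HTTP_BAD_REQUEST);
        }
        if (!$request->query->has('code')) {
            return new Response('Provider returned no authorization code', Response::HTTP_BAD_REQUEST);
        }
        // The code can now be exchanged for tokens with the row's client_id/client_secret;
        // that exchange is out of scope for this example.
        return new Response('state verified for ' . $authProviderName);
    }
}
```

Two things to keep in mind when trying this: the generated redirect URI (https, one per name) has to be registered verbatim at each provider for that client_id, and the comparison uses hash_equals rather than `===` so the check does not leak timing about the stored value. `/login/check/{authProviderName}` does not collide with `/login/{authProviderName}` because a route placeholder does not match a slash.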
2 Answers
Otherwise, the other solution would be to load different YAML files depending on the clients. I will investigate this option.
I'm trying to have multiple Google resource owners for the Google check path, but I'm encountering this error: Invalid configuration for path 'security.firewalls.main.oauth.resource_owners': Each resource owner should have a unique 'check_path'.