|
1
|
|
|
<?php |
|
2
|
|
|
/* |
|
3
|
|
|
* This file is part of the KleijnWeb\JwtBundle package. |
|
4
|
|
|
* |
|
5
|
|
|
* For the full copyright and license information, please view the LICENSE |
|
6
|
|
|
* file that was distributed with this source code. |
|
7
|
|
|
*/ |
|
8
|
|
|
namespace KleijnWeb\JwtBundle\Authenticator; |
|
9
|
|
|
|
|
10
|
|
|
use Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface; |
|
11
|
|
|
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; |
|
12
|
|
|
use Symfony\Component\Security\Core\Exception\AuthenticationException; |
|
13
|
|
|
use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken; |
|
14
|
|
|
use Symfony\Component\HttpFoundation\Request; |
|
15
|
|
|
use Symfony\Component\Security\Core\User\UserInterface; |
|
16
|
|
|
use Symfony\Component\Security\Core\User\UserProviderInterface; |
|
17
|
|
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException; |
|
18
|
|
|
|
|
19
|
|
|
/** |
|
20
|
|
|
* @author John Kleijn <[email protected]> |
|
21
|
|
|
*/ |
|
22
|
|
|
class Authenticator implements SimplePreAuthenticatorInterface |
|
|
|
|
|
|
23
|
|
|
{ |
|
24
|
|
|
/** |
|
25
|
|
|
* @var JwtKey[] |
|
26
|
|
|
*/ |
|
27
|
|
|
private $keys = []; |
|
28
|
|
|
|
|
29
|
|
|
/** |
|
30
|
|
|
* @param JwtKey[] $keys |
|
31
|
|
|
*/ |
|
32
|
|
|
public function __construct(array $keys) |
|
33
|
|
|
{ |
|
34
|
|
|
foreach ($keys as $key) { |
|
35
|
|
|
$this->keys[$key->getId()] = $key; |
|
36
|
|
|
} |
|
37
|
|
|
} |
|
38
|
|
|
|
|
39
|
|
|
/** |
|
40
|
|
|
* @param string $id |
|
41
|
|
|
* |
|
42
|
|
|
* @return JwtKey |
|
43
|
|
|
*/ |
|
44
|
|
|
public function getKeyById($id) |
|
45
|
|
|
{ |
|
46
|
|
|
if ($id) { |
|
47
|
|
|
if (!isset($this->keys[$id])) { |
|
48
|
|
|
throw new AuthenticationException("Unknown 'kid' $id"); |
|
49
|
|
|
} |
|
50
|
|
|
|
|
51
|
|
|
return $this->keys[$id]; |
|
52
|
|
|
} |
|
53
|
|
|
if (count($this->keys) > 1) { |
|
54
|
|
|
throw new AuthenticationException("Missing 'kid'"); |
|
55
|
|
|
} |
|
56
|
|
|
|
|
57
|
|
|
return current($this->keys); |
|
|
|
|
|
|
58
|
|
|
} |
|
59
|
|
|
|
|
60
|
|
|
/** |
|
61
|
|
|
* @param Request $request |
|
62
|
|
|
* @param string $providerKey |
|
63
|
|
|
* |
|
64
|
|
|
* @return PreAuthenticatedToken |
|
65
|
|
|
*/ |
|
66
|
|
|
public function createToken(Request $request, $providerKey) |
|
67
|
|
|
{ |
|
68
|
|
|
$tokenString = $request->headers->get('Authorization'); |
|
69
|
|
|
|
|
70
|
|
|
if (0 === strpos($tokenString, 'Bearer ')) { |
|
71
|
|
|
$tokenString = substr($tokenString, 7); |
|
72
|
|
|
} |
|
73
|
|
|
|
|
74
|
|
|
if (!$tokenString) { |
|
75
|
|
|
throw new BadCredentialsException('No API key found'); |
|
76
|
|
|
} |
|
77
|
|
|
|
|
78
|
|
|
try { |
|
79
|
|
|
$token = new JwtToken($tokenString); |
|
80
|
|
|
$key = $this->getKeyById($token->getKeyId()); |
|
81
|
|
|
$key->validateToken($token); |
|
82
|
|
|
} catch (\Exception $e) { |
|
83
|
|
|
throw new AuthenticationException('Invalid key', 0, $e); |
|
84
|
|
|
} |
|
85
|
|
|
|
|
86
|
|
|
return new PreAuthenticatedToken('anon.', $token, $providerKey); |
|
87
|
|
|
} |
|
88
|
|
|
|
|
89
|
|
|
/** |
|
90
|
|
|
* @param TokenInterface $token |
|
91
|
|
|
* @param UserProviderInterface $userProvider |
|
92
|
|
|
* @param string $providerKey |
|
93
|
|
|
* |
|
94
|
|
|
* @return PreAuthenticatedToken |
|
95
|
|
|
*/ |
|
96
|
|
|
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey) |
|
97
|
|
|
{ |
|
98
|
|
|
/** @var $jwtToken JwtToken */ |
|
99
|
|
|
if (!($jwtToken = $token->getCredentials()) instanceof JwtToken) { |
|
100
|
|
|
throw new \UnexpectedValueException("Expected credentials to be a JwtToken object"); |
|
101
|
|
|
} |
|
102
|
|
|
|
|
103
|
|
|
$user = $userProvider->loadUserByUsername($jwtToken->getSubject()); |
|
|
|
|
|
|
104
|
|
|
|
|
105
|
|
|
$user = $this->setUserRolesFromAudienceClaims($user, $token); |
|
106
|
|
|
|
|
107
|
|
|
return new PreAuthenticatedToken($user, $token, $providerKey, $user->getRoles()); |
|
108
|
|
|
} |
|
109
|
|
|
|
|
110
|
|
|
/** |
|
111
|
|
|
* @param TokenInterface $token |
|
112
|
|
|
* @param string $providerKey |
|
113
|
|
|
* |
|
114
|
|
|
* @return bool |
|
115
|
|
|
*/ |
|
116
|
|
|
public function supportsToken(TokenInterface $token, $providerKey) |
|
117
|
|
|
{ |
|
118
|
|
|
return $token instanceof PreAuthenticatedToken && $token->getProviderKey() === $providerKey; |
|
119
|
|
|
} |
|
120
|
|
|
|
|
121
|
|
|
/** |
|
122
|
|
|
* @param UserInterface $user |
|
123
|
|
|
* @param TokenInterface $token |
|
124
|
|
|
* |
|
125
|
|
|
* @return UserInterface |
|
126
|
|
|
*/ |
|
127
|
|
|
public function setUserRolesFromAudienceClaims(UserInterface $user, TokenInterface $token) |
|
128
|
|
|
{ |
|
129
|
|
|
/** @var JwtToken $credentials */ |
|
130
|
|
|
$credentials = $token->getCredentials(); |
|
131
|
|
|
|
|
132
|
|
|
foreach($credentials->getClaims() as $claimKey => $claimValue) |
|
133
|
|
|
{ |
|
134
|
|
|
if($claimKey === 'aud' && method_exists($user, 'addRole')) { |
|
135
|
|
|
if(is_array($claimValue)) { |
|
136
|
|
|
foreach($claimValue as $role) { |
|
137
|
|
|
$user->addRole($role); |
|
|
|
|
|
|
138
|
|
|
} |
|
139
|
|
|
} elseif(is_string($claimValue)) { |
|
140
|
|
|
$user->addRole($claimValue); |
|
|
|
|
|
|
141
|
|
|
} |
|
142
|
|
|
} |
|
143
|
|
|
} |
|
144
|
|
|
|
|
145
|
|
|
return $user; |
|
146
|
|
|
} |
|
147
|
|
|
} |
|
148
|
|
|
|
kleijnweb /
jwt-bundle
Loading history...
This class, trait or interface has been deprecated. The supplier of the file has supplied an explanatory message.
The explanatory message should give you some clue as to whether and when the type will be removed from the class and what other constant to use instead.