Guard Authentication: Powerful, Beautiful Security
•
19 likes•9,378 views
There are so many interesting ways to authenticate a user: via an API token, social login, a traditional HTML form or anything else you can dream up. But until now, creating a custom authentication system in Symfony has meant a lot of files and a lot of complexity. Introducing Guard: a simple, but expandable authentication system built on top of the security component and introduced in Symfony 2.8. Want to authenticate via an API token? Great - that's just one class. Social login? Easy! Have some crazy legacy central authentication system? In this talk, we'll show you how you'd implement any of these in your application today. Don't get me wrong - you'll still need to do some work. But finally, the path will be clear and joyful.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Guard Authentication: Powerful, Beautiful Security
Similar to Guard Authentication: Powerful, Beautiful Security (20)
More from Ryan Weaver
More from Ryan Weaver (16)
Recently uploaded
Recently uploaded (20)
Guard Authentication: Powerful, Beautiful Security
- 1. Guard Authentication: Powerful, Beautiful Security by your friend: Ryan Weaver @weaverryan
- 2. KnpUniversity.com github.com/weaverryan Who is this guy? > Lead for the Symfony documentation > KnpLabs US - Symfony Consulting, training & general Kumbaya > Writer for KnpUniversity.com Tutorials > Husband of the much more talented @leannapelham
- 5. What’s the hardest part of Symfony? @weaverryan
- 7. Authorization Do you have access to do X? @weaverryan
- 10. 1) Grab information from the request @weaverryan
- 11. 2) Load a User @weaverryan
- 12. 3) Validate if the credentials are valid @weaverryan
- 13. 4) authentication success… now what? @weaverryan
- 14. 5) authentication failure … dang, now what?! @weaverryan
- 15. 6) How do we “ask” the user to login? @weaverryan
- 16. 6 Steps 5 Different Classes @weaverryan
- 17. security: firewalls: main: anonymous: ~ logout: ~ form_login: ~ http_basic: ~ some_invented_system_i_created: ~ Each activates a system of these 5 classes @weaverryan
- 19. interface GuardAuthenticatorInterface { public function getCredentials(Request $request); public function getUser($credentials, $userProvider); public function checkCredentials($credentials, UserInterface $user); public function onAuthenticationFailure(Request $request); public function onAuthenticationSuccess(Request $request, $token); public function start(Request $request); public function supportsRememberMe(); } @weaverryan
- 21. It’s getting coal for Christmas!
- 22. You still have to do work (sorry Laravel people) @weaverryan
- 23. But it will be simple @weaverryan https://github.com/knpuniversity/guard-presentation
- 24. You need a User class (This has nothing to do with Guard) @weaverryan
- 25. @weaverryan use SymfonyComponentSecurityCoreUserUserInterface; class User implements UserInterface { }
- 26. class User implements UserInterface { private $username; public function __construct($username) { $this->username = $username; } public function getUsername() { return $this->username; } public function getRoles() { return ['ROLE_USER']; } // … } a unique identifier (not really used anywhere)
- 27. @weaverryan class User implements UserInterface { // … public function getPassword() { } public function getSalt() { } public function eraseCredentials() { } } These are only used for users that have an encoded password
- 28. The Hardest Example Ever: Form Login @weaverryan
- 29. A traditional login form setup @weaverryan
- 30. class SecurityController extends Controller { /** * @Route("/login", name="security_login") */ public function loginAction() { return $this->render('security/login.html.twig'); } /** * @Route("/login_check", name="login_check") */ public function loginCheckAction() { // will never be executed } }
- 31. <form action="{{ path('login_check') }}” method="post"> <div> <label for="username">Username</label> <input name="_username" /> </div> <div> <label for="password">Password:</label> <input type="password" name="_password" /> </div> <button type="submit">Login</button> </form>
- 33. class FormLoginAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 34. public function getCredentials(Request $request) { if ($request->getPathInfo() != '/login_check') { return; } return [ 'username' => $request->request->get('_username'), 'password' => $request->request->get('_password'), ]; } Grab the “login” credentials! @weaverryan
- 35. public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; $user = new User(); $user->setUsername($username); return $user; } Create/Load that User! @weaverryan
- 36. public function checkCredentials($credentials, UserInterface $user) { $password = $credentials['password']; if ($password == 'santa' || $password == 'elves') { return; } return true; } Are the credentials correct? @weaverryan
- 37. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); } Crap! Auth failed! Now what!? @weaverryan
- 38. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { $url = $this->router->generate('homepage'); return new RedirectResponse($url); } Amazing. Auth worked. Now what? @weaverryan
- 39. public function start(Request $request) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); } Anonymous user went to /admin now what? @weaverryan
- 40. Register as a service services: form_login_authenticator: class: AppBundleSecurityFormLoginAuthenticator arguments: [‘@router’] @weaverryan
- 41. Activate in your firewall security: firewalls: main: anonymous: ~ logout: ~ guard: authenticators: - form_login_authenticator @weaverryan
- 42. AbstractFormLoginAuthenticator Free login form authenticator code @weaverryan
- 43. User Providers (This has nothing to do with Guard) @weaverryan
- 44. Every App has a User class @weaverryan And the Christmas spirit
- 45. Each User Class Needs 1 User Provider @weaverryan
- 46. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } }
- 48. security: providers: elves: id: festive_user_provider firewalls: main: anonymous: ~ logout: ~ # this is optional as there is only 1 provider provider: elves guard: authenticators: [form_login_authenticator] Boom! Optional Boom!
- 49. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } But why!?
- 50. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } refresh from the session
- 51. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundleEntityUser'; } } switch_user, remember_me
- 52. Slightly more wonderful: Loading a User from the Database @weaverryan
- 53. class FestiveUserProvider implements UserProviderInterface { public function loadUserByUsername($username) { $user = $this->em->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); if (!$user) { throw new UsernameNotFoundException(); } return $user; } } @weaverryan (of course, the “entity” user provider does this automatically)
- 54. public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; //return $userProvider->loadUserByUsername($username); return $this->em ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); } FormLoginAuthenticator you can use this if you want to … or don’t!
- 55. Easiest Example ever: Api Token Authentication @weaverryan Jolliest
- 56. 1) Client sends a token on an X- API-TOKEN header 2) We load a User associated with that token class User implements UserInterface { /** * @ORMColumn(type="string") */ private $apiToken; // ... }
- 57. class ApiTokenAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 58. public function getCredentials(Request $request) { return $request->headers->get('X-API-TOKEN'); } @weaverryan
- 59. public function getUser($credentials, UserProviderInterface $userProvider) { $apiToken = $credentials; return $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); } @weaverryan
- 60. OR If you use JWT, get the payload from the token and load the User from it @weaverryan
- 61. public function checkCredentials($credentials, UserInterface $user) { // no credentials to check return true; } @weaverryan
- 62. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); } @weaverryan
- 63. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { // let the request continue to the controller return; } @weaverryan
- 64. Register as a service services: api_token_authenticator: class: AppBundleSecurityApiTokenAuthenticator arguments: - '@doctrine.orm.entity_manager' @weaverryan
- 65. Activate in your firewall security: # ... firewalls: main: # ... guard: authenticators: - form_login_authenticator - api_token_authenticator entry_point: form_login_authenticator which “start” method should be called
- 66. curl http://localhost:8000/secure <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="1;url=/login" /> <title>Redirecting to /login</title> </head> <body> Redirecting to <a href="/login">/login</a>. </body> </html> @weaverryan
- 67. curl --header "X-API-TOKEN: BAD" http://localhost:8000/secure {"message":"Username could not be found."} @weaverryan
- 68. curl --header "X-API-TOKEN: GOOD" http://localhost:8000/secure {"message":"Hello from the secureAction!"} @weaverryan
- 70. ! AUTHENTICATOR /facebook/check?code=abc give me user info! load a User object " User !
- 72. @weaverryan services: app.facebook_provider: class: LeagueOAuth2ClientProviderFacebook arguments: - clientId: %facebook_app_id% clientSecret: %facebook_app_secret% graphApiVersion: v2.3 redirectUri: "..." @=service('router').generate('connect_facebook_check', {}, true)
- 73. @weaverryan public function connectFacebookAction() { // redirect to Facebook $facebookOAuthProvider = $this->get('app.facebook_provider'); $url = $facebookOAuthProvider->getAuthorizationUrl([ // these are actually the default scopes 'scopes' => ['public_profile', 'email'], ]); return $this->redirect($url); } /** * @Route("/connect/facebook-check", name="connect_facebook_check") */ public function connectFacebookActionCheck() { // will not be reached! }
- 74. class FacebookAuthenticator extends AbstractGuardAuthenticator { public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { } }
- 75. public function getCredentials(Request $request) { if ($request->getPathInfo() != '/connect/facebook-check') { return; } return $request->query->get('code'); } @weaverryan
- 76. public function getUser($credentials, …) { $authorizationCode = $credentials; $facebookProvider = $this->container->get('app.facebook_provider'); $accessToken = $facebookProvider->getAccessToken( 'authorization_code', ['code' => $authorizationCode] ); /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ... } @weaverryan
- 77. Now, have some hot chocolate! @weaverryan
- 78. public function getUser($credentials, …) { // ... /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ... $em = $this->container->get('doctrine')->getManager(); // 1) have they logged in with Facebook before? Easy! $user = $em->getRepository('AppBundle:User') ->findOneBy(array('email' => $facebookUser->getEmail())); if ($user) { return $user; } // ... } @weaverryan
- 79. public function getUser($credentials, ...) { // ... // 2) no user? Perhaps you just want to create one // (or redirect to a registration) $user = new User(); $user->setUsername($facebookUser->getName()); $user->setEmail($facebookUser->getEmail()); $em->persist($user); $em->flush(); return $user; } @weaverryan
- 80. public function checkCredentials($credentials, UserInterface $user) { // nothing to do here! } public function onAuthenticationFailure(Request $request ...) { // redirect to login } public function onAuthenticationSuccess(Request $request ...) { // redirect to homepage / last page } @weaverryan
- 82. Can I control the error message? @weaverryan
- 83. @weaverryan If authentication failed, it is because an AuthenticationException (or sub-class) was thrown (This has nothing to do with Guard)
- 84. public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); } @weaverryan Christmas miracle! The exception is passed when authentication fails AuthenticationException has a hardcoded getMessageKey() “safe” string Invalid credentials.
- 85. public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } Throw an AuthenticationException at any time in these 3 methods
- 86. How can I customize the message? @weaverryan Create a new sub-class of AuthenticationException for each message and override getMessageKey()
- 88. public function getUser($credentials, ...) { $apiToken = $credentials; $user = $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); if (!$user) { throw new CustomUserMessageAuthenticationException( 'That API token is not very jolly' ); } return $user; } @weaverryan
- 89. I need to manually authenticate my user @weaverryan
- 90. public function registerAction(Request $request) { $user = new User(); $form = // ... if ($form->isValid()) { // save the user $guardHandler = $this->container ->get('security.authentication.guard_handler'); $guardHandler->authenticateUserAndHandleSuccess( $user, $request, $this->get('form_login_authenticator'), 'main' // the name of your firewall ); // redirect } // ... }
- 91. I want to save a lastLoggedInAt field on my user no matter *how* they login @weaverryan
- 92. Chill… that was already possible SecurityEvents::INTERACTIVE_LOGIN @weaverryan
- 93. class LastLoginSubscriber implements EventSubscriberInterface { public function onInteractiveLogin(InteractiveLoginEvent $event) { /** @var User $user */ $user = $event->getAuthenticationToken()->getUser(); $user->setLastLoginTime(new DateTime()); $this->em->persist($user); $this->em->flush($user); } public static function getSubscribedEvents() { return [ SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin' ]; } } @weaverryan
- 94. All of these features are available now! @weaverryan Thanks 2.8!
- 97. @weaverryan Ok, what just happened?
- 98. 1. User implements UserInterface @weaverryan
- 100. 3. Create your authenticator(s) @weaverryan
- 102. @weaverryan PHP & Symfony Video Tutorials KnpUniversity.com Thank You!