Guard Authentication: Powerful, Beautiful Security

Guard Authentication:
Powerful, Beautiful Security
by your friend:
Ryan Weaver
@weaverryan

KnpUniversity.com

github.com/weaverryan
Who is this guy?
> Lead for the Symfony documentation 
> KnpLabs US - Symfony Consulting,

training & general Kumbaya

> Writer for KnpUniversity.com Tutorials
> Husband of the much more

talented @leannapelham

What’s the hardest

part of Symfony?
@weaverryan

Authentication
Who are you?
@weaverryan

Authorization
Do you have access to do X?
@weaverryan

Authentication

in Symfony sucks
@weaverryan

1) Grab information from
the request
@weaverryan

3) Validate if the
credentials are valid
@weaverryan

4) authentication success…
now what?
@weaverryan

5) authentication failure …

dang, now what?!
@weaverryan

6) How do we “ask” the
user to login?
@weaverryan

6 Steps

5 Diﬀerent Classes
@weaverryan

security: 
firewalls: 
main: 
anonymous: ~ 
logout: ~ 
 
form_login: ~ 
http_basic: ~ 
some_invented_system_i_created: ~ 
Each activates a system of these 5 classes
@weaverryan

interface GuardAuthenticatorInterface 
{ 
public function getCredentials(Request $request); 
 
public function getUser($credentials, $userProvider); 
 
public function checkCredentials($credentials, UserInterface $user); 
 
public function onAuthenticationFailure(Request $request); 
 
public function onAuthenticationSuccess(Request $request, $token); 
public function start(Request $request);
 
public function supportsRememberMe(); 
} 
@weaverryan

It’s getting coal for
Christmas!

You still have to do work
(sorry Laravel people)
@weaverryan

But it will be simple
@weaverryan
https://github.com/knpuniversity/guard-presentation

You need a User class
(This has nothing to

do with Guard)
@weaverryan

@weaverryan
use SymfonyComponentSecurityCoreUserUserInterface; 
 
class User implements UserInterface 
{ 
 
}

{ 
private $username; 
 
public function __construct($username) 
{ 
$this->username = $username; 
} 
 
public function getUsername() 
{ 
return $this->username; 
} 
 
public function getRoles() 
{ 
return ['ROLE_USER']; 
} 
 
// … 
}
a unique identiﬁer

(not really used anywhere)

@weaverryan
{ 
// …
 
public function getPassword() 
{ 
} 
public function getSalt() 
{ 
} 
public function eraseCredentials() 
{ 
} 
}
These are only used for users that

have an encoded password

The Hardest Example Ever:
Form Login
@weaverryan

A traditional login form
setup
@weaverryan

class SecurityController extends Controller 
{ 
/** 
* @Route("/login", name="security_login") 
*/ 
public function loginAction() 
{ 
return $this->render('security/login.html.twig'); 
} 
 
/** 
* @Route("/login_check", name="login_check") 
*/ 
public function loginCheckAction() 
{ 
// will never be executed 
} 
}

<form action="{{ path('login_check') }}” method="post"> 
<div> 
<label for="username">Username</label> 
<input name="_username" /> 
</div> 
 
<div> 
<label for="password">Password:</label> 
<input type="password" name="_password" /> 
</div> 
 
<button type="submit">Login</button> 
</form>

Let’s create an
authenticator!
@weaverryan

class FormLoginAuthenticator extends AbstractGuardAuthenticator 
{ 
public function getCredentials(Request $request) 
{ 
} 
 
public function getUser($credentials, UserProviderInterface $userProvider) 
{ 
} 
 
public function checkCredentials($credentials, UserInterface $user) 
{ 
} 
 
public function onAuthenticationFailure(Request $request) 
{ 
} 
 
public function onAuthenticationSuccess(Request $request, TokenInterface $token) 
{ 
} 
 
public function start(Request $request, AuthenticationException $e = null) 
{ 
} 
 
public function supportsRememberMe() 
{ 
} 
}

{ 
if ($request->getPathInfo() != '/login_check') { 
return; 
} 
 
return [ 
'username' => $request->request->get('_username'), 
'password' => $request->request->get('_password'), 
]; 
}
Grab the “login” credentials!
@weaverryan

{ 
$username = $credentials['username']; 
 
$user = new User(); 
$user->setUsername($username); 
 
return $user; 
}
Create/Load that User!
@weaverryan

{ 
$password = $credentials['password']; 
if ($password == 'santa' || $password == 'elves') { 
return; 
} 
 
return true; 
}
Are the credentials correct?
@weaverryan

public function onAuthenticationFailure(Request $request,
AuthenticationException $exception) 
{ 
$url = $this->router->generate('security_login'); 
 
return new RedirectResponse($url); 
}
Crap! Auth failed! Now what!?
@weaverryan

public function onAuthenticationSuccess(Request $request,
TokenInterface $token, $providerKey) 
{ 
$url = $this->router->generate('homepage'); 
 
}
Amazing. Auth worked. Now what?
@weaverryan

public function start(Request $request) 
{ 
$url = $this->router->generate('security_login'); 
 
}
Anonymous user went to /admin

now what?
@weaverryan

Register as a service
services: 
form_login_authenticator: 
class: AppBundleSecurityFormLoginAuthenticator 
arguments: [‘@router’] 
@weaverryan

Activate in your ﬁrewall
security: 
firewalls: 
main: 
anonymous: ~ 
logout: ~ 
guard: 
authenticators: 
- form_login_authenticator
@weaverryan

AbstractFormLoginAuthenticator
Free login form authenticator code
@weaverryan

User Providers

do with Guard)
@weaverryan

Every App has a User class
@weaverryan
And the Christmas spirit

Each User Class Needs 1
User Provider
@weaverryan

class FestiveUserProvider implements UserProviderInterface 
{ 
public function loadUserByUsername($username) 
{ 
// "load" the user - e.g. load from the db 
 
return $user; 
} 
 
public function refreshUser(UserInterface $user) 
{ 
return $user; 
} 
 
public function supportsClass($class) 
{ 
return $class == 'AppBundleEntityUser'; 
} 
}

services: 
festive_user_provider: 
class: AppBundleSecurityFestiveUserProvider 
@weaverryan

security: 
providers: 
elves: 
id: festive_user_provider 
 
firewalls: 
main: 
anonymous: ~ 
logout: ~ 
# this is optional as there is only 1 provider 
provider: elves 
guard: 
authenticators: [form_login_authenticator] 
Boom!
Optional Boom!

{ 
{ 
 
return $user; 
} 
 
{ 
return $user; 
} 
 
{ 
} 
}
But why!?

{ 
{ 
 
return $user; 
} 
 
{ 
return $user; 
} 
 
{ 
} 
}
refresh from the session

{ 
{ 
 
return $user; 
} 
 
{ 
return $user; 
} 
 
{ 
} 
}
switch_user, remember_me

Slightly more wonderful:
Loading a User from the Database
@weaverryan

{ 
{ 
$user = $this->em->getRepository('AppBundle:User') 
->findOneBy(['username' => $username]); 
 
if (!$user) { 
throw new UsernameNotFoundException(); 
} 
 
return $user; 
} 
}
@weaverryan
(of course, the “entity” user
provider does this automatically)

{ 
$username = $credentials['username']; 
//return $userProvider->loadUserByUsername($username); 
 
return $this->em 
->getRepository('AppBundle:User') 
->findOneBy(['username' => $username]); 
}
FormLoginAuthenticator
you can use this if
you want to
… or don’t!

Easiest Example ever:
Api Token Authentication
@weaverryan
Jolliest

1) Client sends a token on an X-
API-TOKEN header

2) We load a User associated
with that token
{ 
/** 
* @ORMColumn(type="string") 
*/ 
private $apiToken; 
 
// ... 
}

class ApiTokenAuthenticator extends AbstractGuardAuthenticator 
{ 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
}

{ 
return $request->headers->get('X-API-TOKEN'); 
}
@weaverryan

{ 
$apiToken = $credentials; 
 
return $this->em 
->findOneBy(['apiToken' => $apiToken]); 
}
@weaverryan

OR
If you use JWT, get the payload from
the token and load the User from it
@weaverryan

{ 
// no credentials to check 
return true; 
} 
@weaverryan

{ 
return new JsonResponse([ 
'message' => $exception->getMessageKey() 
], 401); 
}
@weaverryan

public function onAuthenticationSuccess(Request $request,
TokenInterface $token, $providerKey) 
{ 
// let the request continue to the controller 
return; 
}
@weaverryan

Register as a service
services: 
api_token_authenticator: 
class: AppBundleSecurityApiTokenAuthenticator 
arguments: 
- '@doctrine.orm.entity_manager'
@weaverryan

Activate in your ﬁrewall
security: 
# ... 
firewalls: 
main: 
# ... 
guard: 
authenticators: 
- form_login_authenticator 
- api_token_authenticator 
entry_point: form_login_authenticator 
which “start” method should be called

curl http://localhost:8000/secure
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="1;url=/login" />
<title>Redirecting to /login</title>
</head>
<body>
Redirecting to <a href="/login">/login</a>.
</body>
</html>
@weaverryan

curl

--header "X-API-TOKEN: BAD"

http://localhost:8000/secure
{"message":"Username could not be found."}
@weaverryan

curl

--header "X-API-TOKEN: GOOD"

http://localhost:8000/secure
{"message":"Hello from the secureAction!"}
@weaverryan

!
AUTHENTICATOR
/facebook/check?code=abc
give me user info!
load a User object
"
User
!

composer require league/oauth2-facebook
@weaverryan

@weaverryan
services: 
app.facebook_provider: 
class: LeagueOAuth2ClientProviderFacebook 
arguments: 
- 
clientId: %facebook_app_id% 
clientSecret: %facebook_app_secret% 
graphApiVersion: v2.3 
redirectUri: "..." 
@=service('router').generate('connect_facebook_check', {}, true)

@weaverryan
public function connectFacebookAction() 
{ 
// redirect to Facebook 
$facebookOAuthProvider = $this->get('app.facebook_provider'); 
 
$url = $facebookOAuthProvider->getAuthorizationUrl([ 
// these are actually the default scopes 
'scopes' => ['public_profile', 'email'], 
]); 
 
return $this->redirect($url); 
} 
 
/** 
* @Route("/connect/facebook-check", name="connect_facebook_check") 
*/ 
public function connectFacebookActionCheck() 
{ 
// will not be reached! 
}

class FacebookAuthenticator extends AbstractGuardAuthenticator 
{ 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
 
{ 
} 
}

{ 
if ($request->getPathInfo() != '/connect/facebook-check') { 
return; 
} 
 
return $request->query->get('code'); 
}
@weaverryan

public function getUser($credentials, …) 
{ 
$authorizationCode = $credentials; 
 
$facebookProvider = $this->container->get('app.facebook_provider'); 
 
$accessToken = $facebookProvider->getAccessToken( 
'authorization_code', 
['code' => $authorizationCode] 
); 
 
/** @var FacebookUser $facebookUser */ 
$facebookUser = $facebookProvider->getResourceOwner($accessToken); 
 
// ... 
}
@weaverryan

Now, have some hot chocolate!
@weaverryan

public function getUser($credentials, …) 
{
// ...
 
/** @var FacebookUser $facebookUser */ 
$facebookUser = $facebookProvider->getResourceOwner($accessToken); 
 
// ... 
$em = $this->container->get('doctrine')->getManager(); 
 
// 1) have they logged in with Facebook before? Easy! 
$user = $em->getRepository('AppBundle:User') 
->findOneBy(array('email' => $facebookUser->getEmail()));
 
if ($user) { 
return $user; 
}
 
// ... 
}
@weaverryan

public function getUser($credentials, ...) 
{ 
// ... 
 
// 2) no user? Perhaps you just want to create one 
// (or redirect to a registration) 
$user->setUsername($facebookUser->getName()); 
$user->setEmail($facebookUser->getEmail()); 
$em->persist($user); 
$em->flush();
return $user; 
}
@weaverryan

{ 
// nothing to do here! 
} 
 
public function onAuthenticationFailure(Request $request ...) 
{ 
// redirect to login 
} 
 
public function onAuthenticationSuccess(Request $request ...) 
{ 
// redirect to homepage / last page 
}
@weaverryan

Extra Treats

(no coal)
@weaverryan

Can I control the
error message?
@weaverryan

@weaverryan
If authentication failed, it is because

an AuthenticationException

(or sub-class) was thrown

do with Guard)

{ 
return new JsonResponse([ 
'message' => $exception->getMessageKey() 
], 401); 
}
@weaverryan
Christmas miracle! The exception is passed

when authentication fails
AuthenticationException has a hardcoded

getMessageKey() “safe” string
Invalid
credentials.

{ 
} 
 
{ 
} 
 
{ 
} 
Throw an AuthenticationException at any

time in these 3 methods

How can I customize the message?
@weaverryan
Create a new sub-class of
AuthenticationException for each message
and override getMessageKey()

CustomUserMessageAuthenticationException
@weaverryan

public function getUser($credentials, ...) 
{ 
$apiToken = $credentials; 
 
$user = $this->em 
->findOneBy(['apiToken' => $apiToken]); 
 
if (!$user) { 
throw new CustomUserMessageAuthenticationException( 
'That API token is not very jolly' 
); 
} 
 
return $user; 
}
@weaverryan

I need to manually
authenticate my user
@weaverryan

public function registerAction(Request $request) 
{ 
$form = // ... 
 
if ($form->isValid()) { 
// save the user 
 
$guardHandler = $this->container 
->get('security.authentication.guard_handler'); 
 
$guardHandler->authenticateUserAndHandleSuccess( 
$user, 
$request, 
$this->get('form_login_authenticator'), 
'main' // the name of your firewall 
); 
// redirect 
} 
// ... 
}

I want to save a
lastLoggedInAt
ﬁeld on my user no
matter *how* they login
@weaverryan

Chill… that was already
possible
SecurityEvents::INTERACTIVE_LOGIN
@weaverryan

class LastLoginSubscriber implements EventSubscriberInterface 
{ 
public function onInteractiveLogin(InteractiveLoginEvent $event) 
{ 
/** @var User $user */ 
$user = $event->getAuthenticationToken()->getUser(); 
$user->setLastLoginTime(new DateTime()); 
$this->em->persist($user); 
$this->em->flush($user); 
} 
 
public static function getSubscribedEvents() 
{ 
return [ 
SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin' 
]; 
} 
} 
@weaverryan

All of these features

are available now!
@weaverryan
Thanks 2.8!

KnpUGuardBundle
@weaverryan
For those on 2.7

@weaverryan
Ok, what just happened?

1. User implements UserInterface
@weaverryan

3. Create your authenticator(s)
@weaverryan

@weaverryan
PHP & Symfony Video Tutorials
KnpUniversity.com
Thank You!

Guard Authentication: Powerful, Beautiful Security

More Related Content

What's hot

Viewers also liked

Similar to Guard Authentication: Powerful, Beautiful Security

More from Ryan Weaver

Recently uploaded

Guard Authentication: Powerful, Beautiful Security