HWIOAuthBundle
Set the redirect_uri parameter when requesting the access_token
When requesting an OAuth token you have to set the "redirect_uri" parameter. Currently the redirect_uri being passed to the request that requests the token is, for Google, "/login/check-google".
I've got an AngularJS client which requests the authorization_token and then calls /login/check-google with a redirectUri and a code parameter.
The issue is that the authorization_token has been requested with the client's URI (currently http://localhost:3000), but the access_token requested by HWIOAuthBundle isn't made with the same redirectUri, leading to an "invalid redirect_uri" error.
I've found that the job is done in GenericOAuth2ResourceOwner::getAccessToken(). If I hardcode the redirect_uri key to http://localhost:3000 it works fine. But I haven't found a way to override this parameter. Is there a way to do this or do we need a PR?
Here's an (ugly) workaround: I've copied the OAuthListener and declared the service in my bundle. Then I've edited attemptAuthentication() like so:
    // Prefer the redirect URI the client sent along with the code; fall back to the check path
    $redirectUri = $request->get('redirectUri') ? $request->get('redirectUri')
        : $this->httpUtils->createRequest($request, $checkPath)->getUri();
    $accessToken = $resourceOwner->getAccessToken(
        $request,
        $redirectUri
    );
It's ugly for two reasons:
- I've got code duplication
- I have to duplicate the entire listener! I can't make it extend the HWIOAuthBundle's listener and only redefine attemptAuthentication() because $resourceOwnerMap is private and has no getter :/
So either provide a way to change the redirect_uri parameter being passed when requesting the token or expose $resourceOwnerMap (and maybe $checkPaths) to ease extending the listener.
Have the same issue. As a temporary solution, override the class parameter:
    # app/config/services.yml
    parameters:
        hwi_oauth.authentication.listener.oauth.class: AppBundle\Security\OAuthListener
And copy \HWI\Bundle\OAuthBundle\Security\Http\Firewall\OAuthListener.php (can't extend it and override only one method, because there are private methods).
@madmis That's exactly the solution I'm describing in my post ;)
@devantoine, sorry man, I was inattentive.
But anyway, your post helped me.
Is this resolved? I think it'd be really useful since more and more apps are going headless
Same issue here.
And apparently the override described above does not work, as this OAuthListener is entirely different now. Any suggestions? Maybe there's a way to do it now, 6 years later.
For the ones who used OAuthListener to override redirect_uri with "postmessage": sadly, it no longer works with Symfony 6.2 and HWIOAuthBundle 2.0-BETA2 due to the fact that the old authentication was removed in Symfony 6.
To make it work with Symfony 6+/HWIOAuthBundle 2.0-BETA-2:
- Copy GoogleResourceOwner from HWIOAuthBundle somewhere into your project
- Override the getAccessToken method and in the $parameters array set 'postmessage' instead of the $redirectUri argument:
    public function getAccessToken(HttpRequest $request, $redirectUri, array $extraParameters = [])
    {
        OAuthErrorHandler::handleOAuthError($request);

        // Send Google's special 'postmessage' value instead of the bundle's check-path URI
        $parameters = array_merge([
            'code' => $request->query->get('code'),
            'grant_type' => 'authorization_code',
            'redirect_uri' => 'postmessage',
        ], $extraParameters);

        // ... remainder of the method as in the original GoogleResourceOwner (not shown in the comment)
    }
- Register the custom resource owner:
    hwi_oauth:
        resource_owners:
            google_custom:
                type: oauth2
                class: <overriden GoogleResourceOwner class>
                client_id: "%your google client_id param or env%"
                client_secret: "%your google client_secret param or env%"
                scope: "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"
                options:
                    access_type: offline
- Use google_custom everywhere you would normally use the google resource_owner
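An added example (not code from this thread or from HWIOAuthBundle) that simulates the provider-side check behind the "invalid redirect_uri" error discussed above: the token endpoint compares the redirect_uri in the token request with the one bound to the code when it was issued, so a code obtained by the SPA with http://localhost:3000 cannot be exchanged using the bundle's /login/check-google path. The registered URIs, hostnames and ports are constructed values.

```python
"""Simulated authorization-server checks for redirect_uri binding (RFC 6749 4.1.3)."""
import secrets

# Constructed registration data for one OAuth client (assumed values).
REGISTERED_REDIRECT_URIS = {
    "http://localhost:3000",                     # the SPA origin
    "http://localhost:8000/login/check-google",  # the server-side check path
}

# code -> redirect_uri that was bound to it at authorization time
_issued_codes = {}


def authorize(redirect_uri: str) -> str:
    """Authorization endpoint: a code is only issued to an exactly registered URI."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:  # exact match, no prefix rules
        raise ValueError("redirect_uri_mismatch: not registered")
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = redirect_uri
    return code


def exchange(code: str, redirect_uri: str) -> dict:
    """Token endpoint: the code is consumed on first use (success or not)
    and must be presented with the same redirect_uri it was issued for."""
    bound = _issued_codes.pop(code, None)
    if bound is None:
        return {"error": "invalid_grant", "error_description": "unknown or used code"}
    if bound != redirect_uri:
        return {"error": "invalid_grant", "error_description": "invalid redirect_uri"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo() -> tuple:
    """Reproduce the mismatch from the thread, then the working exchange."""
    # 1. The SPA obtains the code with its own origin as redirect_uri.
    code = authorize("http://localhost:3000")
    # 2. The server-side exchange sends its check path instead -> rejected.
    failed = exchange(code, "http://localhost:8000/login/check-google")
    # 3. A fresh code exchanged with the same redirect_uri as in step 1 -> token.
    ok = exchange(authorize("http://localhost:3000"), "http://localhost:3000")
    return failed.get("error_description", ""), ok.get("token_type", "")
```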
This issue was closed because it has been stalled for 5 days with no activity.