
Possibility to not store token

Open Orkin opened this issue 5 years ago • 2 comments

Hi, thanks for this good bundle.

I have my own bundle for now because this one did not exist. I had looked and the architecture is pretty smart. I have one suggestion: because access tokens are self-signed it is not necessary to store them (especially for big-traffic architectures), because we have all that we need to check access token validity.

With this behavior it's not possible to revoke a token, but it can be done on the user object with a flag, or accept that a "revoked" user can access the platform until the token expires (~1h00 for common usage).

What do you think about adding this kind of feature?

Orkin avatar Jul 29 '20 15:07 Orkin

Well, for example the interface from the league server says this for the access token repository:

Persists a new access token to permanent storage.

https://github.com/thephpleague/oauth2-server/blob/8.1.1/src/Repositories/AccessTokenRepositoryInterface.php#L34

But I guess that the feature request in general is legit (if it can be done properly, and off the top of my head I don't see why it wouldn't be possible).

So basically there would have to be null implementations of the League repository interfaces which could be used instead of the current Doctrine implementation (which could be configurable and depending on the config a different implementation would be set for autowiring by the bundle extension class). The default would still have to be the Doctrine implementation for BC reasons.

A PR would be highly appreciated.

X-Coder264 avatar Jul 29 '20 21:07 X-Coder264

Yes, for example this is the implementation I have on my side, it's pretty simple to do it:

```php
<?php

declare(strict_types=1);

use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;

// AccessToken is the author's own entity class; its namespace is not shown in the issue.

/**
 * Null access-token repository: tokens are self-signed JWTs, so nothing is persisted
 * and revocation is never reported (see the discussion above for the trade-off).
 */
class AccessTokenRepository implements AccessTokenRepositoryInterface
{
    /**
     * Create a new access token
     *
     * @param ClientEntityInterface  $clientEntity
     * @param ScopeEntityInterface[] $scopes
     * @param mixed                  $userIdentifier
     *
     * @return AccessTokenEntityInterface
     */
    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null): AccessTokenEntityInterface
    {
        return new AccessToken($clientEntity, $scopes, (string) $userIdentifier);
    }

    /**
     * Persists a new access token to permanent storage.
     *
     * @param AccessTokenEntityInterface $accessTokenEntity
     *
     * @throws UniqueTokenIdentifierConstraintViolationException
     */
    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void
    {
        // Intentionally a no-op: the signed token carries everything needed to validate it.
    }

    /**
     * Revoke an access token.
     *
     * @param string $tokenId
     */
    public function revokeAccessToken($tokenId): void
    {
        // Intentionally a no-op: with no storage there is nothing to mark as revoked.
    }

    /**
     * Check if the access token has been revoked.
     *
     * @param string $tokenId
     *
     * @return bool Return true if this token has been revoked
     */
    public function isAccessTokenRevoked($tokenId): bool
    {
        // Never revoked at the token level; the token stays valid until it expires.
        return false;
    }
}
```

It needs to be only for AccessToken, not for RefreshToken, because when you want to revoke an access token, as you can't revoke it, you can at least revoke the refresh token and flag the user.

For this feature we need to not use the AccessToken.ORM.xml mapping. Any suggestion to do it properly? I will work on a PR tomorrow.

Orkin avatar Jul 29 '20 22:07 Orkin
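The thread's trade-off, as an added example that is neither the bundle's code nor the issue author's: with the null repository above, the resource server never consults a token table, so the only checks left are the JWT signature and its `exp` claim, plus whatever "flag on the user object" stands in for revocation. The script below issues an RS256 token with the claim names the League server uses (`jti`, `sub`, `iat`, `exp`, `scopes`), verifies it statelessly, and approximates revocation with a hypothetical per-user `tokens_invalid_before` timestamp: bumping it invalidates every token issued earlier. The key pair, user record and claims are all constructed inline so it runs offline; the `$users` array and its field names are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from trikoder/oauth2-bundle or from the issue author.
// Stateless access-token validation plus the per-user revocation flag the thread
// discusses. Key pair, user store and claims are constructed here for the demo.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// Issue an RS256 JWT (PKCS#1 v1.5 over SHA-256, as openssl_sign produces it).
function issue_token(string $privateKeyPem, array $claims): string
{
    $header = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
    $payload = base64url_encode(json_encode($claims));
    $signature = '';
    openssl_sign("$header.$payload", $signature, $privateKeyPem, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . base64url_encode($signature);
}

// Stateless check: no token table. Revocation is approximated by the user's
// (hypothetical) tokens_invalid_before timestamp: any token issued before it is rejected.
function verify_token(string $jwt, string $publicKeyPem, array $users, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return ['ok' => false, 'reason' => 'malformed'];
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm; the token must not choose how it is verified.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return ['ok' => false, 'reason' => 'unexpected alg'];
    }
    if (openssl_verify("$h.$p", base64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return ['ok' => false, 'reason' => 'bad signature'];
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp'], $claims['iat'], $claims['sub'])) {
        return ['ok' => false, 'reason' => 'missing claims'];
    }
    if ($now >= (int) $claims['exp']) {
        return ['ok' => false, 'reason' => 'expired'];
    }
    $user = $users[$claims['sub']] ?? null;
    if ($user === null || !$user['active']) {
        return ['ok' => false, 'reason' => 'user disabled'];
    }
    if ((int) $claims['iat'] < $user['tokens_invalid_before']) {
        return ['ok' => false, 'reason' => 'revoked by user flag'];
    }
    return ['ok' => true, 'reason' => '', 'claims' => $claims];
}

// --- demo with a constructed key pair and user record ---
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

$now = time();
$users = ['user-42' => ['active' => true, 'tokens_invalid_before' => 0]]; // constructed
$jwt = issue_token($privatePem, [
    'jti' => bin2hex(random_bytes(16)), 'sub' => 'user-42',
    'iat' => $now, 'exp' => $now + 3600, 'scopes' => ['profile'],
]);

printf("fresh token:     %s\n", verify_token($jwt, $publicPem, $users, $now)['reason'] ?: 'ok');
printf("after expiry:    %s\n", verify_token($jwt, $publicPem, $users, $now + 3601)['reason']);

// "Revoke" the user by bumping the flag: tokens issued before it stop validating at once.
$users['user-42']['tokens_invalid_before'] = $now + 1;
printf("after user flag: %s\n", verify_token($jwt, $publicPem, $users, $now)['reason']);

// A modified payload no longer matches the signature, so it is rejected without any lookup.
[$h, , $s] = explode('.', $jwt);
$tampered = "$h." . base64url_encode(json_encode(['sub' => 'user-42', 'iat' => $now, 'exp' => $now + 86400])) . ".$s";
printf("tampered token:  %s\n", verify_token($tampered, $publicPem, $users, $now)['reason']);
```

The user-level flag is coarser than per-token revocation (it invalidates all of a user's outstanding tokens, not one), which is exactly the trade-off the thread accepts in exchange for not writing a row per issued token; keeping access-token lifetimes short bounds how long a stale token stays usable when no flag is set.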