
Don’t hand out token to disabled/locked users

Open ddeboer opened this issue 11 years ago • 23 comments

PR #277 added preAuth checks so disabled and locked users are now properly denied authentication.

However, these checks only apply after the user has received an OAuth token. So disabled/locked users are still able to retrieve an OAuth token (through password grant type). I think the OAuth server should not hand out tokens to such users. So does it make sense to add the UserChecker to checkUserCredentials too? If you agree, I can open up a PR for this.

ddeboer avatar Oct 14 '14 06:10 ddeboer

Please can this PR be reviewed... it will be a great addition to the bundle! I have been looking around for a similar functionality.

codemedic avatar Nov 01 '14 13:11 codemedic

I agree that this should be the behaviour and would welcome its implementation. I'd be happy to submit a PR if you've not already made the changes yourself, @ddeboer, and there's agreement that this functionality should be implemented.

abulford avatar Nov 10 '14 14:11 abulford

@abulford I wanted to wait for a go from (some of) the bundle maintainers before doing any further work, but please go ahead and submit your PR. We can then structure any disagreements around your PR.

ddeboer avatar Nov 10 '14 14:11 ddeboer

OK, well I'm on holiday at the moment until Tuesday week, so will look into putting something together when I get back. I'm obviously also very happy for one of the bundle maintainers to have a go, though!

abulford avatar Nov 15 '14 22:11 abulford

Hi, any news about this? In this case, should I throw OAuth2AuthenticateException or just return false?

aitboudad avatar Nov 28 '14 11:11 aitboudad

+1 - having the same problem

karolsojko avatar Jan 23 '15 13:01 karolsojko

+1

dadamssg avatar Apr 22 '15 15:04 dadamssg

+1

hlecorche avatar Nov 04 '15 11:11 hlecorche

+1 any news about this issue?

mkosiedowski avatar Jul 18 '16 08:07 mkosiedowski

+1

abstractk avatar Nov 07 '16 04:11 abstractk

+1

thomas2411 avatar Dec 20 '16 20:12 thomas2411

@ddeboer @abulford Is there any news on this? We've just discovered this in one of our APIs and are figuring out how to fix this. A solution in FOSOAuthServerBundle itself would of course be very welcome.

ThomasBerends avatar Dec 22 '16 10:12 ThomasBerends

+1

maltehuebner avatar Jan 31 '17 14:01 maltehuebner

Any news about this problem?

ziobudda avatar Feb 28 '17 16:02 ziobudda

+1

t3ran13 avatar Apr 10 '17 11:04 t3ran13

+1

Kubitini avatar Jul 08 '17 16:07 Kubitini

Any news on this? +1

fabsalito avatar Jul 14 '17 20:07 fabsalito

I think we can create a custom user provider and add checks there. This is a workaround until we have a better solution from the maintainers.

# config.yml
fos_oauth_server:
    # ...
    service:
        # service id of your custom user provider
        user_provider: '%your_service_name_here%'

// Custom UserProvider (only loadUserByUsername() shown; refreshUser() and
// supportsClass() are implemented as for any UserProviderInterface)
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;

public function loadUserByUsername($username)
{
    $repository = $this->entityManager->getRepository('YourBundle:User');
    $user = $repository->fetchActiveByUsername($username);

    // Refuse disabled or blocked users here: the OAuth storage catches
    // UsernameNotFoundException and treats it as invalid credentials,
    // so no token is issued for such users.
    if (!$user || !$user->isEnabled() || $user->isBlocked()) {
        throw new UsernameNotFoundException($this->translator->trans('user.not_found'));
    }

    return $user;
}

sukhrobkhakimov avatar Aug 28 '17 18:08 sukhrobkhakimov
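An alternative to the custom user provider above, closer to what the issue asks for: run the firewall's UserChecker inside checkUserCredentials itself, so the password grant refuses disabled/locked users. This is an added example, not code from FOSOAuthServerBundle or from anyone in this thread; the class name, the service id app.oauth_storage and the setUserChecker() injection are assumptions.

```php
<?php
// Added example (not from the bundle). Assumes the bundle's OAuthStorage
// (FOS\OAuthServerBundle\Storage\OAuthStorage) and Symfony's security.user_checker.

namespace App\OAuth;

use FOS\OAuthServerBundle\Storage\OAuthStorage;
use OAuth2\Model\IOAuth2Client;
use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;

class CheckedOAuthStorage extends OAuthStorage
{
    /** @var UserCheckerInterface */
    private $userChecker;

    // Injected via a service "calls" entry (see config comment below).
    public function setUserChecker(UserCheckerInterface $userChecker)
    {
        $this->userChecker = $userChecker;
    }

    public function checkUserCredentials(IOAuth2Client $client, $username, $password)
    {
        // Let the bundle load the user and verify the password first.
        $result = parent::checkUserCredentials($client, $username, $password);
        if (false === $result) {
            return false;
        }

        // Apply the same pre-auth checks the firewall applies (disabled,
        // locked, expired). Returning false makes the server answer with
        // invalid_grant, exactly as for a wrong password, so the response
        // does not reveal why the account was refused.
        try {
            $this->userChecker->checkPreAuth($result['data']);
        } catch (AccountStatusException $e) {
            return false;
        }

        return $result;
    }
}

// config.yml (assumed service id):
//   services:
//     app.oauth_storage:
//       class: App\OAuth\CheckedOAuthStorage
//       parent: fos_oauth_server.storage.default
//       calls: [[setUserChecker, ['@security.user_checker']]]
//   fos_oauth_server:
//     service: { storage: app.oauth_storage }
```

Returning false rather than throwing, as asked earlier in the thread, keeps the error response identical to a failed password check.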

+1

pzienowicz avatar Sep 04 '17 13:09 pzienowicz

+1

patrykzurawik avatar Sep 04 '17 13:09 patrykzurawik

+1

alfons56 avatar Mar 09 '18 15:03 alfons56

@abulford OK, well I'm on holiday at the moment until Tuesday week, so will look into putting something together when I get back. I'm obviously also very happy for one of the bundle maintainers to have a go, though!

Did you ever come back from that holiday?

glennthehuman avatar Oct 30 '18 11:10 glennthehuman

Any update on this issue? Is there any way we can prevent the user from getting the token other than custom user providers?

soorajlv avatar Jun 20 '19 10:06 soorajlv