
Logical authorization bug

Open · WagnerPMC opened this issue 2 years ago · 1 comment

Hello there!

Please see https://github.com/thephpleague/oauth2-server-bundle/blob/7b25756bdee0321d55d11b7dc39fff11aacfd7ec/src/Controller/AuthorizationController.php#L106

This is where we convert the Symfony UserInterface into a League UserEntityInterface

I think it would be more correct to remove this transformation, and in the getUser() and setUser() methods of the AuthorizationRequestResolveEvent event we need to pass only League UserEntityInterface, and the task of transforming the current user into League UserEntityInterface should be passed to the programmer.

I should also point out that we do not need to use a Symfony user to release an access_token, because we can also have Telegram users as separate entities in addition to them.

So it would be more correct to assign UserEntityInterface directly to the line I specified, instead of redoing the Symfony UserInterface object.

upd. Also within this Issue, in my opinion, it is necessary to detach the AuthorizationRequestUserResolvingListener

WagnerPMC, Mar 15 '22 02:03

I think you are proposing an advanced use case that can be implemented by overriding some defaults.

> I think it would be more correct to remove this transformation, and in the getUser() and setUser() methods of the AuthorizationRequestResolveEvent event we need to pass only League UserEntityInterface, and the task of transforming the current user into League UserEntityInterface should be passed to the programmer

The programmer can control the transformation from Symfony UserInterface into League UserEntityInterface implementing a custom UserConverterInterface and defining it in the Symfony container.

> I should also point out that we do not need to use a Symfony user to release an access_token, because we can also have Telegram users as separate entities in addition to them.

You could transform your Telegram user entity class to implement the Symfony UserInterface and create a custom league.oauth2_server.event.authorization_request_resolve listener that injects your Telegram user entity into the event.

> upd. Also within this Issue, in my opinion, it is necessary to detach the AuthorizationRequestUserResolvingListener

You can implement a custom

If the custom event listener is executed after the AuthorizationRequestUserResolvingListener you can overwrite the UserInterface set into the event.

ajgarlag, Mar 15 '22 07:03
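An added example (not code from the bundle or from either commenter) of the approach described in this reply: a Telegram account exposed as a Symfony UserInterface, a listener on league.oauth2_server.event.authorization_request_resolve that runs after the bundle's AuthorizationRequestUserResolvingListener and overrides the user set on the event, and a custom UserConverterInterface registered in the container. Assumed: the default listener's priority of 1024, the toLeague() converter signature, and the TelegramSessionResolver helper.

```php
<?php
// Added example, not the bundle's own code. Assumptions: the bundle's default
// AuthorizationRequestUserResolvingListener runs at priority 1024, the converter
// signature toLeague(?UserInterface): UserEntityInterface, and the
// TelegramSessionResolver helper (defined below as an interface).

namespace App\OAuth2;

use League\Bundle\OAuth2ServerBundle\Converter\UserConverterInterface;
use League\Bundle\OAuth2ServerBundle\Event\AuthorizationRequestResolveEvent;
use League\OAuth2\Server\Entities\UserEntityInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\Security\Core\User\UserInterface;

/** Telegram account exposed as a Symfony user (so setUser() accepts it) and as a League user entity. */
final class TelegramUser implements UserInterface, UserEntityInterface
{
    public function __construct(private readonly int $telegramId) {}
    public function getIdentifier(): string { return 'tg:' . $this->telegramId; } // becomes the token subject
    public function getUserIdentifier(): string { return $this->getIdentifier(); }
    public function getRoles(): array { return ['ROLE_TELEGRAM_USER']; }
    public function eraseCredentials(): void {}
}

/** Hypothetical helper: returns the Telegram user whose login was verified earlier in this session, or null. */
interface TelegramSessionResolver
{
    public function currentVerifiedUser(): ?TelegramUser;
}

/** Priority 0 runs after the bundle's default listener (assumed 1024), so this overwrites its user. */
#[AsEventListener(event: 'league.oauth2_server.event.authorization_request_resolve', priority: 0)]
final class TelegramAuthorizationRequestListener
{
    public function __construct(private readonly TelegramSessionResolver $sessions) {}

    public function __invoke(AuthorizationRequestResolveEvent $event): void
    {
        // Only a verified Telegram login may become the token subject; with none,
        // leave the event untouched rather than inject an unauthenticated identity.
        $user = $this->sessions->currentVerifiedUser();
        if ($user instanceof TelegramUser) {
            $event->setUser($user);
        }
    }
}

/** Custom converter: alias this class to UserConverterInterface in the container. */
final class TelegramUserConverter implements UserConverterInterface
{
    public function toLeague(?UserInterface $user): UserEntityInterface
    {
        if ($user instanceof TelegramUser) {
            return $user; // already a League user entity, no second transformation needed
        }
        throw new \LogicException('Only verified Telegram users may be issued tokens');
    }
}
```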