Require a logged in user to resolve an authorization request

src/Converter/UserConverter.php

@@ -10,34 +10,16 @@
 
 final class UserConverter implements UserConverterInterface
 {
- public const DEFAULT_ANONYMOUS_USER_IDENTIFIER = 'anonymous';
-
- /** @var non-empty-string */
- private string $anonymousUserIdentifier;
-
- /**
- * @param non-empty-string $anonymousUserIdentifier
- */
- public function __construct(string $anonymousUserIdentifier = self::DEFAULT_ANONYMOUS_USER_IDENTIFIER)
- {
- $this->anonymousUserIdentifier = $anonymousUserIdentifier;
- }
-
  /**
+ * @psalm-suppress ArgumentTypeCoercion
  * @psalm-suppress DeprecatedMethod
  * @psalm-suppress UndefinedInterfaceMethod
  */
- public function toLeague(?UserInterface $user): UserEntityInterface
+ public function toLeague(UserInterface $user): UserEntityInterface
  {
  $userEntity = new User();
- if ($user instanceof UserInterface) {
- $identifier = method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername();
- if ('' === $identifier) {
- $identifier = $this->anonymousUserIdentifier;
- }
- } else {
- $identifier = $this->anonymousUserIdentifier;
- }
+
+ $identifier = method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername();
 
  $userEntity->setIdentifier($identifier);
 

src/Converter/UserConverterInterface.php

@@ -9,5 +9,5 @@
 
 interface UserConverterInterface
 {
- public function toLeague(?UserInterface $user): UserEntityInterface;
+ public function toLeague(UserInterface $user): UserEntityInterface;
 }

src/DependencyInjection/Configuration.php

@@ -5,7 +5,6 @@
 namespace League\Bundle\OAuth2ServerBundle\DependencyInjection;
 
 use Defuse\Crypto\Key;
-use League\Bundle\OAuth2ServerBundle\Converter\UserConverter;
 use League\Bundle\OAuth2ServerBundle\Model\AbstractClient;
 use League\Bundle\OAuth2ServerBundle\Model\Client;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
@@ -32,11 +31,6 @@ public function getConfigTreeBuilder(): TreeBuilder
  ->defaultValue('ROLE_OAUTH2_')
  ->cannotBeEmpty()
  ->end()
- ->scalarNode('anonymous_user_identifier')
- ->info('Set a default user identifier for anonymous users')
- ->defaultValue(UserConverter::DEFAULT_ANONYMOUS_USER_IDENTIFIER)
- ->cannotBeEmpty()
- ->end()
  ->end();
 
  return $treeBuilder;

src/DependencyInjection/LeagueOAuth2ServerExtension.php

@@ -8,7 +8,6 @@
 use League\Bundle\OAuth2ServerBundle\AuthorizationServer\GrantTypeInterface;
 use League\Bundle\OAuth2ServerBundle\Command\CreateClientCommand;
 use League\Bundle\OAuth2ServerBundle\Command\GenerateKeyPairCommand;
-use League\Bundle\OAuth2ServerBundle\Converter\UserConverter;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Grant as GrantType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\RedirectUri as RedirectUriType;
 use League\Bundle\OAuth2ServerBundle\DBAL\Type\Scope as ScopeType;
@@ -69,9 +68,6 @@ public function load(array $configs, ContainerBuilder $container)
  $container->findDefinition(OAuth2Authenticator::class)
  ->setArgument(3, $config['role_prefix']);
 
- $container->findDefinition(UserConverter::class)
- ->setArgument(0, $config['anonymous_user_identifier']);
-
  $container->registerForAutoconfiguration(GrantTypeInterface::class)
  ->addTag('league.oauth2_server.authorization_server.grant');
 

src/Event/AuthorizationRequestResolveEvent.php

@@ -42,18 +42,19 @@ final class AuthorizationRequestResolveEvent extends Event
  private $response;
 
  /**
- * @var UserInterface|null
+ * @var UserInterface
  */
  private $user;
 
  /**
  * @param Scope[] $scopes
  */
- public function __construct(AuthorizationRequestInterface $authorizationRequest, array $scopes, ClientInterface $client)
+ public function __construct(AuthorizationRequestInterface $authorizationRequest, array $scopes, ClientInterface $client, UserInterface $user)
  {
  $this->authorizationRequest = $authorizationRequest;
  $this->scopes = $scopes;
  $this->client = $client;
+ $this->user = $user;
  }
 
  public function getAuthorizationResolution(): bool
@@ -102,18 +103,11 @@ public function getClient(): ClientInterface
  /**
  * @psalm-mutation-free
  */
- public function getUser(): ?UserInterface
+ public function getUser(): UserInterface
  {
  return $this->user;
  }
 
- public function setUser(?UserInterface $user): self
- {
- $this->user = $user;
-
- return $this;
- }
-
  /**
  * @return Scope[]
  */

src/Event/AuthorizationRequestResolveEventFactory.php

@@ -6,36 +6,31 @@
 
 use League\Bundle\OAuth2ServerBundle\Converter\ScopeConverterInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
-use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
 
-class AuthorizationRequestResolveEventFactory
-{
- /**
- * @var ScopeConverterInterface
- */
- private $scopeConverter;
-
- /**
- * @var ClientManagerInterface
- */
- private $clientManager;
-
- public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager)
+if (class_exists(Security::class)) {
+ final class AuthorizationRequestResolveEventFactory
  {
- $this->scopeConverter = $scopeConverter;
- $this->clientManager = $clientManager;
- }
+ use AuthorizationRequestResolveEventFactoryTrait;
 
- public function fromAuthorizationRequest(AuthorizationRequestInterface $authorizationRequest): AuthorizationRequestResolveEvent
+ public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager, Security $security)
+ {
+ $this->scopeConverter = $scopeConverter;
+ $this->clientManager = $clientManager;
+ $this->security = $security;
+ }
+ }
+} else {
+ final class AuthorizationRequestResolveEventFactory
  {
- $scopes = $this->scopeConverter->toDomainArray(array_values($authorizationRequest->getScopes()));
-
- $client = $this->clientManager->find($authorizationRequest->getClient()->getIdentifier());
+ use AuthorizationRequestResolveEventFactoryTrait;
 
- if (null === $client) {
- throw new \RuntimeException(\sprintf('No client found for the given identifier \'%s\'.', $authorizationRequest->getClient()->getIdentifier()));
+ public function __construct(ScopeConverterInterface $scopeConverter, ClientManagerInterface $clientManager, LegacySecurity $security)
+ {
+ $this->scopeConverter = $scopeConverter;
+ $this->clientManager = $clientManager;
+ $this->security = $security;
  }
-
- return new AuthorizationRequestResolveEvent($authorizationRequest, $scopes, $client);
  }
 }

src/Event/AuthorizationRequestResolveEventFactoryTrait.php

@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Event;
+
+use League\Bundle\OAuth2ServerBundle\Converter\ScopeConverterInterface;
+use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
+use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
+
+/**
+ * @internal
+ */
+trait AuthorizationRequestResolveEventFactoryTrait
+{
+ /**
+ * @var ScopeConverterInterface
+ */
+ private $scopeConverter;
+
+ /**
+ * @var ClientManagerInterface
+ */
+ private $clientManager;
+
+ /**
+ * @var Security|LegacySecurity
+ */
+ private $security;
+
+ public function fromAuthorizationRequest(AuthorizationRequestInterface $authorizationRequest): AuthorizationRequestResolveEvent
+ {
+ $scopes = $this->scopeConverter->toDomainArray(array_values($authorizationRequest->getScopes()));
+
+ $client = $this->clientManager->find($authorizationRequest->getClient()->getIdentifier());
+
+ if (null === $client) {
+ throw new \RuntimeException(\sprintf('No client found for the given identifier \'%s\'.', $authorizationRequest->getClient()->getIdentifier()));
+ }
+
+ $user = $this->security->getUser();
+ if (null === $user) {
+ throw new \RuntimeException('A logged in user is required to resolve the authorization request.');
+ }
+
+ return new AuthorizationRequestResolveEvent($authorizationRequest, $scopes, $client, $user);
+ }
+}

src/Resources/config/services.php

@@ -22,7 +22,6 @@
 use League\Bundle\OAuth2ServerBundle\Converter\UserConverterInterface;
 use League\Bundle\OAuth2ServerBundle\Event\AuthorizationRequestResolveEventFactory;
 use League\Bundle\OAuth2ServerBundle\EventListener\AddClientDefaultScopesListener;
-use League\Bundle\OAuth2ServerBundle\EventListener\AuthorizationRequestUserResolvingListener;
 use League\Bundle\OAuth2ServerBundle\Manager\AccessTokenManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\AuthorizationCodeManagerInterface;
 use League\Bundle\OAuth2ServerBundle\Manager\ClientManagerInterface;
@@ -55,9 +54,11 @@
 use Nyholm\Psr7\Factory\Psr17Factory;
 use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory;
 use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\Security as LegacySecurity;
 
 return static function (ContainerConfigurator $container): void {
  $container->services()
@@ -206,18 +207,6 @@
  ->tag('controller.service_arguments')
  ->alias(AuthorizationController::class, 'league.oauth2_server.controller.authorization')
 
- // Authorization listeners
- ->set('league.oauth2_server.listener.authorization_request_user_resolving', AuthorizationRequestUserResolvingListener::class)
- ->args([
- service('security.helper'),
- ])
- ->tag('kernel.event_listener', [
- 'event' => OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE,
- 'method' => 'onAuthorizationRequest',
- 'priority' => 1024,
- ])
- ->alias(AuthorizationRequestUserResolvingListener::class, 'league.oauth2_server.listener.authorization_request_user_resolving')
-
  // Token controller
  ->set('league.oauth2_server.controller.token', TokenController::class)
  ->args([
@@ -292,6 +281,7 @@
  ->args([
  service(ScopeConverterInterface::class),
  service(ClientManagerInterface::class),
+ service(class_exists(Security::class) ? Security::class : LegacySecurity::class),
  ])
  ->alias(AuthorizationRequestResolveEventFactory::class, 'league.oauth2_server.factory.authorization_request_resolve_event')