remove /auth from Keycloak Token URL

ABELkeycloakBearerOnlyAdapterBundle.php

@@ -5,15 +5,11 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle;
 
 
 use ABEL\Bundle\keycloakBearerOnlyAdapterBundle\DependencyInjection\ABELkeycloakBearerOnlyAdapterExtension;
-use Symfony\Component\DependencyInjection\Extension\ExtensionInterface;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 class ABELkeycloakBearerOnlyAdapterBundle extends Bundle
 {
-    /**
-     * @return ExtensionInterface|null
-     */
-    public function getContainerExtension(): ?ExtensionInterface
+    public function getContainerExtension()
     {
         if (null === $this->extension) {
             $this->extension = new ABELkeycloakBearerOnlyAdapterExtension();

DependencyInjection/ABELkeycloakBearerOnlyAdapterExtension.php

@@ -27,7 +27,7 @@ class ABELkeycloakBearerOnlyAdapterExtension extends Extension
         $definition->replaceArgument(4, $config['ssl_verification']);
     }
 
-    public function getAlias(): string
+    public function getAlias()
     {
         return 'abel_keycloak_bearer_only_adapter';
     }

README.md

@@ -5,15 +5,10 @@ This Symfony bundle is an adapter that allows securing API using keycloak Bearer
 
 ## Installation
 
-> Befor installing the bundle, automatic packages configuration can be activated with the following command:
-> ```
-> composer config extra.symfony.allow-contrib true
-> ```
-
 With composer:
 
 ```
-composer require abel/keycloak-bearer-only-adapter-bundle
+$ composer require abel/keycloak-bearer-only-adapter-bundle
 ```
 
 ## Configuration
@@ -22,15 +17,6 @@ If you want to set up keycloak locally you can download it [here](https://www.ke
 
 ### Bundle configuration
 
-#### Via a recipe (Automatic)
-This bundle hase a Symfony recipe that allow the automation of configuration via the Symfony Flex Composer plugin.
-To enable recipe for your project, run the following command:
-
-```
-composer config extra.symfony.allow-contrib true
-```
-
-#### Manual
 Having a running keycloak locally or in Docker and already configured a client with **Access Type = bearer-only**
 here is the configuration to use:
 
@@ -41,28 +27,27 @@ abel_keycloak_bearer_only_adapter:
     realm: '%env(OAUTH_KEYCLOAK_REALM)%' # your keycloak realm name
     client_id: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%' # your keycloak client id
     client_secret: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%' # your keycloak client secret
-    #ssl_verification: False # by default ssl_verification is set to False
 ```
 The best practice is to load your configuration from **.env** file.
 
 ```
 # .env
 ...
-###> Abel_keycloak_bearer_only_adapter ###
-OAUTH_KEYCLOAK_ISSUER=keycloak:8080
-OAUTH_KEYCLOAK_REALM=my_realm
-OAUTH_KEYCLOAK_CLIENT_ID=my_bearer_client
-OAUTH_KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
-###< Abel_keycloak_bearer_only_adapter ###
+###> Keycloak ###
+KEYCLOAK_ISSUER=http://keycloak.local:8080
+KEYCLOAK_REALM=my_realm
+KEYCLOAK_CLIENT_ID=my_bearer_client
+KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
+###< Keycloak ###
 ...
 ```
 
 In case of using Keycloak with Docker locally replace **issuer** value with your keycloak container reference in the network
 
-For example, you can use the service name, or container IPAdresse that you can get using this command:
+For example, you can use the container IPAdresse, that you can get using this command:
 
 ```
-docker inspect <container id> | grep "IPAddress"
+$ docker inspect <container id> | grep "IPAddress"
 ```
 ### Symfony security configuration
 
@@ -73,7 +58,6 @@ Here is a simple configuration that restrict access to ```/api/*``` routes only
 ```yaml
 # config/packages/security.yaml
 security:
-    enable_authenticator_manager: true
     providers:
         keycloak_bearer_user_provider:
             id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider
@@ -83,23 +67,13 @@ security:
             security: false
         api:
             pattern: ^/api/
-            provider: keycloak_bearer_user_provider
-            custom_authenticators:
-              - ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
+            guard:
+                provider: keycloak_bearer_user_provider
+                authenticators:
+                    - ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
             stateless: true
+        main:
+            anonymous: ~
     access_control:
         - { path: ^/api/, roles: ROLE_API }
 ```
-> :information_source: Referring to Symfony [documentation](https://symfony.com/doc/5.3/security.html#roles), roles must start with **ROLE_** (otherwise, things won't work as expected)
-### Keycloak configuration
-
-To configure keycloak to work with this bundle, [here](./Resources/docs/keycloak-config-guide.md) is a step by step documentation for a basic configuration of keycloak.
-
-### Compatibility
-
-
-| Bundle Version                                        | Symfony Version    |
-| ------------------------------------------------------|--------------------|
-| V1.0.1                                                | >=4.0.0   <5.0.0   |
-| V1.1.* (uses old authentication systeme with guard)   | >=5.0.0   <6.0.0   |
-| V1.2.* (uses new authentication systeme)              | >=5.3.0   <6.0.0   |

Resources/docs/keycloak-config-guide.md

@@ -1,42 +0,0 @@
-# Keycloak Configuration guide
-
-### Create a realm
-
-We assume that you already have a realm, if not you can create a realm from the Administration UI, go to ```Realm list > Add realm```
-
-![Create a realm](screenshots/create-a-realm.png)
-
-it will appear in the realm list after creation.
-
-### Create a client
-
-You must define a client that will configure the scope of your application security.
-Make sure you already are in your newly created realm and create a new client by going in ```Configure > Clients > Create```.
-
-![Create a client](screenshots/create-a-client.png)
-
-Once created, you can configure it by going in ``` Configure > Clients > [Your client]```
-Here is a sample configuration that work with our bundle :
-
-![Configure client](screenshots/config-client.png)
-> Note that the client Access type is bearer-only.
-
-### Create roles
- 
- In keycloak, roles are an abstraction of permissions for our application (used in security.yaml).
- In our case we need to define a role named **ROLE_API**
- 
- You can configure it in ```Configure > Clients > [Your client] > Roles```
- 
- ![Create a role](screenshots/create-a-role.png)
- 
- ### Assign a role to a user
-
-Last but not least we need to affect our role to our users.
-
-To add role, go to ```Manage > Users > View all users > [Some User] > Role Mappings```.
-
-* In the **Client Roles** dropdown, select your client that contains our role(s).
-* Select Roles in **Available Roles** list, then click **Add selected** to assign role to the user.
-
-And your all done, now you can use your client to secure your API.

Security/Authenticator/KeycloakBearerAuthenticator.php

@@ -3,20 +3,207 @@
 
 namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
 
-use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
-use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
-use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
-use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
-use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
 
-class KeycloakBearerAuthenticator extends AbstractAuthenticator
+class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
 {
 
+    /**
+     * Returns a response that directs the user to authenticate.
+     *
+     * This is called when an anonymous request accesses a resource that
+     * requires authentication. The job of this method is to return some
+     * response that "helps" the user start into the authentication process.
+     *
+     * Examples:
+     *
+     * - For a form login, you might redirect to the login page
+     *
+     *     return new RedirectResponse('/login');
+     *
+     * - For an API token authentication system, you return a 401 response
+     *
+     *     return new Response('Auth header required', 401);
+     *
+     * @param Request $request The request that resulted in an AuthenticationException
+     * @param AuthenticationException|null $authException The exception that started the authentication process
+     *
+     * @return JsonResponse
+     */
+    public function start(Request $request, AuthenticationException $authException = null)
+    {
+        $data = [
+            // you might translate this message
+            'message' => 'Auth header required'
+        ];
+
+        return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
+    }
+
+    /**
+     * Does the authenticator support the given Request?
+     *
+     * If this returns false, the authenticator will be skipped.
+     *
+     * @param Request $request
+     *
+     * @return bool
+     */
+    public function supports(Request $request)
+    {
+        return !empty($request->headers->get('Authorization'));
+    }
+
+    /**
+     * Get the authentication credentials from the request and return them
+     * as any type (e.g. an associate array).
+     *
+     * Whatever value you return here will be passed to getUser() and checkCredentials()
+     *
+     * For example, for a form login, you might:
+     *
+     *      return [
+     *          'username' => $request->request->get('_username'),
+     *          'password' => $request->request->get('_password'),
+     *      ];
+     *
+     * Or for an API token that's on a header, you might use:
+     *
+     *      return ['api_key' => $request->headers->get('X-API-TOKEN')];
+     *
+     * @param Request $request
+     *
+     * @return mixed Any non-null value
+     *
+     * @throws \UnexpectedValueException If null is returned
+     */
+    public function getCredentials(Request $request)
+    {
+        return [
+            'token' => $request->headers->get('Authorization'),
+        ];
+    }
+
+    /**
+     * Return a UserInterface object based on the credentials.
+     *
+     * The *credentials* are the return value from getCredentials()
+     *
+     * You may throw an AuthenticationException if you wish. If you return
+     * null, then a UsernameNotFoundException is thrown for you.
+     *
+     * @param mixed $credentials
+     * @param UserProviderInterface $userProvider
+     *
+     * @throws AuthenticationException
+     *
+     * @return UserInterface|null
+     */
+    public function getUser($credentials, UserProviderInterface $userProvider)
+    {
+        $token = $credentials['token'];
+
+        if (!$token) {
+            throw new BadCredentialsException('Token is not present in the request headers');
+        }
+
+        try {
+            $user = $userProvider->loadUserByUsername($this->formatToken($token));
+        } catch (\Exception $e) {
+            throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
+        }
+
+        return $user;
+
+    }
+
+    /**
+     * Returns true if the credentials are valid.
+     *
+     * If any value other than true is returned, authentication will
+     * fail. You may also throw an AuthenticationException if you wish
+     * to cause authentication to fail.
+     *
+     * The *credentials* are the return value from getCredentials()
+     *
+     * @param mixed $credentials
+     * @param UserInterface $user
+     *
+     * @return bool
+     *
+     * @throws AuthenticationException
+     */
+    public function checkCredentials($credentials, UserInterface $user)
+    {
+        return true;
+    }
+
+    /**
+     * Called when authentication executed, but failed (e.g. wrong username password).
+     *
+     * This should return the Response sent back to the user, like a
+     * RedirectResponse to the login page or a 403 response.
+     *
+     * If you return null, the request will continue, but the user will
+     * not be authenticated. This is probably not what you want to do.
+     *
+     * @param Request $request
+     * @param AuthenticationException $exception
+     *
+     * @return Response|null
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
+    }
+
+    /**
+     * Called when authentication executed and was successful!
+     *
+     * This should return the Response sent back to the user, like a
+     * RedirectResponse to the last page they visited.
+     *
+     * If you return null, the current request will continue, and the user
+     * will be authenticated. This makes sense, for example, with an API.
+     *
+     * @param Request $request
+     * @param TokenInterface $token
+     * @param string $providerKey The provider (i.e. firewall) key
+     *
+     * @return Response|null
+     */
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
+    {
+        return null;
+    }
+
+    /**
+     * Does this method support remember me cookies?
+     *
+     * Remember me cookie will be set if *all* of the following are met:
+     *  A) This method returns true
+     *  B) The remember_me key under your firewall is configured
+     *  C) The "remember me" functionality is activated. This is usually
+     *      done by having a _remember_me checkbox in your form, but
+     *      can be configured by the "always_remember_me" and "remember_me_parameter"
+     *      parameters under the "remember_me" firewall key
+     *  D) The onAuthenticationSuccess method returns a Response object
+     *
+     * @return bool
+     */
+    public function supportsRememberMe()
+    {
+        return false;
+    }
+
     /**
      * @param string $token
      * @return string
@@ -25,38 +212,4 @@ class KeycloakBearerAuthenticator extends AbstractAuthenticator
     {
         return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token));
     }
-
-    public function supports(Request $request): ?bool
-    {
-        return true;
-    }
-
-    public function authenticate(Request $request): Passport
-    {
-        $token = $request->headers->get('Authorization');
-        if (null === $token || empty($token)) {
-            // The token header was empty, authentication fails with HTTP Status
-            // Code 401 "Unauthorized"
-            throw new CustomUserMessageAuthenticationException('Token is not present in the request headers');
-        }
-
-        return new SelfValidatingPassport(new UserBadge($this->formatToken($token)));
-    }
-
-    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
-    {
-        return null;
-    }
-
-    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
-    {
-        $data = [
-            // you may want to customize or obfuscate the message first
-            'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
-            // or to translate this message
-            // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
-        ];
-
-        return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
-    }
 }

Security/User/KeycloakBearerUser.php

@@ -202,7 +202,7 @@ class KeycloakBearerUser implements UserInterface, \Serializable
      *
      * @return array (Role|string)[] The user roles
      */
-    public function getRoles(): array
+    public function getRoles()
     {
         return $this->roles;
     }
@@ -245,14 +245,6 @@ class KeycloakBearerUser implements UserInterface, \Serializable
         return $this->preferred_username;
     }
 
-    /**
-     * @return string
-     */
-    public function getUserIdentifier(): string
-    {
-        return $this->preferred_username;
-    }
-
     /**
      * Removes sensitive data from the user.
      *

Security/User/KeycloakBearerUserProvider.php

@@ -5,15 +5,13 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
 
 
 use GuzzleHttp\Client;
-use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
-use Symfony\Component\Security\Core\Exception\UserNotFoundException;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
-
-class KeycloakBearerUserProvider implements UserProviderInterface{
-
+class KeycloakBearerUserProvider implements UserProviderInterface
+{
     /**
      * @var string
      */
@@ -52,55 +50,24 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
     }
 
     /**
-     * Refreshes the user after being reloaded from the session.
+     * Loads the user for the given username.
      *
-     * When a user is logged in, at the beginning of each request, the
-     * User object is loaded from the session and then this method is
-     * called. Your job is to make sure the user's data is still fresh by,
-     * for example, re-querying for fresh User data.
+     * This method must throw UsernameNotFoundException if the user is not
+     * found.
      *
-     * If your firewall is "stateless: true" (for a pure API, which is our case), this
-     * method is not called. But it is implement it anyway.
+     * @param string $accessToken The username
      *
      * @return UserInterface
+     *
+     * @throws UsernameNotFoundException if the user is not found
      */
-    public function refreshUser(UserInterface $user): UserInterface
-    {
-        if (!$user instanceof KeycloakBearerUser) {
-            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
-        }
-
-        $user = $this->loadUserByIdentifier($user->getAccessToken());
-
-        if (!$user) {
-            throw new UserNotFoundException();
-        }
-
-        return $user;
-    }
-
-    /**
-     * @param string $class
-     * @return bool
-     */
-    public function supportsClass(string $class)
-    {
-        return KeycloakBearerUser::class === $class || is_subclass_of($class, KeycloakBearerUser::class);
-    }
-
-
-
-    /**
-     * @param string $accessToken
-     * @return UserInterface
-     */
-    public function loadUserByIdentifier(string $accessToken): UserInterface
+    public function loadUserByUsername($accessToken)
     {
         $client = new Client([
             'base_uri' => $this->issuer,
         ]);
 
-        $response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
+        $response = $client->post('/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
             'auth' => [$this->client_id, $this->client_secret],
             'form_params' => [
                 'token' => $accessToken,
@@ -116,11 +83,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
         $jwt = json_decode($response->getBody(), true);
 
         if (!$jwt['active']) {
-            throw new CustomUserMessageAuthenticationException('The token does not exist or is not valid anymore');
+            throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
         }
 
         if (!isset($jwt['resource_access'][$this->client_id])) {
-            throw new CustomUserMessageAuthenticationException('The token does not have the necessary permissions!');
+            throw new \UnexpectedValueException('The token does not have the necessary permissions!');
         }
 
         return new KeycloakBearerUser(
@@ -136,11 +103,42 @@ class KeycloakBearerUserProvider implements UserProviderInterface{
     }
 
     /**
-     * @param string $username
+     * Refreshes the user.
+     *
+     * It is up to the implementation to decide if the user data should be
+     * totally reloaded (e.g. from the database), or if the UserInterface
+     * object can just be merged into some internal array of users / identity
+     * map.
+     *
      * @return UserInterface
+     *
+     * @throws UnsupportedUserException  if the user is not supported
+     * @throws UsernameNotFoundException if the user is not found
      */
-    public function loadUserByUsername(string $username): UserInterface
+    public function refreshUser(UserInterface $user)
     {
-        return $this->loadUserByIdentifier($username);
+        if (!$user instanceof KeycloakBearerUser) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
+        }
+
+        $user = $this->loadUserByUsername($user->getAccessToken());
+
+        if (!$user) {
+            throw new UsernameNotFoundException();
+        }
+
+        return $user;
+    }
+
+    /**
+     * Whether this provider supports the given user class.
+     *
+     * @param string $class
+     *
+     * @return bool
+     */
+    public function supportsClass($class)
+    {
+        return KeycloakBearerUser::class === $class;
     }
 }

composer.json

@@ -11,11 +11,11 @@
     ],
     "minimum-stability": "stable",
     "require": {
-        "php": ">=7.2.5",
-        "symfony/config": "^6.0",
-        "symfony/dependency-injection": "^6.0",
-        "symfony/http-kernel": "^6.0",
-        "symfony/security-bundle": "^6.0",
+        "php": "^7.1",
+        "symfony/config": "^4.0",
+        "symfony/dependency-injection": "^4.0",
+        "symfony/http-kernel": "^4.0",
+        "symfony/security-bundle": "^4.0",
         "guzzlehttp/guzzle": "^6.3",
         "ext-json": "*"
     },