Update README.md

Add compatibility with Symfony V6

ABELkeycloakBearerOnlyAdapterBundle.php

@@ -5,11 +5,15 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle;
 
 
 use ABEL\Bundle\keycloakBearerOnlyAdapterBundle\DependencyInjection\ABELkeycloakBearerOnlyAdapterExtension;
+use Symfony\Component\DependencyInjection\Extension\ExtensionInterface;
 use Symfony\Component\HttpKernel\Bundle\Bundle;
 
 class ABELkeycloakBearerOnlyAdapterBundle extends Bundle
 {
-    public function getContainerExtension()
+    /**
+     * @return ExtensionInterface|null
+     */
+    public function getContainerExtension(): ?ExtensionInterface
     {
         if (null === $this->extension) {
             $this->extension = new ABELkeycloakBearerOnlyAdapterExtension();

DependencyInjection/ABELkeycloakBearerOnlyAdapterExtension.php

@@ -27,7 +27,7 @@ class ABELkeycloakBearerOnlyAdapterExtension extends Extension
         $definition->replaceArgument(4, $config['ssl_verification']);
     }
 
-    public function getAlias()
+    public function getAlias(): string
     {
         return 'abel_keycloak_bearer_only_adapter';
     }

README.md

@@ -5,10 +5,15 @@ This Symfony bundle is an adapter that allows securing API using keycloak Bearer
 
 ## Installation
 
+> Befor installing the bundle, automatic packages configuration can be activated with the following command:
+> ```
+> composer config extra.symfony.allow-contrib true
+> ```
+
 With composer:
 
 ```
-$ composer require abel/keycloak-bearer-only-adapter-bundle
+composer require abel/keycloak-bearer-only-adapter-bundle
 ```
 
 ## Configuration
@@ -17,6 +22,15 @@ If you want to set up keycloak locally you can download it [here](https://www.ke
 
 ### Bundle configuration
 
+#### Via a recipe (Automatic)
+This bundle hase a Symfony recipe that allow the automation of configuration via the Symfony Flex Composer plugin.
+To enable recipe for your project, run the following command:
+
+```
+composer config extra.symfony.allow-contrib true
+```
+
+#### Manual
 Having a running keycloak locally or in Docker and already configured a client with **Access Type = bearer-only**
 here is the configuration to use:
 
@@ -27,27 +41,28 @@ abel_keycloak_bearer_only_adapter:
     realm: '%env(OAUTH_KEYCLOAK_REALM)%' # your keycloak realm name
     client_id: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%' # your keycloak client id
     client_secret: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%' # your keycloak client secret
+    #ssl_verification: False # by default ssl_verification is set to False
 ```
 The best practice is to load your configuration from **.env** file.
 
 ```
 # .env
 ...
-###> Keycloak ###
+###> Abel_keycloak_bearer_only_adapter ###
-KEYCLOAK_ISSUER=http://keycloak.local:8080
+OAUTH_KEYCLOAK_ISSUER=keycloak:8080
-KEYCLOAK_REALM=my_realm
+OAUTH_KEYCLOAK_REALM=my_realm
-KEYCLOAK_CLIENT_ID=my_bearer_client
+OAUTH_KEYCLOAK_CLIENT_ID=my_bearer_client
-KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
+OAUTH_KEYCLOAK_CLIENT_SECRET=my_bearer_client_secret
-###< Keycloak ###
+###< Abel_keycloak_bearer_only_adapter ###
 ...
 ```
 
 In case of using Keycloak with Docker locally replace **issuer** value with your keycloak container reference in the network
 
-For example, you can use the container IPAdresse, that you can get using this command:
+For example, you can use the service name, or container IPAdresse that you can get using this command:
 
 ```
-$ docker inspect <container id> | grep "IPAddress"
+docker inspect <container id> | grep "IPAddress"
 ```
 ### Symfony security configuration
 
@@ -58,6 +73,7 @@ Here is a simple configuration that restrict access to ```/api/*``` routes only
 ```yaml
 # config/packages/security.yaml
 security:
+    enable_authenticator_manager: true
     providers:
         keycloak_bearer_user_provider:
             id: ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User\KeycloakBearerUserProvider
@@ -67,13 +83,24 @@ security:
             security: false
         api:
             pattern: ^/api/
-            guard:
             provider: keycloak_bearer_user_provider
-                authenticators:
+            custom_authenticators:
               - ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator\KeycloakBearerAuthenticator
             stateless: true
-        main:
-            anonymous: ~
     access_control:
         - { path: ^/api/, roles: ROLE_API }
 ```
+> :information_source: Referring to Symfony [documentation](https://symfony.com/doc/5.3/security.html#roles), roles must start with **ROLE_** (otherwise, things won't work as expected)
+### Keycloak configuration
+
+To configure keycloak to work with this bundle, [here](./Resources/docs/keycloak-config-guide.md) is a step by step documentation for a basic configuration of keycloak.
+
+### Compatibility
+
+
+| Bundle Version                                        | Symfony Version    |
+| ------------------------------------------------------|--------------------|
+| V1.0.1                                                | >=4.0.0   <5.0.0   |
+| V1.1.* (uses old authentication systeme with guard)   | >=5.0.0   <6.0.0   |
+| V1.2.* (uses new authentication systeme)              | >=5.3.0   <6.0.0   |
+| V1.3.*                                                | =6.0.*             |

Resources/docs/keycloak-config-guide.md

@@ -0,0 +1,42 @@
+# Keycloak Configuration guide
+
+### Create a realm
+
+We assume that you already have a realm, if not you can create a realm from the Administration UI, go to ```Realm list > Add realm```
+
+![Create a realm](screenshots/create-a-realm.png)
+
+it will appear in the realm list after creation.
+
+### Create a client
+
+You must define a client that will configure the scope of your application security.
+Make sure you already are in your newly created realm and create a new client by going in ```Configure > Clients > Create```.
+
+![Create a client](screenshots/create-a-client.png)
+
+Once created, you can configure it by going in ``` Configure > Clients > [Your client]```
+Here is a sample configuration that work with our bundle :
+
+![Configure client](screenshots/config-client.png)
+> Note that the client Access type is bearer-only.
+
+### Create roles
+ 
+ In keycloak, roles are an abstraction of permissions for our application (used in security.yaml).
+ In our case we need to define a role named **ROLE_API**
+ 
+ You can configure it in ```Configure > Clients > [Your client] > Roles```
+ 
+ ![Create a role](screenshots/create-a-role.png)
+ 
+ ### Assign a role to a user
+
+Last but not least we need to affect our role to our users.
+
+To add role, go to ```Manage > Users > View all users > [Some User] > Role Mappings```.
+
+* In the **Client Roles** dropdown, select your client that contains our role(s).
+* Select Roles in **Available Roles** list, then click **Add selected** to assign role to the user.
+
+And your all done, now you can use your client to secure your API.

Security/Authenticator/KeycloakBearerAuthenticator.php

@@ -3,207 +3,20 @@
 
 namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\Authenticator;
 
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
-use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
-use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
-use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 
-class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
+class KeycloakBearerAuthenticator extends AbstractAuthenticator
 {
 
-    /**
-     * Returns a response that directs the user to authenticate.
-     *
-     * This is called when an anonymous request accesses a resource that
-     * requires authentication. The job of this method is to return some
-     * response that "helps" the user start into the authentication process.
-     *
-     * Examples:
-     *
-     * - For a form login, you might redirect to the login page
-     *
-     *     return new RedirectResponse('/login');
-     *
-     * - For an API token authentication system, you return a 401 response
-     *
-     *     return new Response('Auth header required', 401);
-     *
-     * @param Request $request The request that resulted in an AuthenticationException
-     * @param AuthenticationException|null $authException The exception that started the authentication process
-     *
-     * @return JsonResponse
-     */
-    public function start(Request $request, AuthenticationException $authException = null)
-    {
-        $data = [
-            // you might translate this message
-            'message' => 'Auth header required'
-        ];
-
-        return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
-    }
-
-    /**
-     * Does the authenticator support the given Request?
-     *
-     * If this returns false, the authenticator will be skipped.
-     *
-     * @param Request $request
-     *
-     * @return bool
-     */
-    public function supports(Request $request)
-    {
-        return !empty($request->headers->get('Authorization'));
-    }
-
-    /**
-     * Get the authentication credentials from the request and return them
-     * as any type (e.g. an associate array).
-     *
-     * Whatever value you return here will be passed to getUser() and checkCredentials()
-     *
-     * For example, for a form login, you might:
-     *
-     *      return [
-     *          'username' => $request->request->get('_username'),
-     *          'password' => $request->request->get('_password'),
-     *      ];
-     *
-     * Or for an API token that's on a header, you might use:
-     *
-     *      return ['api_key' => $request->headers->get('X-API-TOKEN')];
-     *
-     * @param Request $request
-     *
-     * @return mixed Any non-null value
-     *
-     * @throws \UnexpectedValueException If null is returned
-     */
-    public function getCredentials(Request $request)
-    {
-        return [
-            'token' => $request->headers->get('Authorization'),
-        ];
-    }
-
-    /**
-     * Return a UserInterface object based on the credentials.
-     *
-     * The *credentials* are the return value from getCredentials()
-     *
-     * You may throw an AuthenticationException if you wish. If you return
-     * null, then a UsernameNotFoundException is thrown for you.
-     *
-     * @param mixed $credentials
-     * @param UserProviderInterface $userProvider
-     *
-     * @throws AuthenticationException
-     *
-     * @return UserInterface|null
-     */
-    public function getUser($credentials, UserProviderInterface $userProvider)
-    {
-        $token = $credentials['token'];
-
-        if (!$token) {
-            throw new BadCredentialsException('Token is not present in the request headers');
-        }
-
-        try {
-            $user = $userProvider->loadUserByUsername($this->formatToken($token));
-        } catch (\Exception $e) {
-            throw new BadCredentialsException(sprintf('Error when introspecting the token: %s', $e->getMessage()));
-        }
-
-        return $user;
-
-    }
-
-    /**
-     * Returns true if the credentials are valid.
-     *
-     * If any value other than true is returned, authentication will
-     * fail. You may also throw an AuthenticationException if you wish
-     * to cause authentication to fail.
-     *
-     * The *credentials* are the return value from getCredentials()
-     *
-     * @param mixed $credentials
-     * @param UserInterface $user
-     *
-     * @return bool
-     *
-     * @throws AuthenticationException
-     */
-    public function checkCredentials($credentials, UserInterface $user)
-    {
-        return true;
-    }
-
-    /**
-     * Called when authentication executed, but failed (e.g. wrong username password).
-     *
-     * This should return the Response sent back to the user, like a
-     * RedirectResponse to the login page or a 403 response.
-     *
-     * If you return null, the request will continue, but the user will
-     * not be authenticated. This is probably not what you want to do.
-     *
-     * @param Request $request
-     * @param AuthenticationException $exception
-     *
-     * @return Response|null
-     */
-    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
-    {
-        return new JsonResponse(['error' => $exception->getMessage()], Response::HTTP_FORBIDDEN);
-    }
-
-    /**
-     * Called when authentication executed and was successful!
-     *
-     * This should return the Response sent back to the user, like a
-     * RedirectResponse to the last page they visited.
-     *
-     * If you return null, the current request will continue, and the user
-     * will be authenticated. This makes sense, for example, with an API.
-     *
-     * @param Request $request
-     * @param TokenInterface $token
-     * @param string $providerKey The provider (i.e. firewall) key
-     *
-     * @return Response|null
-     */
-    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
-    {
-        return null;
-    }
-
-    /**
-     * Does this method support remember me cookies?
-     *
-     * Remember me cookie will be set if *all* of the following are met:
-     *  A) This method returns true
-     *  B) The remember_me key under your firewall is configured
-     *  C) The "remember me" functionality is activated. This is usually
-     *      done by having a _remember_me checkbox in your form, but
-     *      can be configured by the "always_remember_me" and "remember_me_parameter"
-     *      parameters under the "remember_me" firewall key
-     *  D) The onAuthenticationSuccess method returns a Response object
-     *
-     * @return bool
-     */
-    public function supportsRememberMe()
-    {
-        return false;
-    }
-
     /**
      * @param string $token
      * @return string
@@ -212,4 +25,38 @@ class KeycloakBearerAuthenticator extends AbstractGuardAuthenticator
     {
         return trim(preg_replace('/^(?:\s+)?[B-b]earer\s/', '', $token));
     }
+
+    public function supports(Request $request): ?bool
+    {
+        return true;
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        $token = $request->headers->get('Authorization');
+        if (null === $token || empty($token)) {
+            // The token header was empty, authentication fails with HTTP Status
+            // Code 401 "Unauthorized"
+            throw new CustomUserMessageAuthenticationException('Token is not present in the request headers');
+        }
+
+        return new SelfValidatingPassport(new UserBadge($this->formatToken($token)));
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        $data = [
+            // you may want to customize or obfuscate the message first
+            'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
+            // or to translate this message
+            // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData())
+        ];
+
+        return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
+    }
 }

Security/User/KeycloakBearerUser.php

@@ -202,7 +202,7 @@ class KeycloakBearerUser implements UserInterface, \Serializable
      *
      * @return array (Role|string)[] The user roles
      */
-    public function getRoles()
+    public function getRoles(): array
     {
         return $this->roles;
     }
@@ -245,6 +245,14 @@ class KeycloakBearerUser implements UserInterface, \Serializable
         return $this->preferred_username;
     }
 
+    /**
+     * @return string
+     */
+    public function getUserIdentifier(): string
+    {
+        return $this->preferred_username;
+    }
+
     /**
      * Removes sensitive data from the user.
      *

Security/User/KeycloakBearerUserProvider.php

@@ -5,13 +5,15 @@ namespace ABEL\Bundle\keycloakBearerOnlyAdapterBundle\Security\User;
 
 
 use GuzzleHttp\Client;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
-use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
-class KeycloakBearerUserProvider implements UserProviderInterface
+
-{
+class KeycloakBearerUserProvider implements UserProviderInterface{
+
     /**
      * @var string
      */
@@ -50,24 +52,55 @@ class KeycloakBearerUserProvider implements UserProviderInterface
     }
 
     /**
-     * Loads the user for the given username.
+     * Refreshes the user after being reloaded from the session.
      *
-     * This method must throw UsernameNotFoundException if the user is not
+     * When a user is logged in, at the beginning of each request, the
-     * found.
+     * User object is loaded from the session and then this method is
+     * called. Your job is to make sure the user's data is still fresh by,
+     * for example, re-querying for fresh User data.
      *
-     * @param string $accessToken The username
+     * If your firewall is "stateless: true" (for a pure API, which is our case), this
+     * method is not called. But it is implement it anyway.
      *
      * @return UserInterface
-     *
-     * @throws UsernameNotFoundException if the user is not found
      */
-    public function loadUserByUsername($accessToken)
+    public function refreshUser(UserInterface $user): UserInterface
+    {
+        if (!$user instanceof KeycloakBearerUser) {
+            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
+        }
+
+        $user = $this->loadUserByIdentifier($user->getAccessToken());
+
+        if (!$user) {
+            throw new UserNotFoundException();
+        }
+
+        return $user;
+    }
+
+    /**
+     * @param string $class
+     * @return bool
+     */
+    public function supportsClass(string $class)
+    {
+        return KeycloakBearerUser::class === $class || is_subclass_of($class, KeycloakBearerUser::class);
+    }
+
+
+
+    /**
+     * @param string $accessToken
+     * @return UserInterface
+     */
+    public function loadUserByIdentifier(string $accessToken): UserInterface
     {
         $client = new Client([
             'base_uri' => $this->issuer,
         ]);
 
-        $response = $client->post('/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
+        $response = $client->post('/auth/realms/'.$this->realm.'/protocol/openid-connect/token/introspect', [
             'auth' => [$this->client_id, $this->client_secret],
             'form_params' => [
                 'token' => $accessToken,
@@ -83,11 +116,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface
         $jwt = json_decode($response->getBody(), true);
 
         if (!$jwt['active']) {
-            throw new \UnexpectedValueException('The token does not exist or is not valid anymore');
+            throw new CustomUserMessageAuthenticationException('The token does not exist or is not valid anymore');
         }
 
         if (!isset($jwt['resource_access'][$this->client_id])) {
-            throw new \UnexpectedValueException('The token does not have the necessary permissions!');
+            throw new CustomUserMessageAuthenticationException('The token does not have the necessary permissions!');
         }
 
         return new KeycloakBearerUser(
@@ -103,42 +136,11 @@ class KeycloakBearerUserProvider implements UserProviderInterface
     }
 
     /**
-     * Refreshes the user.
+     * @param string $username
-     *
-     * It is up to the implementation to decide if the user data should be
-     * totally reloaded (e.g. from the database), or if the UserInterface
-     * object can just be merged into some internal array of users / identity
-     * map.
-     *
      * @return UserInterface
-     *
-     * @throws UnsupportedUserException  if the user is not supported
-     * @throws UsernameNotFoundException if the user is not found
      */
-    public function refreshUser(UserInterface $user)
+    public function loadUserByUsername(string $username): UserInterface
     {
-        if (!$user instanceof KeycloakBearerUser) {
+        return $this->loadUserByIdentifier($username);
-            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
-        }
-
-        $user = $this->loadUserByUsername($user->getAccessToken());
-
-        if (!$user) {
-            throw new UsernameNotFoundException();
-        }
-
-        return $user;
-    }
-
-    /**
-     * Whether this provider supports the given user class.
-     *
-     * @param string $class
-     *
-     * @return bool
-     */
-    public function supportsClass($class)
-    {
-        return KeycloakBearerUser::class === $class;
     }
 }

composer.json

@@ -11,11 +11,11 @@
     ],
     "minimum-stability": "stable",
     "require": {
-        "php": "^7.1",
+        "php": ">=7.2.5",
-        "symfony/config": "^4.0",
+        "symfony/config": "^6.0",
-        "symfony/dependency-injection": "^4.0",
+        "symfony/dependency-injection": "^6.0",
-        "symfony/http-kernel": "^4.0",
+        "symfony/http-kernel": "^6.0",
-        "symfony/security-bundle": "^4.0",
+        "symfony/security-bundle": "^6.0",
         "guzzlehttp/guzzle": "^6.3",
         "ext-json": "*"
     },