Problems configuring user authentication by external API on Symfony2

3
votes

I have a problem authenticating users for my new Symfony2 application.

This applications gets all the info through an API, so no database is used. When a user goes to login page, he introduce the user and password in the login form. Then, I have to authenticate him using an API call. This API call returns "false" if it's not a user, and return a token key and a token secret if its a correct user. With this token key and secret, during the user session, I can make all the API requests I need for rendering all the pages of the application. Once the user session is over and token key and secret are erased, the user has to login again.

I don't know really how ti implement that. I read this http://symfony.com/doc/current/cookbook/security/custom_provider.html and that http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html, and I'm still so lost... :(

Can any one help me?

Thank you so much :)

1
apiauthenticationsymfonyexternal
look here stackoverflow.com/questions/15634046/…originof

1 Answers

4
votes

If you want to write custom authentication you have found the correct links. As an example you can see the implementation of the OAuth authorization HWIOAuthBundle. But keep in mind that this type of authentication creates a user on your system. If you do not use a database, you must make a request to the API every time user send a request.

First you need to understand that there is no magic. On every request symfony checks if url matches one of the specified firewalls (see secutity.yml). Listener that fired you can see in the firewall factory. If matches are found, the action switches to the corresponding AuthenticationListener. Listener attempts to authenticate the credewntials by creating Token, which is sended to AuthenticationProvider

$this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));

in AuthenticationProvider

public function authenticate(TokenInterface $token) {
    ...
}

AuthenticationProvider try to get user via UserProvider. In case of success, Token stored in the session. On subsequent requests, ContextListener comes into play first, checks the session, extract token and send it to AuthenticationProvider similar.

In general terms, the scheme looks like that. More info you can find examining the source code of Symfony Security component.

Really good starting point is a UsernamePasswordFormAuthenticationListener. It just take login and password from request and make simplest UsernamePasswordToken.

protected function attemptAuthentication(Request $request)
{
    ...
}

Good luck!