-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Require a logged in user to resolve an authorization request #196
Conversation
@chalasr Can your review this? Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks 👍 Let's merge for now and reconsider in case the BC break appears to be too annoying.
Thank you @ajgarlag. |
@ajgarlag figured the config is required i was more thinking about throwing but then the issue may not be noticed in logs 🤔 |
IMO the Since |
Hello, <?php
#[AsEventListener(OAuth2Events::AUTHORIZATION_REQUEST_RESOLVE, method: 'onAuthorizationRequestResolve')]
class AuthorizationRequestResolve
{
public function __construct(
private readonly RequestStack $requestStack,
private readonly UrlGeneratorInterface $urlGenerator
)
{
}
public function onAuthorizationRequestResolve(AuthorizationRequestResolveEvent $event): void
{
if (null !== $event->getUser()) {
$event->resolveAuthorization(AuthorizationRequestResolveEvent::AUTHORIZATION_APPROVED);
return;
}
$request = $this->requestStack->getMainRequest();
$session = $request->getSession();
$session->set('_security.api_authorize.client_id', $event->getClient()->getIdentifier());
$session->set('_security.api_authorize.target_path', $request->getUri());
$event->setResponse(new RedirectResponse($this->urlGenerator->generate('api_authorize_login')));
}
} This is now impossible because the Is this an unwanted side-event, or was it not supported? My use case is not clear in the code, but we're customizing the login form depending on the client_id. |
Please disregard my last comment, it looks like it can be handled nicely with a custom entry point: https://symfony.com/doc/current/security/access_denied_handler.html#customize-the-unauthorized-response |
Thanks for sharing your alternative @Mika56, looks good 👍 |
Hello, |
Introduces BC breaks
Fix #195