My Symfony 5 app provides:

  • api endpoints like api/entry/get/1 (secured with oauth2)
  • admin pages like users/list (secured with database user provider)

For this purpose, my security.yaml uses two firewalls:

firewalls:
    api:
        pattern: ^/api(?!/doc$)
        security: true
        stateless: true
        oauth2: true
    main:
        lazy: true
        provider: app_user_provider
        form_login:
            login_path: app_login
            check_path: app_login
            enable_csrf: true
            default_target_path: app_index
            use_referer: true
        logout:
            path: app_logout
            target: app_index

Is it possible to also access API endpoints like api/entry/get/1 when connected as an admin (i.e. not with a token but through the regular form login with credentials)?

This would make using a swagger sandbox much easier.

  • Do you use FOSOAuthServerBundle? Commented Jan 8, 2023 at 16:32
  • @V-Light No, I am using the PHP League OAuth2 server bundle. Commented Jan 9, 2023 at 10:35

1 Answer

Is it possible to also access API endpoints like api/entry/get/1 when connected as an admin (i.e. not with a token but through the regular form login with credentials)?

I'd say in your current configuration, the answer is no.

Since your api firewall is stateless: true, there's only one way to tell Symfony that a request should be considered authenticated: the presence of a Bearer token (it's probably a JWT) in each request. Without a valid token, all requests to /api would be considered unauthorized.

In other words: Symfony just does not check the session/cookies for a possibly (previously) logged-in (admin) user to allow/deny access to the /api routes.

Unfortunately, I haven't had an opportunity to work with OAuth2ServerBundle, so maybe there's a configuration option for that.

BUT:

Try to play around with stateless and context

However, RESTful APIs are stateless by design, it's not just a fancy buzzword.

There is also a way to add an "Authorize" button to your swagger doc/playground so anyone who has access to the Swagger UI could paste a valid auth token (JWT), and all further requests from the Swagger UI would be authorized. See Swagger and JWT Token Authentication

I also had a wonderful experience with the Insomnia HTTP client, especially when I need to test/play with my APIs.

It has great OAuth 2 support. The free tier is more than enough for local development / quick testing. Just specify your token path, select "Resource Owner" as the grant type, paste the username/password of your admin user, and Insomnia will handle the rest automagically each time you hit a protected /api/entry/get/1.

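The answer's hint about stateless and context is the one a practitioner would actually try first. The configuration below is an added example, not the question's config, the answer's, or anything shipped by the OAuth2 server bundle. It keeps the Bearer-token path for API clients and additionally lets a browser session created by the main firewall's form login satisfy the api firewall, by giving both firewalls the same context and turning off stateless on api. The firewall names, the /api pattern, app_user_provider and the app_login/app_logout routes come from the question; the context name app_context, the provider: app_user_provider line on the api firewall, the access_control block and ROLE_ADMIN are my assumptions, as is the assumption that the bundle's oauth2 authenticator only claims requests that carry an Authorization header and leaves the rest to the session.

```yaml
# config/packages/security.yaml (added example, not the question's or the
# bundle's config). Firewall names, the /api pattern, app_user_provider and
# the app_login/app_logout routes are from the question; the context name
# app_context, the access_control block and ROLE_ADMIN are assumptions.
security:
    firewalls:
        api:
            pattern: ^/api(?!/doc$)
            security: true
            # stateless: true made Symfony ignore the session on /api.
            # With stateless: false the firewall restores a token from the
            # session, and `context` makes it read the same session slot
            # that the main firewall writes to after a form login.
            stateless: false
            context: app_context
            # The restored session token is refreshed against the user
            # provider of *this* firewall, so it must point at the same
            # provider the main firewall uses (assumption: the bundle's
            # oauth2 authenticator is unaffected by this setting).
            provider: app_user_provider
            # Requests that carry "Authorization: Bearer <token>" are still
            # authenticated by the bundle's authenticator; requests without
            # the header fall back to the shared session token.
            oauth2: true
        main:
            lazy: true
            context: app_context
            provider: app_user_provider
            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true
                default_target_path: app_index
                use_referer: true
            logout:
                path: app_logout
                target: app_index

    # The access rules (or IsGranted checks in the controllers) are what
    # actually turn "no token and no session" into a 401/403. The first
    # matching rule wins, so the public doc route comes before the ^/api
    # catch-all. PUBLIC_ACCESS needs Symfony 5.2+ (the authenticator-based
    # security system); older 5.x uses IS_AUTHENTICATED_ANONYMOUSLY.
    access_control:
        - { path: ^/api/doc$, roles: PUBLIC_ACCESS }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/users, roles: ROLE_ADMIN }
```

Two caveats before shipping this. First, as soon as the api firewall honours the session cookie, the browser attaches that cookie to every request it makes to /api, including ones triggered from a third-party page, so any state-changing /api route (anything that is not a pure read like /api/entry/get/1) becomes a CSRF target; the form_login CSRF token does not protect API calls. At minimum set framework.session.cookie_samesite to lax (or strict) in framework.yaml, and check the Origin header or require a custom request header on mutating API routes. Second, the answer's point that a REST API should be stateless still stands: if the only goal is a convenient Swagger sandbox for admins, put this override in an environment-specific file (config/packages/dev/security.yaml, or a when@dev: block on Symfony 5.3+) so production keeps the stateless Bearer-only firewall.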

1 Comment

Thanks! I know how to use "Authorize" button in swagger, but getting the token is not that easy and I wanted to spare this work to the admin user. Since it seems there is no easy way with Symfony security setting, I'll just try to make the process of getting my token easier, or I'll take a look at Insomnia :)
