I did an SPA that gets an access token from Azure, and an API with which I need to securely communicate. My users are Azure ones so I followed these Microsoft instructions to register the API and the related scopes.
```
                      Custom                      Custom
                        SPA         AzureAD         API          Graph
                  ───────┼─────────────┼─────────────┼─────────────┼───
                         │             │             │             │
Access                   │ ──────────> │             │             │
Token                    │ <────────── │             │             │
                         │             │             │             │
Access some              │ ────────────────────────> │             │
resource                 │             │             │             │
                         │             │             │             │
Check the                │             │ <────────── │             │
token                    │             │ ──────────> │             │   ╮ Both things
                         │             │             │             │   │ I need to do
Get info                 │             │             │ ──────────> │   ╯ with Symfony
about the user           │             │             │ <────────── │
                         │             │             │             │
Return the               │ <──────────────────────── │             │
resource                 │             │             │             │
```
Now I need to validate the token from the API with php (Symfony 4) and eventually get some info about the user with Graph on behalf of him.
I guess there are plenty of Symfony bundles there to help me do that, I'd like to avoid reinventing the wheel and I guess I should use the "On Behalf Of" flow, am I right?
So my question is: Can someone point me to some known bundles and some examples? Should I do an authenticator guard?
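The "On Behalf Of" exchange the question refers to, as an added example that is not code from the question, the answer, or any bundle: the API takes the user's access token that it has already validated, sends it as the assertion to the Azure AD v2.0 token endpoint together with its own client credentials, and receives a Graph token for the same user, which it then uses to call `/me`. It assumes Symfony's HttpClient component (4.3 or later); the tenant id, client id and client secret are placeholders, and the secret must come from the API's own configuration, never from the SPA.

```php
<?php
// Added example: On-Behalf-Of exchange against the Azure AD v2.0 token endpoint.
// Not from the question or any bundle; assumes symfony/http-client is installed.
declare(strict_types=1);

use Symfony\Contracts\HttpClient\HttpClientInterface;

final class GraphOnBehalfOf
{
    /** @var HttpClientInterface */
    private $http;
    /** @var string placeholder: your Azure AD tenant id */
    private $tenantId;
    /** @var string placeholder: the API's application (client) id */
    private $clientId;
    /** @var string placeholder: the API's client secret, read from config/secrets, never sent by the SPA */
    private $clientSecret;

    public function __construct(HttpClientInterface $http, string $tenantId, string $clientId, string $clientSecret)
    {
        $this->http = $http;
        $this->tenantId = $tenantId;
        $this->clientId = $clientId;
        $this->clientSecret = $clientSecret;
    }

    /**
     * Exchanges the user token the API received (and already validated) for a
     * Graph token that is still scoped to that user, not to the API itself.
     */
    public function exchangeForGraphToken(string $userAccessToken): string
    {
        $tokenEndpoint = sprintf('https://login.microsoftonline.com/%s/oauth2/v2.0/token', $this->tenantId);

        $response = $this->http->request('POST', $tokenEndpoint, [
            // An array body is sent as application/x-www-form-urlencoded
            'body' => [
                'grant_type'          => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                'client_id'           => $this->clientId,
                'client_secret'       => $this->clientSecret,
                'assertion'           => $userAccessToken,
                'scope'               => 'https://graph.microsoft.com/User.Read',
                'requested_token_use' => 'on_behalf_of',
            ],
        ]);

        // toArray() throws on 4xx/5xx, e.g. when the user has not consented to the Graph scope
        $data = $response->toArray();

        return $data['access_token'];
    }

    /** Reads the signed-in user's profile with the exchanged token. */
    public function me(string $userAccessToken): array
    {
        $graphToken = $this->exchangeForGraphToken($userAccessToken);

        return $this->http
            ->request('GET', 'https://graph.microsoft.com/v1.0/me', ['auth_bearer' => $graphToken])
            ->toArray();
    }
}

// Usage from a controller or service, after the guard has validated $userAccessToken:
// $graph   = new GraphOnBehalfOf(\Symfony\Component\HttpClient\HttpClient::create(),
//                                '<TENANT_ID>', '<API_CLIENT_ID>', '<API_CLIENT_SECRET>');
// $profile = $graph->me($userAccessToken);
```

The token the SPA obtained is only ever good for the API (its audience is the API), so it must not be forwarded to Graph directly; the exchange above is what turns it into a Graph token, and Azure AD will refuse the exchange if the assertion is not a valid, unexpired token issued for this API.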
CodePudding user response:
thenetworg/oauth2-azure's wiki helped me with that
I've finally created an authentication guard for which the interesting part relies on the getCredentials():
```php
use Firebase\JWT\JWT;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use TheNetworg\OAuth2\Client\Provider\Azure;

public function getCredentials(Request $request)
{
    // $this->tokenHeader is the header name, e.g. "Authorization"; expects "Bearer <token>"
    $parts = explode(' ', (string) $request->headers->get($this->tokenHeader), 2);
    if (count($parts) !== 2 || strcasecmp($parts[0], 'Bearer') !== 0 || $parts[1] === '') {
        throw new AuthenticationException('Missing or malformed bearer token');
    }
    $accessToken = $parts[1];
    // Gets the latest signature keys from Microsoft (array of kid => PEM public key)
    $keys = (new Azure())->getJwtVerificationKeys();
    // Validates signature (key chosen by the token's kid), exp and nbf, and returns the decoded claims
    return (array) JWT::decode($accessToken, $keys, ['RS256']);
}
```
My full authenticator is available in this gist
The Azure class can be found in the thenetworg/oauth2-azure package and JWT comes from firebase/php-jwt (which is a dependency of the former).
It's not caching the signature keys from Microsoft, but I think this should be included in thenetworg/oauth2-azure; I'm talking about it in a related issue.
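An added example, not code from the answer, the gist or the thenetworg project, that builds on the answer's getCredentials() in two ways a practitioner will want: it caches the Microsoft signing keys the answer says are fetched on every request, and it checks what JWT::decode() alone does not check, namely that the token was issued for this API (aud), by the expected tenant (iss), and with the scope the API exposes (scp). It assumes firebase/php-jwt 5.x (the same JWT::decode() signature the answer uses), thenetworg/oauth2-azure for getJwtVerificationKeys(), and a Symfony cache pool injected as CacheInterface (Symfony 4.2 or later); the expected audience, issuer and scope name are placeholders to be filled from the API's app registration.

```php
<?php
// Added example: token validation with cached signing keys plus audience,
// issuer and scope checks. Assumes firebase/php-jwt 5.x, thenetworg/oauth2-azure
// and symfony/cache; the configured values below are placeholders.
declare(strict_types=1);

use Firebase\JWT\JWT;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Contracts\Cache\CacheInterface;
use Symfony\Contracts\Cache\ItemInterface;
use TheNetworg\OAuth2\Client\Provider\Azure;

final class AzureAccessTokenValidator
{
    /** @var CacheInterface */
    private $cache;
    /** @var string placeholder: the API's Application ID URI or client id, as found in the token's "aud" */
    private $expectedAudience;
    /** @var string placeholder: e.g. https://login.microsoftonline.com/<TENANT_ID>/v2.0 for v2.0 tokens */
    private $expectedIssuer;
    /** @var string placeholder: the scope name exposed on the API registration, e.g. access_as_user */
    private $requiredScope;

    public function __construct(CacheInterface $cache, string $expectedAudience, string $expectedIssuer, string $requiredScope)
    {
        $this->cache = $cache;
        $this->expectedAudience = $expectedAudience;
        $this->expectedIssuer = $expectedIssuer;
        $this->requiredScope = $requiredScope;
    }

    /** Pulls the raw token out of "Authorization: Bearer <token>" or throws. */
    public function extractBearerToken(Request $request): string
    {
        $parts = explode(' ', (string) $request->headers->get('Authorization'), 2);
        if (count($parts) !== 2 || strcasecmp($parts[0], 'Bearer') !== 0 || $parts[1] === '') {
            throw new AuthenticationException('Missing or malformed bearer token');
        }

        return $parts[1];
    }

    /** Microsoft rotates its keys, but rarely; cache them instead of fetching per request. */
    private function signingKeys(): array
    {
        return $this->cache->get('azure_jwt_signing_keys', function (ItemInterface $item): array {
            $item->expiresAfter(3600);
            // kid => PEM public key, as returned by thenetworg/oauth2-azure
            return (new Azure())->getJwtVerificationKeys();
        });
    }

    /** Returns the validated claims or throws AuthenticationException. */
    public function validate(string $accessToken): array
    {
        try {
            // Signature (RS256, key selected by the token's kid), exp and nbf are checked here
            $claims = (array) JWT::decode($accessToken, $this->signingKeys(), ['RS256']);
        } catch (\Exception $e) {
            throw new AuthenticationException('Invalid token: ' . $e->getMessage());
        }

        // JWT::decode() does not check who the token is for or who issued it
        $audiences = (array) ($claims['aud'] ?? []);
        if (!in_array($this->expectedAudience, $audiences, true)) {
            throw new AuthenticationException('Token was not issued for this API');
        }
        if (($claims['iss'] ?? '') !== $this->expectedIssuer) {
            throw new AuthenticationException('Token was issued by an unexpected issuer');
        }

        // Delegated (user) tokens carry their scopes space-separated in "scp"
        $scopes = explode(' ', (string) ($claims['scp'] ?? ''));
        if (!in_array($this->requiredScope, $scopes, true)) {
            throw new AuthenticationException('Token lacks the required scope');
        }

        return $claims;
    }
}

// Usage inside getCredentials() of the guard, with $validator injected:
// return $validator->validate($validator->extractBearerToken($request));
```

The audience check is the one that matters most for a multi-tenant directory: every Azure AD token is signed by the same Microsoft keys, so a token issued for some other application would pass the signature check in the answer's code yet must still be rejected by this API. The issuer value to compare against depends on the token version ("ver" claim): v2.0 tokens use `https://login.microsoftonline.com/<TENANT_ID>/v2.0`, v1.0 tokens use `https://sts.windows.net/<TENANT_ID>/`.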