Transformed scopes to roles as default behavior + documentation

Resources/doc/dealing_with_scopes.md

@@ -0,0 +1,44 @@
+Dealing With Scopes
+===================
+
+OAuth2 allows to use [access token scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3).
+Scopes are what you want, there is not real constraint except to list scopes as a list of strings separated by a space:
+
+    scope1 scope2
+
+That's why the `scope` column in the model layer is a string, not an array for instance.
+
+
+## Configuring scopes
+
+To configure allowed scopes in your application, you have to edit your `app/config/config.yml` file:
+
+``` yaml
+# app/config/config.yml
+fos_oauth_server:
+    service:
+        options:
+            supported_scopes: scope1 scope2
+```
+
+Now, clients will be able to pass a `scope` parameter when they request an access token.
+
+
+## Using scopes
+
+The default behavior of the FOSOAuthServerBundle is to use scopes as [roles](http://symfony.com/doc/master/book/security.html#roles).
+In the previous example, it would allow us to use the roles `ROLE_SCOPE1`, and `ROLE_SCOPE2` (scopes are automatically uppercased).
+
+That way, you can configure the `access_control` section of the security layer:
+
+``` yaml
+# app/config/security.yml
+security:
+    access_control:
+        - { path: ^/api/super/secured, role: ROLE_SCOPE1 }
+```
+
+For more information, you can read the [Security documentation](http://symfony.com/doc/master/book/security.html#authorization).
+
+
+[Back to index](index.md)

Resources/doc/index.md

@@ -342,10 +342,12 @@ The `authorize` endpoint is at `/oauth/v2/auth` by default (see `Resources/confi
 
 ## Next steps
 
+[A Note About Security](a_note_about_security.md)
+
+[Dealing With Scopes](dealing_with_scopes.md)
+
 [Extending the Authorization page](extending_the_authorization_page.md)
 
 [Extending the Model](extending_the_model.md)
 
-[A Note About Security](a_note_about_security.md)
-
 [The OAuthEvent class](the_oauth_event_class.md)

Security/Authentication/Provider/OAuthProvider.php

@@ -11,12 +11,12 @@
 
 namespace FOS\OAuthServerBundle\Security\Authentication\Provider;
 
+use FOS\OAuthServerBundle\Security\Authentication\Token\OAuthToken;
 use Symfony\Component\DependencyInjection\Container;
 use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
-use FOS\OAuthServerBundle\Security\Authentication\Token\OAuthToken;
 use OAuth2\OAuth2;
 use OAuth2\OAuth2ServerException;
 
@@ -56,15 +56,24 @@ public function authenticate(TokenInterface $token)
         }
 
         try {
-            $accessToken = $this->serverService->verifyAccessToken($token->getToken());
-            if ($accessToken) {
-                $data = $accessToken->getData();
+            if ($accessToken = $this->serverService->verifyAccessToken($token->getToken())) {
+                $roles = array();
 
-                if (null !== $data) {
-                    $token->setUser($data);
+                foreach ($token->getRoles() as $role) {
+                    $roles[] = $role->getRole();
+                }
+
+                foreach (explode(' ', $accessToken->getScope()) as $role) {
+                    $roles[] = 'ROLE_' . strtoupper($role);
                 }
 
+                $token = new OAuthToken($roles);
                 $token->setAuthenticated(true);
+                $token->setToken($accessToken->getToken());
+
+                if (null !== $data = $accessToken->getData()) {
+                    $token->setUser($data);
+                }
 
                 return $token;
             }