This repository has been archived by the owner on Jan 15, 2024. It is now read-only.

Removed JWT/Auth support (now in JwtBundle)
kleijnweb committed Nov 21, 2015
1 parent 296bd2d commit 11df86b
Showing 21 changed files with 3 additions and 1,674 deletions.
99 changes: 1 addition & 98 deletions README.md
@@ -23,7 +23,6 @@ Go to the [release page](https://github.com/kleijnweb/swagger-bundle/releases) t

## Can:

* Integrate OAuth 2.0 compatible JWT API tokens for authentication.
* Amend your Swagger spec to include the error responses added by SwaggerBundle.
* (De-) Serialize objects using either the Symfony Component Serializer or JMS\Serializer
* Generate DTO-like classes representing resources in your Swagger spec.
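Review bot: dropping the JWT bullet leaves the "Can:" list with no mention of authentication at all, while the rest of this commit points users at kleijnweb/jwt-bundle; a replacement bullet along the lines of `* Delegate authentication to [kleijnweb/jwt-bundle](https://github.com/kleijnweb/jwt-bundle)` would keep the feature overview consistent with the rewritten Authentication section.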
@@ -228,103 +227,7 @@ Good chance you are already using a bootstrap file like this, but if the annotat

## Authentication

SwaggerBundle comes with an optional `JwtAuthenticator` which implements a OAuth 2 compatible token-based authentication method.
The role of the server with SwaggerBundle in OAuth terms is "Resource Server" (ie your app has some resources belonging to the "Resource Owner" that a client program wants access to).

The token is validated using standard (reserved) JWT claims:

| Name | Type | Description |
|-------|---------|-------|
| `exp` | int [1] | Expiration time must be omitted [3] or be smaller than `time() + leeway` [2]. |
| `nbf` | int [1] | "Not before", token validity start time, must be omitted [3] or greater than or equal to `time() - leeway` [2]. |
| `iat` | int [1] | The time the token was issued, must be omitted [3] or smaller than configured `minIssueTime + leeway`. Required when `minIssueTime` configured. |
| `iss` | string | Issuer of the token, must match configured `issuer`. Required when `issuer` configured. |
| `aud` | string | JWT "audience", must be omitted [3] or match configured `audience` if configured. Required when `audience` configured. |
| `prn` | string | JWT "principal". Used as `username` for Symfony Security integration. Always required, without it the "Resource Owner cannot be identified. |
| `jti` | string | JWT "ID". Not used, will be ignored. |
| `typ` | string | Not used, will be ignored. |

- [1] Unix time
- [2] The `leeway` allows a difference in seconds between the issuer of the token and the server running your app with SwaggerBundle. Keep at a low number, defaults to 0.
- [3] Mark any claim required, including custom (non-reserved) ones, using the `require` configuration option.

All other claims encountered are ignored. The JWT header is checked for `kid` (see below) and `alg`, which must match the `type` value of the key configuration.

### Keys

`JwtAuthenticator` supports multiple keys, and allows all options to be configured per `kid` (key ID, which must be included in the JWT header when more than 1 key is configured):

```yml
swagger:
auth:
keys:
keyOne: # Only one key, 'kid' is optional (but must match when provided)
issuer: http://api.server.com/oauth2/token # OAuth2 example, but could be any string value
audience: ~ # NULL, accept any
minIssueTime: 1442132949 # Reject 'old' tokens, regardless of 'exp'
require: [nbf, exp, my-claim] # Mark claims as required
leeway: 5 # Allow 5 seconds of time de-synchronization between this server and api.server.com

```

Clients should pass the token using an `Authentication: Bearer` header, eg:

```
Authentication: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
```

While this is compatible with OAuth 2.0, use of such a protocol is outside of the scope of SwaggerBundle and entirely optional. For more information on using JWT Bearer tokens in OAuth, refer to [this spec](http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07).

SwaggerBundle and the issuer must share a secret in order for SwaggerBundle to be able to verify tokens. You can choose between a *pre shared key* (PSK) or *asymmetric keys*.

```yml
swagger:
auth:
keys:
keyOne: # Must match 'kid'
issuer: http://api.server1.com/oauth2/token
secret: 'A Pre-Shared Key'
type: ~ # Defaults to HS256 (HMACSHA256). All options: HS256, HS512, RS256 and RS512
keyTwo: # Must match 'kid'
issuer: http://api.server2.com/oauth2/token
type: RS256 # RSA SHA256, needed for asymmetric keys
secret: |
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwND1VMVJ3BC/aM38tQRH
2GDHecXE8EsGoeAeBR5dFt3QC1/Eoub/F2kee3RBtI6I+kDBjrSDz5lsqh3Sm7N/
47fTKZLvdBaHbCuYXVBQ2tZeEiUBESnsY2HUzXDlqSyDWohuiYeeL6gewxe1CnSE
0l8gYZ0Tx4ViPFYulva6siew0f4tBuSEwSPiKZQnGcssQYJ/VevTD6L4wGoDhkXV
VvJ+qiNgmXXssgCl5vHs22y/RIgeOnDhkj81aB9Evx9iR7DOtyRBxnovrbN5gDwX
m6IDw3fRhZQrVwZ816/eN+1sqpIMZF4oo4kRA4b64U04ex67A/6BwDDQ3LH0mD4d
EwIDAQAB
-----END PUBLIC KEY-----
```

To use *asymmetric keys*, `type` MUST be set to `RS256` or `RS512`. The secret in this case is the public key of the issuer.

### Integration Into Symfony Security

When enabled, `JwtAuthenticator` will be used for any operations referencing a `SecurityDefinition` of type `apiKey` or `oath2`. You will need a *user provider*, which will be passed the
'prn' value when invoking `loadUserByUsername`. Trivial example using 'in memory':

```yml
security:
firewalls:
secured_area:
pattern: ^/
stateless: true
simple_preauth:
authenticator: swagger.auth.authenticator.jwt
provider: in_memory

providers:
in_memory:
memory:
users:
joe:
roles: 'IS_AUTHENTICATED_FULLY'
```
SwaggerBundle 2.0+ does not include authentication functionality. The JWT support from 1.0 was moved into [kleijnweb/jwt-bundle](https://github.com/kleijnweb/jwt-bundle)).

When using `SecurityDefinition` type `oauth2`, it would be possible to translate *scopes* to Symfony roles,
add them to the user, and automatically configure `access_control`.
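Review bot: the new line `SwaggerBundle 2.0+ does not include authentication functionality. ... [kleijnweb/jwt-bundle](https://github.com/kleijnweb/jwt-bundle)).` ends with an unbalanced closing parenthesis; drop the extra `)`. The two unchanged lines kept after it ("When using `SecurityDefinition` type `oauth2`, it would be possible to translate *scopes* to Symfony roles, add them to the user, and automatically configure `access_control`.") still describe behaviour that depended on the removed `JwtAuthenticator`, so the Authentication section now says the bundle has no authentication and then discusses its authentication features; either delete those lines or reword them to say scope-to-role mapping is a JwtBundle concern.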
3 changes: 1 addition & 2 deletions composer.json
@@ -35,15 +35,14 @@
"symfony/serializer": "Object de- serialization using Symfony Serializer Component",
"jms/serializer": "Object de- serialization using JMS\\Serializer",
"doctrine/annotations": "Object de- serialization annotation support",
"symfony/security-bundle": "JWT authentication support"
"kleijnweb/jwt-bundle": "JWT authentication support"
},
"require-dev": {
"phpunit/phpunit": "4.1.*",
"symfony/framework-bundle": ">=2.6.0",
"symfony/console": ">=2.6.0",
"symfony/form": ">=2.6.0",
"symfony/serializer": ">=2.6.0",
"symfony/security-bundle": ">=2.6.0",
"symfony/monolog-bundle": ">=2.6.0",
"sensio/generator-bundle": "~2.3",
"mikey179/vfsStream": "^1.5",
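Review bot: `symfony/security-bundle` is removed from `require-dev` here, but the hunk only drops the dependency; any remaining test kernel, fixture config or `security:` section that registered SecurityBundle (the README's `simple_preauth` firewall example was the documented consumer) will now fail on a dev install, so check the test tree for `SecurityBundle` references before merging. The new `suggest` entry `"kleijnweb/jwt-bundle": "JWT authentication support"` reuses the old description verbatim; a hint that the former `swagger.auth` configuration lives there now would help people migrating.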
19 changes: 1 addition & 18 deletions src/DependencyInjection/Configuration.php
@@ -29,24 +29,7 @@ public function getConfigTreeBuilder()
->scalarNode('dev')
->defaultFalse()
->end()

->arrayNode('auth')
->addDefaultsIfNotSet()
->children()
->arrayNode('keys')
->requiresAtLeastOneElement()
->useAttributeAsKey('name')
->prototype('array')
->children()
->scalarNode('issuer')->isRequired()->end()
->scalarNode('secret')->isRequired()->end()
->scalarNode('type')->defaultValue('HS256')->end()
->end()
->end()
->end()
->end()
->end()


->arrayNode('serializer')
->addDefaultsIfNotSet()
->children()
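Review bot: deleting the `auth` node outright means an existing `swagger: auth: keys:` block in a user's config now fails container compilation with a generic unrecognised-option error instead of a migration hint; consider keeping a placeholder `->arrayNode('auth')` whose `->validate()` throws with a message pointing at kleijnweb/jwt-bundle, and record the removal in an UPGRADE note alongside the README change.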
5 changes: 0 additions & 5 deletions src/DependencyInjection/KleijnWebSwaggerExtension.php
@@ -34,11 +34,6 @@ public function load(array $configs, ContainerBuilder $container)
$loader->load('services_dev.yml');
}

if ($config['auth']) {
$container->setParameter('swagger.auth.keys', $config['auth']['keys']);
$loader->load('services_auth.yml');
}

$container->setParameter('swagger.document.base_path', $config['document']['base_path']);
$container->setParameter('swagger.serializer.namespace', $config['serializer']['namespace']);
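Review bot: the removed block was the only place that set the `swagger.auth.keys` parameter and loaded `services_auth.yml`; since `services_auth.yml` is deleted in this same commit that is consistent, but a dangling reference to `swagger.auth.keys` or to the `swagger.auth.authenticator.jwt` service id anywhere in the remaining `Resources/config` files or tests would only surface as a container error at runtime, so grep for both before merging.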

5 changes: 0 additions & 5 deletions src/Resources/config/services_auth.yml

This file was deleted.

132 changes: 0 additions & 132 deletions src/Security/Authenticator/JwtAuthenticator.php

This file was deleted.

66 changes: 0 additions & 66 deletions src/Security/Authenticator/JwtAuthenticator/Decoder.php

This file was deleted.

