- https://github.com/maxpou/docker-symfony for Docker Setup
- http://symfony.com/doc/current/security/custom_provider.html for own Userprovider
- https://causeyourestuck.io/2016/07/19/oauth2-explained-part-1-principles-terminology/ for OAuth Configuration
- https://bitgandtter.blog/2015/09/30/symfony-a-restful-app-security-securing-the-token-path-fixed/ for OAuth in Symfony
Docker-symfony gives you everything you need for developing Symfony application. This complete stack run with docker and docker-compose (1.7 or higher).
-
Change the .env file to your needs, but it should work the way it is right now.
-
Build/run containers with (with and without detached mode)
$ docker-compose build $ docker-compose up -d
-
Update your system host file (add symfony.dev)
$ sudo echo "127.0.0.1 symfony.dev" >> /etc/hosts
-
Prepare Symfony app
- Update app/config/parameters.yml
$ mv app/config/parameter.yml.dist app/config/parameter.yml
-
Composer install & create database
$ docker-compose exec php bash $ composer install $ php bin/console doctrine:schema:update --force $ php bin/console doctrine:fixtures:load --no-interaction
-
Setup OAuth
$ php bin/console schulzcodes:oauth-server:user:create $ php bin/console schulzcodes:oauth-server:client:create --redirect-uri="http://client.local/" --grant-type="authorization_code" --grant-type="password" --grant-type="refresh_token" --grant-type="token" --grant-type="client_credentials"
```
Just run docker-compose up -d
, then:
- Symfony app: visit symfony.dev
- Symfony dev mode: visit symfony.dev/app_dev.php
- Logs (Kibana): symfony.dev:81
- Logs (files location): logs/nginx and logs/symfony
Taken from https://causeyourestuck.io/2016/07/19/oauth2-explained-part-3-using-oauth2-bare-hands/
That’s the most commonly used one, recommended to authorize end customers. A good example is the Facebook Login for websites. Here’s how it works. Request this url in the browser:
symfony.dev/oauth/v2/auth?client_id=CLIENT_ID&response_type=code&redirect_uri=CLIENT_HOST
note: redirect_uri should be identical to the one provided on client creation, otherwise you will get a corresponding error message. The page you are requesting will offer you a login, then authorization of the client permissions, once you confirm everything it will redirect you back to the url you provided in redirect_url. In our case, redirect will look like
CLIENT_HOST/?code=Yjk2MWU5YjVhODBiN2I0ZDRkYmQ1OGM0NGY4MmUyOGM2NDQ2MmY2ZDg2YjUxYjRiMzAwZTY2MDQxZmUzODg2YQ
I’ll refer to this long code parameter as CODE in the future. This code is stored on the Provider side, and once you request for the token, it can uniquely identify the client which made request and the user. It’s time to request the token
symfony.dev/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fclinet.local%2F&code=CODE
µ Most probably this request will fail. That’s because CODE expires rather quickly. Fear not, just request first URL, repeat the process, prepare the second url in the text editor of your choice, copy in the code rather quickly, and you will get the desired result. It’s a JSON which contains access_token and looks like this
{
"access_token":"NjlmNDNiZTU4ZDY3ZGFlYTI5MGEzNDcxZWVmZDU4Y2E1NGJmZTJlMjNjNzc2M2E0MmZlZTk2ZjliMWE0MDQyNw",
"expires_in":3600,
"token_type":"bearer",
"scope":null,
"refresh_token":"ZGU2NzlhOTQ2MmRlY2YyYjAyMjBkYmJmMmJhMDllNTgyNmJkNmQxOWZlNGQ4NzczY2RiMThlNmRhMjBiYjFjNg"
}
this suggests that access_token expires in 3600 seconds, and to refresh it you have the refresh token. We will discuss how to handle that later on this chapter.
It’s similar to Authorization Code grant, it’s just a bit simpler. You just need to make only one request, and you will get the access_token as a part of redirect URL, there’s no need for second response. That’s for the situations where you trust the user and the client, but you still want the user to identify himself in the browser.
symfony.dev/oauth/v2/auth?client_id=2_1y1zqhh7ws5c8kok8g8w88kkokos0wwswwwowos4o48s48s88w&redirect_uri=http%3A%2F%2Fclinet.local%2F&response_type=token
then you will get redirected to
CLIENT_HOST/#access_token=YWZhZWQ5NjQxOTI2ODJmZWE4YjJiYmExZTIxZmE5OWUxOWZjZjgwZDFlZWMwMjkyZDQwZWU1NWI4YWIzODllNQ&expires_in=3600&token_type=bearer&refresh_token=YzQ1YjRhODk2YzJiYTZmMzNiNjI5ZjI2MDI3ZmMwMDg3MjkxMDdhYmE5YjBlYzRlZmM2M2Q0NTM3ZjFmZDZiYQ
Let’s say you have no luxury of redirecting user to some website, then handle redirect call, all you have is just an application which is able to send HTTP requests. And you still want to somehow authenticate user on the server side, and all you have is username and password.
symfony.dev/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=password&username=USERNAME&password=PASSWORD
{
"access_token":"MjY1MWRhYTAyZDZlOTEyN2EzNTg4MGMwMTcyYjczY2Y0MWI3NzZjODc1OGM2NDdjODgxZjY3YzEyMDdhZjU0Yg",
"expires_in":3600,
"token_type":"bearer",
"scope":null,
"refresh_token":"MDNmNzBmNWQ2NzdhYWVmYjE2NjI3ZjAyZTM4Y2Q1NDRiNDY1YjUyZGE1ZDk0ODZjYmU0MDM0NTQxNjhiZmU3ZA"
}
This one is the most simplistic flow of them all. You just need to provide CLIENT_ID and CLIENT_SECRET.
symfony.dev/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=client_credentials
{
"access_token":"YTk0YTVjZDY0YWI2ZmE0NjRiODQ4OWIyNjZkNjZlMTdiZGZlNmI3MDNjZGQwYTZkMDNiMjliNDg3NWYwZWI0MQ",
"expires_in":3600,
"token_type":"bearer",
"scope":"user",
"refresh_token":"ZDU1MDY1OTc4NGNlNzQ5NWFiYTEzZTE1OGY5MWNjMmViYTBiNmRjOTNlY2ExNzAxNWRmZTM1NjI3ZDkwNDdjNQ"
}
Before I mentioned that access_tokens
have a lifetime of one hour, after which they will expire. With every access_token
you were provided a refresh_token
. You can exchange refresh token and get a new pair of access_token
and refresh_token
PROVIDER_HOST/oauth/v2/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=refresh_token&refresh_token=REFRESH_TOKEN
{
"access_token":NEW_ACCESS_TOKEN,
"expires_in":3600,
"token_type":"bearer",
"scope":"user",
"refresh_token":"NEW_REFRESH_TOKEN"
}
Let’s not fail or using the access_token
Remember our failed attempt to request an API at the beginning of the article? Let’s try again. Request
symfony.dev/api/articles?access_token=ACCESS_TOKEN
["article1","article2","article3"]
Seems like a proper response, does it? Let’s try the other request, which is supposed to maintain user session with the access_token.
symfony.dev/api/user?access_token=ACCESS_TOKEN
If you obtained your access_token through Authorization Code, Implicit Grant or Password, you should see a JSON representation of the user object.
{
"id":1,
"username":"user1"
}
If that was the Client Credentials, ACCESS_TOKEN
doesn’t contain any user information association with it, therefore there can’t be any user information retrieved, as the response suggests
{"message":"User is not identified"}
## Customize
If you want to add optionnals containers like Redis, PHPMyAdmin... take a look on doc/custom.md.
Have a look at the docker-compose.yml
file, here are the docker-compose
built images:
db
: This is the MySQL database container,php
: This is the PHP-FPM container in which the application volume is mounted,nginx
: This is the Nginx webserver container in which application volume is mounted too,elk
: This is a ELK stack container which uses Logstash to collect logs, send them into Elasticsearch and visualize them with Kibana.
This results in the following running containers:
$ docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------
dockersymfony_db_1 /entrypoint.sh mysqld Up 0.0.0.0:3306->3306/tcp
dockersymfony_elk_1 /usr/bin/supervisord -n -c ... Up 0.0.0.0:81->80/tcp
dockersymfony_nginx_1 nginx Up 443/tcp, 0.0.0.0:80->80/tcp
dockersymfony_php_1 php-fpm Up 0.0.0.0:9000->9000/tcp
# bash commands
$ docker-compose exec php bash
# Composer (e.g. composer update)
$ docker-compose exec php composer update
# SF commands (Tips: there is an alias inside php container)
$ docker-compose exec php php /var/www/symfony/app/console cache:clear # Symfony2
$ docker-compose exec php php /var/www/symfony/bin/console cache:clear # Symfony3
# Same command by using alias
$ docker-compose exec php bash
$ sf cache:clear
# Retrieve an IP Address (here for the nginx container)
$ docker inspect --format '{{ .NetworkSettings.Networks.dockersymfony_default.IPAddress }}' $(docker ps -f name=nginx -q)
$ docker inspect $(docker ps -f name=nginx -q) | grep IPAddress
# MySQL commands
$ docker-compose exec db mysql -uroot -p"root"
# F***ing cache/logs folder
$ sudo chmod -R 777 app/cache app/logs # Symfony2
$ sudo chmod -R 777 var/cache var/logs # Symfony3
# Check CPU consumption
$ docker stats $(docker inspect -f "{{ .Name }}" $(docker ps -q))
# Delete all containers
$ docker rm $(docker ps -aq)
# Delete all images
$ docker rmi $(docker images -q)
-
Got this error:
ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running? If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.
?
Rundocker-compose up -d
instead. -
Permission problem? See this doc (Setting up Permission)
-
How to config Xdebug? Xdebug is configured out of the box! Just config your IDE to connect port
9001
and id keyPHPSTORM