ElPiter

Symfony2 security - Strange behavior (Challenging issue)

Using FOSOAuthServerBundle, FOSUserBundle and Symfony2.0, I have followed this documentation (http://blog.logicexception.com/2012/04/securing-syfmony2-rest-service-wiith.html) about creating my own auth_login form when implementing OAuth2 with FOSOAuthServerBundle. Good post, by the way, from my humble point of view.

I must say that I have it almost done. But there is a strange behavior that makes it not work. Could anyone take a look at my problem and try to give me a clue about the possible solution?

PREVIOUS CONSIDERATIONS

Before developing the instructions on this page, I have the FOSOAuthServerBundle well configured. I complete the process, and I get the token properly, authenticating the user credentials and creating the session too. The only thing is that I don't have a specific login form different from the main one on my web site. So the page that appears when trying to get the authorization code is the normal login one. What I want is, as described in the manual, to display a different login form, smaller and more specific, to make it friendly for mobile devices.

THE PROBLEM

Developing exactly what is described on this page, I get this behavior:

  1. I call "^/oauth/v2/auth" with the proper parameters
  2. As expected, I am redirected to the /auth_login page
  3. I input a user's credentials (correct login and password)
  4. After the login process, Symfony properly TRIES TO redirect again to "^/oauth/v2/auth" with the proper parameters, but, Surprise!!, some interceptor or something is catching that request and I am again redirected to /auth_login.

THE ONLY DIFFERENCE

Between what I have and what is described in the manual is just that I am using a twig page to display the auth_login form. I don't think this can be a problem, but anyway, I post it next:

<form action="{{ path("acme_oauth_server_auth_login_check") }}" method="post">
    <input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />

    <label for="username">{{ 'security.login.username'|trans({}, 'FOSUserBundle') }}</label>
    <input type="text" id="username" name="_username" value="{{ last_username }}" />

    <label for="password">{{ 'security.login.password'|trans({}, 'FOSUserBundle') }}</label>
    <input type="password" id="password" name="_password" />

    <input type="checkbox" id="remember_me" name="_remember_me" value="on" />
    <label for="remember_me">{{ 'security.login.remember_me'|trans({}, 'FOSUserBundle') }}</label>

    <input type="submit" id="_submit" name="_submit" value="{{ 'security.login.submit'|trans({}, 'FOSUserBundle') }}" />
</form>

ONE MORE THING

Although it doesn't work either, I am considering a trick (or workaround) that consists of putting the following in the action field of the form:

{{ path("fos_user_security_check") }}

That means making the /auth_login form send the data to the same login_check used by FOSUserBundle instead of FOSOAuthServerBundle's.

The effect in this case is as follows:

  1. I call "^/oauth/v2/auth" with the proper parameters
  2. As expected, I am redirected to the /auth_login page
  3. I input a user's credentials (correct login and password)
  4. After the login process, the redirection of ^/oauth/v2/auth is well performed and I get the authorization_code
  5. I complete the whole thing getting the access_token thanks to the ^/oauth/v2/token URL
  6. Surprise!! Although everything is done well, in this case the session IS NOT created, which is too bad for later calls to the API (the API just doesn't get anything as the session is not created). Imagine, for example, a situation in which I want to get from the API a whole list of certain items that belong to the user that entered his or her credentials. Obviously, as the session is not created, all I get is a redirection to the main page (that is how I have configured the firewall in Symfony2).

I would really appreciate it if someone could help me with all this.

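Both symptoms in the question (a login under one firewall that does not satisfy a second firewall, and an authorization flow that completes without leaving a usable session) come down to how Symfony2 firewalls store the authenticated token in the session. The following security.yml is an added illustration of that mechanism, not the asker's configuration and not a verified fix for the setup above: the firewall names, the `^/(oauth/v2/auth|auth_login)` pattern, the `main_context` name and the user provider are assumptions chosen to match the paths mentioned in the question.

```yaml
# Added illustration (not the asker's config): Symfony 2.0 security.yml with
# separate firewalls for the OAuth2 authorization endpoint, the resource API
# and the regular web site. Names, patterns and the provider are assumptions.
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager

    firewalls:
        # Token endpoint: clients exchange the code here, no session needed.
        oauth_token:
            pattern:   ^/oauth/v2/token
            security:  false

        # Authorization endpoint plus its dedicated, mobile-friendly login form.
        # "context" makes this firewall read/write the same security token in
        # the session as "main" below; without it each firewall keeps its own
        # token, so logging in here is invisible to the other firewall.
        oauth_authorize:
            pattern:   ^/(oauth/v2/auth|auth_login)
            context:   main_context
            form_login:
                provider:   fos_userbundle
                login_path: /auth_login
                check_path: /auth_login_check
            anonymous: true

        # Resource firewall: requests carry the access_token obtained above.
        api:
            pattern:   ^/api
            fos_oauth: true

        # Regular web site with the standard FOSUserBundle login form.
        main:
            pattern:   ^/
            context:   main_context
            form_login:
                provider: fos_userbundle
            logout:    true
            anonymous: true

    access_control:
        - { path: ^/auth_login$,    role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/oauth/v2/auth,  role: IS_AUTHENTICATED_REMEMBERED }
        - { path: ^/api,            role: ROLE_USER }
```

The point to check against a real configuration is the `context` line: two firewalls that should honour the same login must share a context (or be a single firewall), and the `form_login` `login_path` and `check_path` must both fall inside the pattern of the firewall that owns them, otherwise the login form and its check are processed by a different firewall than the one that redirected to them.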
