Painless authentication with access tokens

Transcript

1. Painless Authentication with Access Tokens Mathieu Santostefano 🧑‍💻 Web developer

   at Symfony Core Team Member Twitter @welcomattic GitHub @welcomattic Photo by Kelly Sikkema on Unsplash

2. 🎉 On nov. 18 2021, I received an email to

   join the Core Team 2

3. 🍽 On the menu 3 Photo by Nathan Dumlao on

   Unsplash

4. 🍽 On the menu 1. Access token, what is it?

   3 Photo by Nathan Dumlao on Unsplash

5. 🍽 On the menu 1. Access token, what is it?

   2. Implementation with Symfony 6.1 3 Photo by Nathan Dumlao on Unsplash

6. 🍽 On the menu 1. Access token, what is it?

   2. Implementation with Symfony 6.1 3. Time travel 3 Photo by Nathan Dumlao on Unsplash

7. 🍽 On the menu 1. Access token, what is it?

   2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 3 Photo by Nathan Dumlao on Unsplash

8. 🍽 On the menu 1. Access token, what is it?

   2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 5. Code examples 3 Photo by Nathan Dumlao on Unsplash

9. 🍽 On the menu 1. Access token, what is it?

   2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 5. Code examples 6. In the future? 3 Photo by Nathan Dumlao on Unsplash

10. 🔐 Who has Access Token authentication in their app? 4

11. 🔒 Who is working with the new Symfony Security? 5

12. 🔒 Who is working with the new Symfony Security? Thank

    you for it, Wouter 🙏 5

13. ✨ The New Security System Removed everything but Guards Moved

    to an event-based system Authenticator based: instantiate a Passport with Badges Your job is to use Authenticator or implement your own 6

14. ✨ The New Security System Event-based system You can interact

    on different levels CheckPassportEvent AuthenticationTokenCreatedEvent AuthenticationSuccessEvent LoginSuccessEvent LoginFailureEvent LogoutEvent TokenDeauthenticatedEvent SwitchUserEvent 7

15. ✨ The New Security System As before, you can still

    handle what happens in case of authentication success or failure 🤩 Like many things since the last years in Symfony, it improves the DX 8

16. 🪙 What is an Access Token? 9

17. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token 9

18. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token 9

19. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 9

20. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 🌮 could be an Access Token 9

21. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 🌮 could be an Access Token 🔡 An Access Token is represented by a string. 9

22. 📑 Use cases Authentication with Access Token is useful in

    some contexts, like Stateless user login API Gateway in front of private APIs Application that access to personal data provided by a third party Micro-services between them Client applications of a SaaS API … 10

23. 🤨 Ok, so? Must be sent in a HTTP request

    to fetch a protected resource The application expects to find a token, 👉 validate 👈 it and decide to allow access or not 11

24. 🤨 Ok, so? Must be sent in a HTTP request

    to fetch a protected resource The application expects to find a token, 👉 validate 👈 it and decide to allow access or not 11

25. 🛂 Token issuer Let’s assume our tokens come from an

    external authentication server, the user identity has been verified by this server 12

26. ✅ Validate the token? The validation process is up to

    you Check if the string is present in a database Compute a hash and compare it to the expected one Decode the token (base64, …) and make assertions on decoded values Ensure the expiration date is not passed if needed Check if the token has been revoked or not Call an OpenID Connect server to validate the token … 13

27. 🤔 How to set up an Access Token auth with

    Symfony? 14

28. 🎬 Marvel Scenarios Manager, a web app for writers and

    reviewers Each user (Writers and Reviewers) has an API key Admin for Writers Form login authentication Writers can create Scenarios Web app for Reviewers Call the private API using API Key obtained after Reviewer login Admins can revoke API key at any time 15

29. 16

30. 17

31. 👉 With Symfony <= 6.1 Create a custom Authenticator 1.

    Extract token 2. Decode token if needed (JWT, SAML, …) 3. Check token validity 4. Retrieve user identifier from the token 5. Then load User object 6. Handle authentication failure cases 18

32. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token 19

33. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token WWW-Authenticate response header in case of failure 19

34. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token WWW-Authenticate response header in case of failure HTTPS protocol mandatory 19

35. 20

36. 🧑‍💻 Some code 21 1 /** Simplified version */ 2

    private function extractToken(Request $req): ?string 3 { 4 return match (true) { 5 // Header 6 $req->headers->has('Authorization') => str_replace('Bearer ', '', $req->headers->get('Authorization')), 7 8 // Query string 9 $req->query->has('access_token') => $req->query->get('access_token'), 10 11 // Request body 12 $req->request->has('access_token') => $req->request->get('access_token'), 13 14 default => null, 15 }; 16 }

37. 🧑‍💻 Some code 22 1 public function authenticate(Request $req): Passport

    2 { 3 if (null === $apiKey = $this->extractToken($req)) { 4 throw new AuthenticationException('No API Key provided'); 5 } 6 7 // Here, it could be some logic to validate the token 8 9 return new SelfValidatingPassport( 10 new UserBadge($apiKey, 11 function (string $apiKey) { 12 return $this->userRepository->findOneByApiKey($apiKey); 13 } 14 ) 15 ); 16 }

38. 🥱 Boring code We have to repeat this code in

    all our applications, boring Our responsibility to respect RFC6750, boring No body likes boring code Boring code is code we rewrite in all projects, no business value Poor Developer eXperience, Symfony tends to improve DX This is definitely improvable 23

39. 24

40. ⌚ Discussions started long time ago April 2019, at EU

    FOSSA Hackathon 25

41. ⌚ Discussions started long time ago June 2019, first PR

    about OAuth2 Component. ❌ Aborted 26

42. ⌚ Discussions started long time ago September 2019, Wouter’s 1st

    PR about redesign of Security 27

43. ⌚ Discussions started long time ago April 2020, continuation of

    Wouter’s work on new Security system 28

44. ⌚ Discussions started long time ago March 2022, Vincent Chalamon

    opens an issue about "Bearer Authenticator" 29

45. ⌚ Discussions started long time ago Finally, on May 21st,

    2022, Vincent Chalamon & Florent Morselli each open a pull request to implement the Authenticator 30

46. 🤩 Thanks a lot Florent Morselli @Spomky 31

47. Adding a feature to Symfony could take years 32

48. 🚀 Let’s meet AccessTokenAuthenticator in Symfony 6.2 33

49. AccessTokenAuthenticator Takes care of token extraction Header Query string Request

    body And/or your Custom extractors Calls your Token Handler to check the token (revocation, expiration, signature, …) Custom success / failure handlers if needed ✨ All this via configuration! 34

50. What kind of tokens could be used? JWT SAML2 Biscuit

    Macaroons Homemade tokens (with chocolate chips and nuts 😋 ) … Any kind of token, as it’s up to you to handle them 35

51. ⚙ Internally, in Symfony Extraction with ChainTokenExtractor (configurable order) Default

    and custom extractors can be used at the same time Handle the token with your TokenHandlerInterface implementation AccessTokenAuthenticator will create a PostAuthenticationToken object set WWW-Authenticate Response header content in case of failure use the configured User Provider in security.yaml 36

52. 🪄 How much easier is it with 6.2? 37

53. 6.1 security.yaml 38 1 security: 2 providers: 3 user_provider: 4

    entity: 5 class: App\Entity\User 6 property: apiKey 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 custom_authenticator: App\Security\ApiKeyAuthenticator

54. 39 1 class ApiKeyAuthenticator extends AbstractAuthenticator 8 public function supports(Request

    $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 12 13 public function authenticate(Request $req): Passport 14 { 15 if (null === $apiKey = $this->extractToken($req)) { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 6.1 ApiKeyAuthenticator

55. 39 13 public function authenticate(Request $req): Passport 14 { 15

    if (null === $apiKey = $this->extractToken($req)) { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 1 class ApiKeyAuthenticator extends AbstractAuthenticator 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function supports(Request $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 12 6.1 ApiKeyAuthenticator

56. 39 15 if (null === $apiKey = $this->extractToken($req)) { 1

    class ApiKeyAuthenticator extends AbstractAuthenticator 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function supports(Request $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 12 13 public function authenticate(Request $req): Passport 14 { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 6.1 ApiKeyAuthenticator

57. 6.1 ApiKeyAuthenticator 40 1 /** Simplified version */ 2 private

    function extractToken(Request $req): ?string 3 { 4 return match (true) { 5 // Header 6 $req->headers->has('Authorization') => str_replace('Bearer ', '', $req->headers->get('Authorization')), 7 8 // Query string 9 $req->query->has('access_token') => $req->query->get('access_token'), 10 11 // Request body 12 $req->request->has('access_token') => $req->request->get('access_token'), 13 14 default => null, 15 }; 16 }

58. 6.2 security.yaml 41 1 security: 2 providers: 3 user_provider: 4

    entity: 5 class: App\Entity\User 6 property: apiKey 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 access_token: 13 token_extractors: 14 - header 15 - query_string 16 - request_body 17 token_handler: App\Security\AccessTokenHandler

59. 6.2 AccessTokenHandler 42 1 class AccessTokenHandler implements AccessTokenHandlerInterface 2 {

    3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function getUserIdentifierFrom(string $token): string 9 { 10 $user = $this->userRepository->findOneByApiKey($token); 11 12 if ($user === null) { 13 throw new BadCredentialsException('Invalid credentials.'); 14 } 15 16 return $user->getUserIdentifier(); 17 } 18 }

60. 6.2 With a JWT issued by an OIDC server 43

61. 44

62. 6.2 With a JWT issued by an OIDC server 45

    1 class JwtHandler implements AccessTokenHandlerInterface 2 { 3 public function __construct( 4 private readonly HttpClientInterface $oidcHttpClient, 5 ) {} 6 7 public function getUserIdentifierFrom(string $accessToken): string 8 { 9 try { 10 $userInfo = $this->oidcHttpClient->request('GET', 'protocol/openid-connect/userinfo', [ 11 'auth_bearer' => $accessToken, 12 ])->toArray(); 13 } catch (HttpExceptionInterface $e) { 14 throw new BadCredentialsException($e->getMessage()); 15 } 16 17 return $userInfo['email']; 18 } 19 }

63. 6.2 With a JWT issued by your Symfony app with

    lcobucci/jwt (or web-token/jwt-checker) 46

64. 🔐 6.2 security.yaml 47 1 security: 2 providers: 3 user_provider:

    4 entity: 5 class: App\Entity\User 6 property: email 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 access_token: 13 token_extractors: header 14 token_handler: App\Security\JwtHandler

65. 48 1 class JwtHandler implements AccessTokenHandlerInterface 2 { 3 public

    function __construct( 4 private readonly Parser $jwtParser = new Parser(new JoseEncoder()), 5 private readonly Validator $jwtValidator = new Validator(), 6 ) {} 7 8 public function getUserIdentifierFrom(string $accessToken): string 9 { 10 $jwt = $this->jwtParser->parse($accessToken); 11 $timezone = new \DateTimeZone('Europe/Paris'); 12 13 try { 14 $this->jwtValidator->assert($jwt, new ValidAt(new SystemClock($timezone))); 15 $this->jwtValidator->assert($jwt, new SignedWith( 16 new Sha256(), 17 InMemory::plainText('PRIVATE-KEY') 18 )); 19 } catch (RequiredConstraintsViolated $e) { 20 throw new BadCredentialsException($e->getMessage()); 21 } 22 23 return $jwt->claims()->get(RegisteredClaims::SUBJECT); 24 } 25 } 6.2 JwtHandler

66. API Platform plans to support OpenID Connect authentication https://github.com/api-platform/demo/pull/265 49

67. 💫 In the future? Add a native JwtHandler to Symfony?

    Add a native SamlHandler to Symfony? Add a native BiscuitHandler to Symfony? 👉 It’s up to the community! 50

68. 51

69. 52

70. Less responsibility, less code Configure the way the extraction should

    be done Focus on the token processing Decoding Checking signature, expiration, revocation Retrieve user identifier 🦸 Leverage all Symfony power to fine tune configuration to your needs 53

71. 👏 Thanks a lot Wouter Guillaume Vincent Florent And all

    reviewers, commenters 🎉 54

72. Thank you ☕ 🍰 Any questions? Slides and demo apps

    👉 welcomattic.github.io/painless-authentication-with-access-token Sources JWT RFC Bearer Token Usage RFC In-depth article about token authentication 55