jwt-ldap.md

File metadata and controls

98 lines (85 loc) · 3.81 KB

# Combining JWT and LDAP

## Requirements

For JWT, I'm using lexik/jwt-authentication-bundle. For LDAP, I'm using ldaptools/ldaptools-bundle.

Both can be installed via Composer:

```bash
composer req lexik/jwt-authentication-bundle ldaptools/ldaptools-bundle
```

## Configuration

Follow the instructions for configuring both packages as normal.

After that, add the LDAP guard to the `login` firewall in your `config/packages/security.yaml` file:

```yaml
security:
    # ...
    firewalls:
        login:
            pattern:  ^/api/login
            stateless: true
            anonymous: true
            form_login:
                check_path:               /api/login_check
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false
            guard:
                authenticators:
                    - ldap_tools.security.ldap_guard_authenticator
```

## Cross-configuration

Make sure that both packages use the same names for the username and password parameters; otherwise one bundle will look for credentials under a key the other never reads.

For JWT, in `config/packages/security.yaml`:

```yaml
security:
    # ...
    firewalls:
        login:
            form_login:
                username_path: my_username
                password_path: my_password
```

And for LDAP, in `config/packages/ldaptools.yaml`:

```yaml
ldap_tools:
    security:
        guard:
            username_parameter: my_username
            password_parameter: my_password
```

## Using json_login instead of form_login

I ran into some problems when using the `json_login` authentication instead of the `form_login` method used above. The LDAP Guard Authenticator provided by LDAP Tools cannot read the credentials from a JSON-encoded POST body.

I created a `JsonLdapGuardAuthenticator` class that extends the original `LdapGuardAuthenticator` of LDAP Tools. This class overrides the `getRequestParameter` method to pull parameters out of the JSON POST body.
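A minimal version of that class, added here as an illustration (it is not the page's or LdapTools' own code). It assumes the parent declares a protected `getRequestParameter($param, Request $request)` and that the credentials are top-level keys of the JSON object named by `username_parameter` and `password_parameter`; non-JSON requests fall back to the parent, and malformed JSON or non-string values count as missing credentials:

```php
<?php
// Added example, not code from the page or from LdapTools. ASSUMPTION: the parent
// class declares getRequestParameter($param, Request $request) as a protected
// method (the text says it is overridden); verify against the installed version.

namespace App\Authentication\Ldap;

use LdapTools\Bundle\LdapToolsBundle\Security\LdapGuardAuthenticator;
use Symfony\Component\HttpFoundation\Request;

class JsonLdapGuardAuthenticator extends LdapGuardAuthenticator
{
    /** @var array decoded JSON body, cached per request object */
    private $decoded = [];
    /** @var Request|null the request the cache belongs to */
    private $decodedFor;

    protected function getRequestParameter($param, Request $request)
    {
        // Only parse the body when the client declares JSON; anything else
        // keeps the parent's form-encoded behaviour.
        $contentType = (string) $request->headers->get('Content-Type');
        if (strpos($contentType, 'application/json') !== 0) {
            return parent::getRequestParameter($param, $request);
        }

        $body = $this->decodeBody($request);
        if (!isset($body[$param]) || !is_string($body[$param])) {
            // Missing, non-string (array/object/number) or malformed input is
            // treated as "no credential" so the guard fails the login cleanly
            // instead of passing a structured value on to the LDAP bind.
            return null;
        }

        return $body[$param];
    }

    private function decodeBody(Request $request)
    {
        if ($this->decodedFor !== $request) {
            $data = json_decode($request->getContent(), true);
            // A top-level JSON object is required; invalid JSON or a bare
            // scalar yields no parameters at all.
            $isObject = json_last_error() === JSON_ERROR_NONE && is_array($data);
            $this->decoded = $isObject ? $data : [];
            $this->decodedFor = $request;
        }

        return $this->decoded;
    }
}
```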

I copied the service definition of the original `LdapGuardAuthenticator`. To prevent my JWT requests from being redirected to a (non-existing) login form, I had to use some handlers from the JWT package instead of the default ones from the LDAP package.

In `config/services.yaml`:

```yaml
services:
    App\Authentication\Ldap\JsonLdapGuardAuthenticator:
        arguments:
            - '%security.authentication.hide_user_not_found%'
            - '@ldap_tools.security.user.ldap_user_checker'
            - '@ldap_tools.ldap_manager'
            - '@lexik_jwt_authentication.security.guard.jwt_token_authenticator' # Instead of '@ldap_tools.security.authentication.form_entry_point'
            - '@event_dispatcher'
            - '@lexik_jwt_authentication.handler.authentication_success' # Instead of '@ldap_tools.security.auth_success_handler'
            - '@lexik_jwt_authentication.handler.authentication_failure' # Instead of '@ldap_tools.security.auth_failure_handler'
            - '%ldap_tools.security.guard.options%'
            - '@ldap_tools.security.user.ldap_user_provider'
```

Then the new class can be used as a guard in the `config/packages/security.yaml` file:

```yaml
security:
    # ...
    firewalls:
        login:
            # ...
            guard:
                authenticators:
                    - App\Authentication\Ldap\JsonLdapGuardAuthenticator
```