Create ZF Client Authentication for Apigility Oauth with ApigilityConsumer
If you have Apigility as API builder in API side, and client app that consume it using Zend Framework 2/3 or ZF Expressive, you can create an authentication from the client application that call oauth in apigility side.
Zend\Authentication has AbstractAdapter that you can extends to create custom adapter for its need. Let’s assume the applications are like the following diagram:
[CLIENT - A ZF Application] [API - An Apigility Application]
| |
AuthController ZF\MvcAuth\Authentication\OAuth2Adapter
| |
| authenticateAction() |
| ------------------------------------> |
| identity json |
| <------------------------------------ |
On oauth result call, you may get the following result:
{
"access_token": "8e4b0e5ddc874a6f1500514ef530dbea3976ae77",
"expires_in": 3600,
"token_type": "Bearer",
"scope": null,
"refresh_token": "d19b79cd376924409c14ee46e5230617482fb169"
}
The ApigilityConsumer
ApigilityConsumer is a ZF2/ZF3 Apigility Client module (can also be used in ZF Expressive) to consume Apigility API Services.
You can install by run composer command:
composer require samsonasik/apigility-consumer
For full configurations and features, you can read at its README, for this post’s need, you can do something like this:
<?php
// config/autoload/apigility-consumer.local.php
return [
'apigility-consumer' => [
// your apigility host url
'api-host-url' => 'https://your.apigilty.api.host',
// your apigility oauth setting
'oauth' => [
'grant_type' => 'password',
'client_id' => 'your client id',
'client_secret' => 'your client secret',
],
],
];
and register the module into config/application.config.php or config/modules.config.php:
<?php
// config/application.config.php or config/modules.config.php
return [
'ApigilityConsumer', // <-- register here
'Application',
],
Create Adapter
You need to extends Zend\Authentication\Adapter\AbstractAdapter and implements Zend\Authentication\Adapter\AdapterInterface. So, You can have the class:
<?php
namespace Application\Adapter;
use ApigilityConsumer\Service\ClientAuthService;
use Zend\Authentication\Adapter\AbstractAdapter;
use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\Result;
class ApigilityAuthenticationAdapter
extends AbstractAdapter
implements AdapterInterface
{
/**
* @var ClientAuthService
*/
private $clientAuthService;
/**
* @param ClientAuthService $clientAuthService
*/
public function __construct(ClientAuthService $clientAuthService)
{
$this->clientAuthService = $clientAuthService;
}
/**
* @return Result
*/
public function authenticate()
{
$clientResult = $this->clientAuthService->callAPI(
[
// your oauth registered route segment in apigility.
'api-route-segment' => '/oauth',
'form-data' => [
'username' => $this->getIdentity(),
'password' => $this->getCredential(),
],
'form-request-method' => 'POST',
]
);
if (! $clientResult->success) {
return new Result(Result::FAILURE, null, $clientResult::$messages);
}
return new Result(RESULT::SUCCESS, $clientResult->data);
}
}
Your can now build a factory from it:
<?php
namespace Application\Adapter;
use ApigilityConsumer\Service\ClientAuthService;
class ApigilityAuthenticationAdapterFactory
{
public function __invoke($container)
{
return new ApigilityAuthenticationAdapter(
$container->get(ClientAuthService::class)
);
}
}
You can then register at service_manager:
<?php
// module/Application/config/module.config.php
namespace Application;
'service_manager' => [
'factories' => [
// ...
Adapter\ApigilityAuthenticationAdapter::class => Adapter\ApigilityAuthenticationAdapterFactory::class,
],
],
For ZF Expressive, you can register under ‘dependencies’ key.
Set Adapter into AuthenticationService
You need to set authentication service’s adapter with defined adapter above with factory:
<?php
namespace Application\Factory;
use Application\Adapter\ApigilityAuthenticationAdapter;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Storage\Session;
class AuthenticationServiceFactory
{
public function __invoke($container)
{
$adapter = $container->get(ApigilityAuthenticationAdapter::class);
return new AuthenticationService(
new Session(), // or your own storage implementing Zend\Authentication\Storage\StorageInterface
$adapter
);
}
}
You can then register also at service_manager:
<?php
// module/Application/config/module.config.php
namespace Application;
use Zend\Authentication\AuthenticationService;
'service_manager' => [
'factories' => [
// ...
AuthenticationService::class => Factory\AuthenticationServiceFactory::class,
],
],
For ZF Expressive, you can register under ‘dependencies’ key.
The AuthController::authenticate()
I assume that you already inject controler with login form, use “username” and “password” as field names, and fill the data, so, your AuthController::authenticate() can be like the following:
<?php
namespace Application\Controller;
use Application\Form\LoginForm;
use Zend\Authentication\AuthenticationService;
class AuthController
{
public function __construct(
AuthenticationService $authenticationService,
LoginForm $loginForm,
) { /* ...*/ }
public function authenticateAction()
{
/*
* check request and form validity here
*/
$formData = $this->loginForm->getData();
$this->authenticationService->getAdapter()
->setIdentity($formData['username'])
->setCredential($formData['password']);
$result = $this->authenticationService->authenticate();
if (!$result->isValid()) {
/**
* For security reason, you should not show user the reason of failure,
* However, if it actually needed for specific purpose, you can pull by call:
*
* $result->getMessages();
*
*/
return $this->redirect()->toRoute('/auth');
}
return $this->redirect()->toRoute('/account');
}
}
For ZF Expressive, you can create routed Authentication middleware.
That’s it, you’re now have successfully created a client authentication for your ZF2/ZF3 or ZF Expressive application that consume Apigility oauth.
Apigility: Create custom Authentication for Oauth2 with service delegators
Custom authentication in apigility is do-able with service delegators. We need to wrap ZF\MvcAuth\Authentication\DefaultAuthenticationListener::class in decorator. For example, we want to use ZF\OAuth2\Adapter\PdoAdapter but want to modify checkUserCredentials($username, $password) to include is_active check. Let’s do it!
- Setup Apigility Authentication with Oauth2
- With in assumption, we have the following config:
return [ // ... config/autoload/local.php 'zf-oauth2' => [ 'db' => [ 'driver' => 'PDO_Mysql', 'username' => 'root', 'password' => '', 'dsn' => 'mysql:host=localhost;dbname=app_oauth', ], ], // ... ];We can then modify
config/autoload/zf-mvc-auth-oauth2-override.global.phpas follows:// config/autoload/zf-mvc-auth-oauth2-override.global.php return [ 'service_manager' => [ 'factories' => [ 'ZF\OAuth2\Service\OAuth2Server' => 'Application\MvcAuth\NamedOAuth2ServerFactory', ], ], ]; - Define our own
NamedOAuth2ServerFactoryto use our ownOAuth2ServerFactoryforOAuth2\Serverinstance creationnamespace Application\MvcAuth; use Interop\Container\ContainerInterface; class NamedOAuth2ServerFactory { /** * @param ContainerInterface $container * * @return callable */ public function __invoke(ContainerInterface $container) { $config = $container->get('config'); $mvcAuthConfig = isset($config['zf-mvc-auth']['authentication']['adapters']) ? $config['zf-mvc-auth']['authentication']['adapters'] : []; $servers = (object) ['application' => null, 'api' => []]; return function ($type = null) use ( $mvcAuthConfig, $container, $servers ) { foreach ($mvcAuthConfig as $name => $adapterConfig) { if (!isset($adapterConfig['storage']['route'])) { // Not a zf-oauth2 config continue; } if ($type !== $adapterConfig['storage']['route']) { continue; } // Found! return $servers->api[$type] = OAuth2ServerFactory::factory( $adapterConfig['storage'], $container ); } }; } } - Create our
Application\MvcAuth\OAuth2ServerFactorybased on\ZF\MvcAuth\Factory\OAuth2ServerFactorynamespace Application\MvcAuth; use Interop\Container\ContainerInterface; use OAuth2\GrantType\AuthorizationCode; use OAuth2\GrantType\ClientCredentials; use OAuth2\GrantType\RefreshToken; use OAuth2\GrantType\UserCredentials; use OAuth2\GrantType\JwtBearer; use OAuth2\Server as OAuth2Server; final class OAuth2ServerFactory { private function __construct() { } public static function factory(array $config, ContainerInterface $container) { $allConfig = $container->get('config'); $oauth2Config = isset($allConfig['zf-oauth2']) ? $allConfig['zf-oauth2'] : []; $options = self::marshalOptions($oauth2Config); $oauth2Server = new OAuth2Server( $container->get(\ZF\OAuth2\Adapter\PdoAdapter::class), $options ); return self::injectGrantTypes($oauth2Server, $oauth2Config['grant_types'], $options); } private static function marshalOptions(array $config) { // same as \ZF\MvcAuth\Factory\OAuth2ServerFactory::marshalOptions() } private static function injectGrantTypes( OAuth2Server $server, array $availableGrantTypes, array $options ) { // same as \ZF\MvcAuth\Factory\OAuth2ServerFactory::injectGrantTypes() } } - As we want custom PdoAdapter, we need to map
\ZF\OAuth2\Adapter\PdoAdapter::classto ourPdoAdapter, for example:Application\MvcAuth\PdoAdapter:namespace Application\MvcAuth; use Zend\Crypt\Bcrypt; use ZF\OAuth2\Adapter\PdoAdapter as BasePdoAdapter; class PdoAdapter extends BasePdoAdapter { public function checkUserCredentials($username, $password) { $stmt = $this->db->prepare( 'SELECT * from oauth_users where username = :username and is_active = 1' ); $stmt->execute(compact('username')); $result = $stmt->fetch(); if ($result === false) { return false; } // bcrypt verify return $this->verifyHash($password, $result['password']); } } - For our
Application\MvcAuth\PdoAdapter, we need to define factory for it:namespace Application\MvcAuth; use Interop\Container\ContainerInterface; use ZF\OAuth2\Factory\PdoAdapterFactory as BasePdoAdapterFactory; class PdoAdapterFactory extends BasePdoAdapterFactory { public function __invoke(ContainerInterface $container) { $config = $container->get('config'); return new PdoAdapter([ 'dsn' => $config['zf-oauth2']['db']['dsn'], 'username' => $config['zf-oauth2']['db']['username'], 'password' => $config['zf-oauth2']['db']['password'], 'options' => [], ], []); } } - Register the adapter into service manager into
config/autoload/global.php// config/autoload/global.php return [ // ... 'service_manager' => [ 'factories' => [ \ZF\OAuth2\Adapter\PdoAdapter::class => \Application\MvcAuth\PdoAdapterFactory::class, ], ], // ... ]; -
Time to attach the
\ZF\OAuth2\Adapter\PdoAdapterinto our delegated serviceZF\MvcAuth\Authentication\DefaultAuthenticationListenervia delegator factorynamespace Application\MvcAuth; use Interop\Container\ContainerInterface; use OAuth2\Server as OAuth2Server; use Zend\ServiceManager\Factory\DelegatorFactoryInterface; use ZF\MvcAuth\Authentication\OAuth2Adapter; class AuthenticationListenerDelegatorFactory implements DelegatorFactoryInterface { public function __invoke( ContainerInterface $container, $name, callable $callback, array $options = null ) { $listener = call_user_func($callback); $listener->attach( new OAuth2Adapter( new Oauth2Server( $container->get(\ZF\OAuth2\Adapter\PdoAdapter::class), ['Bearer'] ) ) ); return $listener; } } -
Last one! Register our
AuthenticationListenerDelegatorFactoryinto service delegators:// config/autoload/global.php return [ // ... 'service_manager' => [ 'delegators' => [ \ZF\MvcAuth\Authentication\DefaultAuthenticationListener::class => [ \Application\MvcAuth\AuthenticationListenerDelegatorFactory::class ], ], ], // ... ];
Done 😉
Welcome to Abdul Malik Ikhsan's Blog 
8 comments