I'm working on a Symfony 2.7 project that has both a web login interface and OAuth authentication for the API. I use FOSUserBundle as the authentication provider and FOSOAuthServerBundle to provide the OAuth functionality.
I'm following the guide linked in this post for the implementation of OAuth with FOSOAuthServerBundle: FOSOAuthServerBundle with FOSUserBundle - How to make it works?
I think I'm almost there, but a security problem is blocking me. I have the firewalls set up in the following way in my security.yml:
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                #default_target_path: app_website_index
            anonymous: true
            logout:
                path: fos_user_security_logout
                #target: index
                target: fos_user_security_login
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            # Add your favorite authentication process here
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                #default_target_path: app_website_index
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
            anonymous: false # can be omitted as its default value
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
The problem is that the API and the OAuth firewalls are under the main ^/ one, so it redirects me to the login page when I try to access localhost:8000/api/articles without being logged in, instead of giving me the OAuth authentication error:
{"error":"access_denied","error_description":"OAuth2 authentication required"}
For example.
Or, once I've got the access token, when I try to access resources like:
http://localhost:8000/app.php/api/article/?access_token=THISISMYACCESSTOKEN
I get the fos_login page instead of the resources.
If I modify the main firewall to ^/secured/ everything works fine, but I get problems with the web authentication.
All the controllers of my application are under the /secured/ path, so changing the main firewall is not a problem, but if I leave the ^/ pattern unprotected by the firewall I get several errors from FOSUserBundle. Should I create a specific firewall for the login/login_check/logout operations and put the main firewall on /secured/, or is there another way to exclude the OAuth & API firewalls from the main firewall?
Pretty old question but I guess it was due to this line:
No matter what you call with "http://localhost:8000/app.php/api/...", you will be redirected to the login page.
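The reordering the answer points at, as an added example that is not part of the question or the answer: Symfony evaluates firewalls in the order they are declared and uses the first whose pattern matches the request, so a catch-all ^/ firewall declared first shadows every firewall after it. The settings below are the ones from the question, only reordered, with the `security:` root key assumed.

```yaml
# security.yml: firewalls are matched top to bottom, first match wins.
# With the catch-all "main" (^/) declared first, /oauth/v2/* and /api
# are always handled by main's form_login and redirected to the login page.
# Fix: declare the narrow firewalls first and the catch-all last.
security:
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager
                login_path: fos_user_security_login
                check_path: fos_user_security_check
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
            anonymous: false   # unauthenticated /api requests get the OAuth2 error, not a redirect
        main:                  # catch-all goes last
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager
                login_path: fos_user_security_login
                check_path: fos_user_security_check
            logout:
                path: fos_user_security_logout
                target: fos_user_security_login
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/api, roles: [ IS_AUTHENTICATED_FULLY ] }
```

With this order an unauthenticated request to /api/articles is answered by the api firewall with the access_denied JSON body quoted in the question instead of a redirect to the login form, and the main firewall can keep its ^/ pattern for the FOSUserBundle routes.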