home/torsearch
1
0
Fork 0
Code Issues 22 Pull Requests 1 Actions 3 Packages Projects 4 Releases Wiki Activity

fix: creates new users on demand from idp

Browse Source
This commit is contained in:
brock
2025-07-11 15:40:19 -05:00
parent b74b563c56
commit 2fae99e24b
4 changed files with 6 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/packages/security.yaml
View File

@@ -31,6 +31,7 @@ security:
oidc:
login_path: '/login/oidc'
check_path: '/login/oidc/auth'
enable_end_session_listener: true
entry_point: form_login
# activate different ways to authenticate

61
config/security.yaml
View File

@@ -1,61 +0,0 @@
security:
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
users_in_memory: { memory: null }
app_local:
entity:
class: App\User\Framework\Entity\User
property: email
app_ldap:
id: App\User\Framework\Security\LdapUserProvider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
lazy: true
provider: app_ldap
entry_point: form_login_ldap
form_login_ldap:
login_path: app_login
check_path: app_login
enable_csrf: true
service: Symfony\Component\Ldap\Ldap
dn_string: '%env(LDAP_DN_STRING)%'
form_login:
login_path: app_login
check_path: app_login
enable_csrf: true
logout:
path: app_logout
# activate different ways to authenticate
# https://symfony.com/doc/current/security.html#the-firewall
# https://symfony.com/doc/current/security/impersonating_user.html
# switch_user: true
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/reset-password, roles: PUBLIC_ACCESS }
- { path: ^/login, roles: PUBLIC_ACCESS }
- { path: ^/, roles: ROLE_USER } # Or ROLE_ADMIN, ROLE_SUPER_ADMIN,
when@test:
security:
password_hashers:
# By default, password hashers are resource intensive and take time. This is
# important to generate secure password hashes. In tests however, secure hashes
# are not important, waste resources and increase test times. The following
# reduces the work factor to the lowest possible values.
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: auto
cost: 4 # Lowest possible value for bcrypt
time_cost: 3 # Lowest possible value for argon
memory_cost: 10 # Lowest possible value for argon

2
src/User/Framework/Controller/Web/LoginOidcController.php
View File

@@ -25,7 +25,7 @@ class LoginOidcController extends AbstractController
}
// Redirect to authorization @ OIDC provider
return $oidcClient->generateAuthorizationRedirect();
return $oidcClient->generateAuthorizationRedirect(scopes: ['openid', 'profile']);
}
#[Route('/login/oidc/auth', name: 'app_login_oidc_auth')]

6
src/User/Framework/Security/OidcUserProvider.php
View File

@@ -8,6 +8,7 @@ use Drenso\OidcBundle\Exception\OidcException;
use Drenso\OidcBundle\Model\OidcTokens;
use Drenso\OidcBundle\Model\OidcUserData;
use Drenso\OidcBundle\Security\UserProvider\OidcUserProviderInterface;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\OidcUser;
@@ -25,8 +26,9 @@ class OidcUserProvider implements OidcUserProviderInterface
if (null === $user) {
$user = new User()
->setEmail($userData->getEmail())
->setName($userData->getFullName())
->setEmail(!empty($userData->getEmail()) ? $userData->getEmail() : $userData->getSub())
->setName(!empty($userData->getFullName()) ? $userData->getFullName() : $userData->getGivenName())
->setPassword('n/a')
;
$this->userRepository->getEntityManager()->persist($user);
$this->userRepository->getEntityManager()->flush();