認証認可の関連仕様について

[nanasess]

以下の3点を分けて考える必要がある

• SPA のログイン(認証)
• ログイン後の GraphQL による個人情報取得、更新(ログインしたユーザーに認可されたAPIを使用する)
• セッションの永続化

課題

• ステートレスセッション or ステートフルセッション
  • サーバーサイドでの強制ログアウトが必要か？
  • https://www.docswell.com/s/ockeghem/ZM6VNK-phpconf2021-spa-security#p79
• JWT の形式(JWS, JWK を使用する？)
  • JWS - 署名付きの JWT。改竄検知
  • JWK - 公開鍵を公開するための形式
    • https://www.googleapis.com/oauth2/v3/certs
• トークンの受け渡し方法
  • Authorization ヘッダ？ Cookie?
• 認証/認可関連の API
  • OAuth2.0/OpenID Connect の API は RESTful 形式
  • Salesforce の例
    • https://qiita.com/syunyama/items/89b204486ace9fd10440
    • 認証自体は Basic authentication
    • APIプラグインで使用している league/oauth2-server は client_secret 必須らしい。grant を拡張する必要があるかも
      • https://oauth2.thephpleague.com/authorization-server/resource-owner-password-credentials-grant/
      • Password grant for SPA's thephpleague/oauth2-server#889
        • --public オプションで client_secret 不要になる模様
        • https://github.com/thephpleague/oauth2-server-bundle/blob/552d8eee9faf46435408e6fc94e353c198095756/docs/basic-setup.md?plain=1#L27
  • Shopify は事例自体が少ない模様
    • https://www.non-standardworld.co.jp/23823/
  • Sylius は ID/Password を POST すると Bearer token が返ってくる(ステートフル)
    • https://github.com/Sylius/ShopApiPlugin/blob/1170f965f3f7cf1d6ef9d08816b47bcafa450f01/doc/swagger.yml#L1696-L1711

参考サイト

• JWTデバッガー(便利) https://jwt.io/
• 徳丸先生の SPA で JWT を使う話(一番よくまとまってる) https://www.docswell.com/s/ockeghem/ZM6VNK-phpconf2021-spa-security
• トークンベースの認証とは？ 仕様とJWTのメリット、デメリット https://www.okta.com/jp/identity-101/what-is-token-based-authentication/
• JWK(公開鍵のエンコード方式) https://openid-foundation-japan.github.io/rfc7517.ja.html
• OpenID Connect https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html

[nanasess]

API プラグインに以下のパッチを適用することで、 Resource owner password credentials grant でアクセストークンを取得可能なのを確認。ただし client_secret は必須の模様

diff --git a/Controller/Admin/OAuthController.php b/Controller/Admin/OAuthController.php
index ab49663..0234969 100644
--- a/Controller/Admin/OAuthController.php
+++ b/Controller/Admin/OAuthController.php
@@ -17,7 +17,7 @@ use Eccube\Controller\AbstractController;
 use Exception;
 use Plugin\Api42\Form\Type\Admin\ClientType;
 use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;
-use Symfony\Component\Form\FormInterface;
+use Eccube\Form\Form;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Annotation\Route;
@@ -108,7 +108,7 @@ class OAuthController extends AbstractController
             $secret = $form->get('secret')->getData();

             try {
-                $client = new Client($name, $identifier, $secret);
+                $client = new Client($name, $identifier, null);
                 $client = $this->updateClientFromForm($client, $form);

                 $this->clientManager->save($client);
@@ -193,11 +193,11 @@ class OAuthController extends AbstractController

     /**
      * @param Client $client
-     * @param FormInterface $form
+     * @param Form $form
      *
      * @return Client
      */
-    private function updateClientFromForm(Client $client, FormInterface $form): Client
+    private function updateClientFromForm(Client $client, Form $form): Client
     {
         $client->setActive(true);

@@ -209,16 +209,21 @@ class OAuthController extends AbstractController
         );
         $client->setRedirectUris(...$redirectUris);

-        $grants = array_map(
-            function (string $grant): Grant {
-                return new Grant($grant);
-            },
-            $form->get('grants')->getData()
-        );
+        // $grants = array_map(
+        //     function (string $grant): Grant {
+        //         return new Grant($grant);
+        //     },
+        //     $form->get('grants')->getData()
+        // );
         // authorization code grant が選択されていた場合には refresh token grant も付与
-        if (in_array(OAuth2Grants::AUTHORIZATION_CODE, $grants)) {
-            array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
-        }
+        // if (in_array(OAuth2Grants::AUTHORIZATION_CODE, $grants)) {
+        //     array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
+        // }
+        $grants = [
+            new Grant(OAuth2Grants::PASSWORD),
+            new Grant(OAuth2Grants::REFRESH_TOKEN)
+        ];
+        array_push($grants, new Grant(OAuth2Grants::REFRESH_TOKEN));
         $client->setGrants(...$grants);

         $scopes = array_map(
diff --git a/Resource/config/services.yaml b/Resource/config/services.yaml
index a562b9b..33363a1 100644
--- a/Resource/config/services.yaml
+++ b/Resource/config/services.yaml
@@ -17,7 +17,7 @@ league_oauth2_server:
         enable_client_credentials_grant: false

       # Whether to enable the password grant
-        enable_password_grant: false
+        enable_password_grant: true

       # Whether to enable the refresh token grant
         enable_refresh_token_grant: true
@@ -41,7 +41,7 @@ league_oauth2_server:
 services:
     Plugin\Api42\EventListener\UserResolveListener:
         arguments:
-            - '@Eccube\Security\Core\User\MemberProvider'
+            - '@Eccube\Security\Core\User\CustomerProvider'
             - '@Eccube\Security\Core\User\UserPasswordHasher'
         tags:
             - { name: kernel.event_listener, event: league.oauth2_server.event.user_resolve, method: onUserResolve }

curl  --request POST 'http://localhost:8080/token' \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=password' \
 --data-urlencode 'client_id=5505f99fec016090ffec3145968d13b5' \
 --data-urlencode 'scope=read write' \
 --data-urlencode '[email protected]' \
 --data-urlencode 'password=password' -v | jq
Note: Unnecessary use of -X or --request, POST is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /token HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.0.1
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 150
>
} [150 bytes data]
< HTTP/1.1 200 OK
< Date: Mon, 24 Jul 2023 00:21:19 GMT
< Server: Apache/2.4.56 (Debian)
< X-Frame-Options: SAMEORIGIN
< X-Powered-By: PHP/8.1.19
< pragma: no-cache
< Cache-Control: max-age=0, must-revalidate, no-store, private
< X-Debug-Token: e6c84a
< X-Debug-Token-Link: http://localhost:8080/_profiler/e6c84a
< X-Robots-Tag: noindex
< Expires: Mon, 24 Jul 2023 00:21:19 GMT
< Set-Cookie: maintenance_token=deleted; expires=Sun, 24-Jul-2022 00:21:18 GMT; Max-Age=0; path=/; httponly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=UTF-8
<
{ [2058 bytes data]
100  2201    0  2051  100   150   3743    273 --:--:-- --:--:-- --:--:--  4023
* Connection #0 to host localhost left intact
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI1NTA1Zjk5ZmVjMDE2MDkwZmZlYzMxNDU5NjhkMTNiNSIsImp0aSI6ImNlMTkyZTM0YTZlOGNjNmU5NDQwYTU3YjNiM2JhMDhkNzRlYWEyN2Y2N2Y0YTMxZjM4YzhhZjE4NzAwNzA1MWFmNDNlNGUzYjhlZGJjOGI3IiwiaWF0IjoxNjkwMTU4MDc5LjgwMTgzNiwibmJmIjoxNjkwMTU4MDc5LjgwMTgzNywiZXhwIjoxNjkwMTYxNjc5Ljc5NDM1Mywic3ViIjoiMTY4OTgyMjEyMC41NjE5LnNhc2FraS5uYW5hbWlAZXhhbXBsZS5uZXQiLCJzY29wZXMiOlsicmVhZCIsIndyaXRlIl19.ZmDgrZtVkcLv9Ko9YQlfqG-TTgL1nyypZXtIct_hUQcSJ1Cr2ayYs9Fs9noEPscf-y3m8CX7nxsFNknD5gB8AKndEt2tQu-rSo6zoh3cjOjG56uP6IA_U5mkTIuTz8PL47vwEqo46u2KWhhU_4AQZ8P4D_-jJEgbf8NRH9XOSvnL2myAs1D6XYuOWdhst6rD7KZUJGoa2E4XgaEBwCu6yIM83iI0yIOGFEeNJ1Oihywrm4MhG9DfhQqfamJbNjnMHmIVivPMwurSllimKee7ENQ-tnDS4zi_BwafH4lW_3oA6paILOBZ0WAIEvOCEcdeZ6BwIUr5Db269GYDETHDLUcmqOxTiYAknqh-6-t5uRaAMNo64wQ1A4u843kuFyLjA2COqTjAD37Irm6t-da8nYFGtKZQFJwIMNEFEnRMR-eevP80Xq5pQBfdVT2HoW8Ayie8-jVsRIOSRPjNOc0slO0x12zRD_7Ua_X7kE8uKKHtPJFQ3fs-uLThA2yqJ3CGk_Ni7jhA8FaABR_OWqBfmkzw2Syg-hJxs9J1bOsg8M6EyNusXQZd9-SzEIJITEaeuYZJOsp6meY1MgLBjo03HBOarLRlI2jwsdHnCfI_Y5JCBv-EIQVBhz9L2oMLQglHu08aS7FJ8bzOVFhSoazO36R5rMGMZ-lHiWJR-Alpsfc",
  "refresh_token": "def5020056662e9b06562766cdd857f4c74c72f7f325542ae74802ad89285fd160a7401b5d9ff566f5b863f5bf61124caf2eecf13099e8faf3501971a663fc6e6f80f8c579e8c2f1f69bd760cdda9755bbf80b61b4269acc44ee499b7adb2e6343c08355be202ece96c58040b84021ed3ceb23b2e6ebe9a9d731eeb57fe9229b288b5b88dc2e7380962a3570fc52fc8d1fd2db55749e423056865f6945fb47bcbfb95911da53bebd030218213d048d387c46666e806f66b3170cb84b502b80d560eb9d8c955f38918cb87e44eb6c77ebd964f219bae2d914fa07d322a4b89f208960883f4e6107157b57697beb80f12b5c4be0d715af5d5a718dcb649cbf20272982d6226e5609a16b3b574defe04a7a505fc260d5d9aaff5e4a1a6db552a69efdc10a36fe6b6f2db433aa536892fdd11002c1d9c387cb73dc7223b1236edb26ffe4fce020a3a016648bf0138e9e42e6bbc4b680a81db7232e8ce0c91260c3e5a83dae9e0a49d819435ae361615b5d936d151ceb5e6ba0f68f488365abacfbaa554f08c6b1e1ab661ad170ed3f59a1ed0f11c2cb7f9e71d6ce414b679887c398b99481aba4e12fa17d1cb5e07a9518365cb5bc17adf50195"
}

[nanasess]

password grant は使うなという話
https://zenn.dev/ritou/articles/f88cbb888cb5c9142e74
https://ritou.hatenablog.com/entry/2019/03/03/023431