I have a Symfony 2.8 web app made like an API with FosUserBundle for users entities and Fosoauthserver for authentication.
My security.yml is this:
security:
encoders:
FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
ROLE_ADMIN: [ROLE_USER, ROLE_ALLOWED_TO_SWITCH]
ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
form_login:
provider: fos_userbundle
check_path: /oauth/v2/auth_login_check
login_path: /oauth/v2/auth_login
anonymous: true
api:
pattern: ^/v1
fos_oauth: true
stateless: true
switch_user_stateless: true
anonymous: false
access_control:
- { path: ^/v1/register, role: IS_AUTHENTICAIS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/v1/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/v1, role: IS_AUTHENTICATED_FULLY }
I can register an user and login, getting the access_token correctly, but when I try to access to any end point of my API I can access without login.
Even, if I set the right Access token in the headers, if I do $this->getUser() I get null because in any point my app is doing the authentication check.
Any idea? I made differente APIs and never I had this problem. Thanks!