We Keep Coding

Symfony, security.yaml : using both form and token authentication for same uri

My Symfony 5 app provides:
api endpoints like api/entry/get/1 (secured with oauth2)
admin pages like users/list (secured with database user provider)
For this purpose, my security.yaml uses two firewalls:
firewalls:
api:
pattern: ^/api(?!/doc$)
security: true
stateless: true
oauth2: true
main:
lazy: true
provider: app_user_provider
form_login:
login_path: app_login
check_path: app_login
enable_csrf: true
default_target_path: app_index
use_referer: true
logout:
path: app_logout
target: app_index
Is this possible to also access api endpoints like api/entry/get/1 when connected as an admin (ie not with a token but through regular form login with credentials) ?
This would make using a swagger sandbox much easier.

Is this possible to also access api endpoints like api/entry/get/1 when connected as an admin (ie not with a token but through regular form login with credentials) ?
I'd say in your current configuration, the answer is no.
Since you api firewall is sateless: true there's only one way to tell symfony that request should be considered as authenticated. The presence of Bearer token (it's probably a JWT) in each request. Without a valid token, all request to /api would be considered as unauthorized
In other words: symfony just do not check session/cookies for possible (previously) logged in (admin) user to allow/deny access for all /api routes.
Unfortunately, I hadn't an opportunity to work with OAuth2ServerBundle. So maybe there's a configuration for that.
BUT:
Try to play around with staless and context
about stateless
about context
However, RESTful APIs are stateless by design, it's not just a fancy buzzword.
There is also a way to add "Authorize" button to your swagger doc/playgroung so anyone who has access to swaggerUI, could paste a valid auth-token (JWT) and all further request from swaggerUI would be authorized. See Swagger and JWT Token Authentication
I also had a wonderful experience with Insomnia http-client especially when I need to test/play with my apis.
It has great OAuth v.2 support. Free tier is more than enough for local development / quick testing. Just specify your token path, select GrantType as "Resource Owner" paste username/password of your admin user and insomnia will handle the rest automagically each time you hit a protected /api/entry/get/1

Portainer CE with OAuth2 using Azure AD

I would like to ask how to properly setup the authentication for Portainer CE v2.9.3 using OAuth2 with Azure AD.
The following fields in the Custom OAuth2 UI needs to be filled:
Client ID
Client secret
Authorization URL
Access token URL
Resource URL
Redirect URL
Logout URL
User identifier
Scopes
Currently, I use the following values:
Client ID: <tentant id>
Client secret: <created secret for the app in Azure AD>
Authorization URL: https://login.microsoftonline.com/``/oauth2/v2.0/authorize
Access token URL: https://login.microsoftonline.com/``/oauth2/v2.0/token
Resource URL: https://graph.microsoft.com/oidc/userinfo
Redirect URL: <our internal URL for the Portainer deployment>
Logout URL: <our internal URL for the Portainer deployment>
User identifier: email
Scopes: <Application ID URI>
When using these values, I get the following error:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": <some date>,
"request-id": <some request id>,
"client-request-id": <some client request id>
}
}
}
I need to use Portainer CE with the Customer OAuth Provider.
Thank you for any usefull advice.

Possible causes of Audience invalid error and workarounds
Client ID must be either the ApplicationId or ApplicationIdUri
depending on the app configuration.(not tenant Id)
Note :first try clientId:<Application Id> and if that is giving the
same error , change clientId to ApplicationIdUri i.e; clientId:api://<Application Id>
Scope is something that you see under add a scope blade .
When you click on add a scope ,you can mention any permission and it appears as a scope like below:
This scope must be in scopes value
Make sure to grant admin consent if required if app registration has permissions.
Example:
Another is the end point from which you are getting the token maybe different . Try to decode access token in https://jwt.io and see “ISS” value has v2 endpoint .If it has V2 endpoint,
in azure Active directory, Go to Manifest and change “accessTokenAcceptedVersion”:2 .Also check that Audience value i.e; “AUD” must match the client Id .The audience invalid occurs if they doesn’t match.
Reference

Using basic authentication with the gate service

I'm trying to integrate an automated tool with spinnaker through the gate API. Right now I have oauth2 enabled for the regular UI flow and am looking how to setup basic auth for my tool.
I couldn't find on the docs how or if this is possible at all. I've also tried reusing a session token but it doesn't work as the cookie can be reset when spinnaker redeploys.

You can enable basic authentication by changing the file .hal/<deployment-name>/profiles/gate-local.yml:
security:
basicform:
enabled: true
user:
name: <username you want>
password: <password you want>
and the file .hal/<deployment-name>/profiles/settings-local.js:
window.spinnakerSettings.authEnabled = true;

hosted login page with AUTH0 V9 API not working

I am using AUTH0 V9 API to host the login page on my website and use API to login user via AUTH0. I am using https://auth0.com/docs/libraries/auth0js document as a reference. I installed the auth0-js npm package via the following command
npm install auth0-js
Then initialized the AUTH0 via the following code
<script type="text/javascript">
var webAuth = new auth0.WebAuth({
domain: 'YOUR_DOMAIN',
clientID: 'YOUR_CLIENT_ID'
redirectUri: "http://localhost:3000/login",
responseType: "code",
responseMode: "form_post",
scope: "openid profile email",
});
</script>
Then I using login() method as following
webAuth.login({
realm: 'tests',
username: 'testuser',
password: 'testpass',
});
But this above login code is not working. It's redirecting me to some other URL and not to "http://localhost:3000/login" which I provided while initializing AUTH0 object.
This method also has a reference to "Custom Domain". Do I need to purchase AUTH0 subscription for managing V9 API or I am doing something wrong that's why I am getting the wrong redirect. Please help.
========
Some strange thing I discovered that the same code is working with my personal account but not with my client's business account.

The same code mentioned above worked with my personal account but not with my client's business account and the problem was that client had set up custom error pages in the tenant settings. Whosoever is working with custom login, please check out two things.
Your callback URL is exactly what you are mentioning in your custom login code via AUTH0 V9.
Custom error pages are off in the tenant settings. "Tenant settings -> General Pages -> Error".

No auth token on service query even after success login

I have a setup of nuxtjs ssr using vuex featherjs recommended example, feathersjs as the api.
Authentication using JWT & Local strategy works, I receive the access token
but querying user service using nuxtjs gives me an error.
ERROR NotAuthenticated
{type: "FeathersError", name: "NotAuthenticated", message: "No auth token", code: 401, className: "not-authenticated", …}
Querying using postman works but querying using nuxtjs returns the message No auth token.
I have already opened a ticket on github repo.