README

Installation

This package does not have a Symfony Flex recipe yet; one is planned for a future release.

Step 1

Run composer require robert-kampas/symfony-graph-authenticator

Step 2

Add the line `SymfonyGraphAuthenticator\GraphAuth\GraphAuth::class => ['all' => true]` to the array in config/bundles.php.

Step 3

Create a graph_auth.yaml file in the config/packages/ folder and populate it with the bundle configuration. Refer to the Package Configuration section for the available parameters.

Step 4

Edit the security.yaml file in the config/packages/ folder. Add a new user provider, e.g.

```yaml
providers:
    microsoft_graph_provider:
        id: symfony_graph_auth.user_provider
```

and register a new firewall that uses it, e.g.

```yaml
firewalls:
    main:
        provider: microsoft_graph_provider
        guard:
            authenticators:
                - symfony_graph_auth.authenticator
```

You may also want to add the bundle's logout handler, which makes sure the user account is truly logged out (not only the local session):

```yaml
firewalls:
    main:
        logout:
            success_handler: symfony_graph_auth.logout_listener
```

Step 5

Extend your User entity from the SymfonyGraphAuthenticator\GraphAuth\Entity\AbstractUser abstract class. This class provides all user entity methods required by the bundle. You will then need to run `php bin/console doctrine:schema:update --force` to create the user table with all required columns.

User entity requirements:

- The user entity class must be called User and must be App\Entity\User (i.e. live in the App\Entity namespace).
- User accounts must be stored in the user table.

What's Next?

Once the bundle is set up, users can log in with their Microsoft account. Upon successful login the user account is created in the database and the user's token is stored in a session attribute called access_token. You can use microsoft/microsoft-graph (included with this bundle) to query Microsoft Graph. For example:

```php
<?php

use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;

// Read the token the bundle stored at login and attach it to a Graph client.
$graph = new Graph();
$graph->setAccessToken($session->get('access_token'));

// Fetch the signed-in user's profile, deserialised into the SDK's User model.
$user = $graph
    ->createRequest('GET', '/me')
    ->setReturnType(Model\User::class)
    ->execute();
```
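As an added example (not code from the bundle or its README), the same call wrapped in a Symfony controller action so that a missing or expired token is handled instead of leaking a raw error to the user. The controller class, the route names `app_profile` and `app_login`, the Twig template path, and the treatment of a Guzzle 401 response as "token expired" are assumptions of this example; the `access_token` session attribute and the `microsoft_graph_provider` firewall are the ones described above.

```php
<?php
// Added example, not part of the bundle. Assumes the bundle has stored the
// Graph token in the 'access_token' session attribute and that the route is
// protected by the microsoft_graph_provider firewall via access_control.

namespace App\Controller;

use GuzzleHttp\Exception\ClientException;
use Microsoft\Graph\Exception\GraphException;
use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ProfileController extends AbstractController
{
    /**
     * @Route("/profile", name="app_profile")
     */
    public function profile(Request $request): Response
    {
        $session = $request->getSession();

        // Never assume the token is present: the session may predate login or the
        // logout handler may already have cleared it. 'app_login' is an assumed route.
        $token = $session->get('access_token');
        if (!is_string($token) || $token === '') {
            return $this->redirectToRoute('app_login');
        }

        $graph = new Graph();
        $graph->setAccessToken($token);

        try {
            /** @var Model\User $me */
            $me = $graph->createRequest('GET', '/me')
                ->setReturnType(Model\User::class)
                ->execute();
        } catch (ClientException $e) {
            // Graph answers 401 when the token has expired or been revoked.
            // Discard the stale token and send the user through login again.
            if ($e->getResponse()->getStatusCode() === 401) {
                $session->remove('access_token');
                return $this->redirectToRoute('app_login');
            }
            throw $e;
        } catch (GraphException $e) {
            // SDK-level failure (e.g. malformed response). The message shown to the
            // user deliberately contains nothing from the request or the token.
            throw $this->createNotFoundException('Unable to load profile from Microsoft Graph.');
        }

        // Only the fields the page needs leave the controller; the access token
        // stays in the session and is never passed to the template.
        return $this->render('profile/index.html.twig', [
            'displayName' => $me->getDisplayName(),
            'mail'        => $me->getMail() ?? $me->getUserPrincipalName(),
        ]);
    }
}
```

Keeping the token out of templates, logs and exception messages is the main design choice here: the session attribute is the only place it should live, and a 401 from Graph is treated as a signal to re-authenticate rather than as an error to display.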

Package Configuration

Registering New Application

To obtain the application ID, secret and other configuration values you will need to register a new application in your Microsoft Azure account.

Log in to the Microsoft Azure portal, go to the App registrations page, click "New registration" and complete the new application registration.

You can find more information about registering new applications here.

Configuration Parameters

| Parameter Name | Required | Type | Default Value | Notes |
|---|---|---|---|---|
| application_id | Yes | string | n/a | Also referred to as client ID. The application ID that the Azure app registration portal assigned to your app. |
| application_secret | Yes | string | n/a | Can be found in the "Certificates & secrets" tab. |
| directory_id | Yes | string | n/a | Also referred to as tenant ID. The directory tenant that you want to request permission from. This can be in GUID or friendly name format. If you don't know which tenant the user belongs to and you want to let them sign in with any tenant, use common as the parameter value. |
| callback_uri | Yes | string | n/a | The redirect URI where you want the response to be sent for your app to handle. It must exactly match one of the redirect URIs that you registered in the "Authentication" tab. The controller handling this URI does not need any special code; it can be any valid URI in your application as long as it is protected by the microsoft_graph_provider firewall. |
| post_logout_redirect_uri | No | string | null | The URL that the user should be redirected to after successful sign out. If post_logout_redirect_uri is not included, the user is shown a generic message. However, Microsoft does not always redirect the user to the provided URL (even if it is correct); under some conditions Microsoft will just show the generic message and not redirect the user back. |
| scopes | No | array[string] | [] | Scopes are Microsoft Graph permission names. You can find a list of all available scopes here. |
| first_user_role | No | string | ROLE_SUPER_ADMIN | Role automatically assigned to the very first user in the database. |
| default_user_role | No | string | ROLE_USER | Role automatically assigned to every user who successfully logs in with a Microsoft account. |

Scopes

The scopes openid, offline_access, profile and user.read are required for the bundle to work, so they are automatically appended to the requested scopes array. You therefore do not have to list them in the scopes parameter, although adding them will not cause any errors.

Example Bundle Configuration File

```yaml
graph_auth:
    application_id: b8753c4-3f876-9863-88765-88634mk2df3
    application_secret: '2dd[nJ*//ewr00-pfdelL0872.oiw_T'
    directory_id: d8763h-3552-9870a-b38a-ee987388j
    callback_uri: https://my-application.com
    post_logout_redirect_uri: https://my-application.com/login
    scopes:
        - calendars.read
    first_user_role: ROLE_DEVELOPER
    default_user_role: NO_ACCESS
```

Example Security Configuration File

```yaml
security:
    role_hierarchy:
        ROLE_DEVELOPER: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        ROLE_ADMIN: [ROLE_USER]
        ROLE_USER: []
    providers:
        microsoft_graph_provider:
            id: symfony_graph_auth.user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: microsoft_graph_provider
            anonymous: true
            switch_user: true
            pattern: ^/
            logout:
                path: /logout
                invalidate_session: true
                success_handler: symfony_graph_auth.logout_listener
            guard:
                authenticators:
                    - symfony_graph_auth.authenticator
    access_control:
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_USER }
```

Example User Entity File