Symfony api平台忽略jwt令牌
我正在使用 jwt (LexikJWTAuthenticationBundle) 创建 symfony api (api 平台)
登录效果很好。我将其添加到 security.yaml
login:
pattern: ^/api/login
stateless: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
服务器返回我令牌。但是,当我创建安全源(如“
- { path: ^/api/notes, roles: IS_AUTHENTICATED_FULLY }
并使用带有授权的令牌发送请求”(如
Bearer --token--
“服务器”)时,忽略它并返回 “访问此资源需要完全身份验证。”
我怎样才能识别出了什么问题?我花了5个小时,但我不知道我能做什么。
我使用 symfony server:start 运行服务器
当我创建测试控制器时,
#[Route('/test', name: 'test')]
public function index(Request $request): Response
{
$auth = $request->headers->get("Authorization");
return new Response("Authorization: ". "'".$auth."'");
}
它可以工作,服务器打印我的令牌
Authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJh.....'
Iam creating symfony api (api platform) with jwt (LexikJWTAuthenticationBundle)
Login works great. I added this into security.yaml
login:
pattern: ^/api/login
stateless: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
Server return me token. But when I create secure source like
- { path: ^/api/notes, roles: IS_AUTHENTICATED_FULLY }
And send request with token with authorization like
Bearer --token--
Server ignore it and return
"Full authentication is required to access this resource."
How can i recognize whats wrong? I spent 5 hours with it, but I dont know, what I can do.
I Run server with symfony server:start
When I created test controller like
#[Route('/test', name: 'test')]
public function index(Request $request): Response
{
$auth = $request->headers->get("Authorization");
return new Response("Authorization: ". "'".$auth."'");
}
It works, server print me token
Authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJh.....'
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我认为你缺少一些配置。您仅配置了 json_login 选项,以便 Lexik 包现在负责处理用户登录并发出 JWT。默认情况下,API 平台仍将基于基于会话的 cookie 来验证请求,而不是通过 Authorization 标头。您必须告诉 API 平台根据您的 JWT 对请求进行身份验证。
我相信将其添加到您的
security.yml中应该足够了,但我还没有检查这一点:(删除
pattern,更改login 到json_login并添加jwt: ~)请查看此文档:https://api-platform.com/docs/core/jwt/ 其中展示了如何使用 JWT 保护 API 平台。
I think you're missing some configuration. You only configured the json_login options, so that the Lexik bundle is now responsible for handling the logging in of your users and issuing JWTs. By default, API platform will still authenticate requests based on session-based cookies, not through the Authorization header. You have to tell API Platform to authenticate requests based on your JWTs.
I believe that it should be enough to add this to your
security.yml, but I haven't checked this:(drop the
pattern, changelogintojson_loginand addjwt: ~)Have a look at this documentation: https://api-platform.com/docs/core/jwt/ where it shows how to secure the API platform with JWTs.
我遇到了同样的问题 Sylius 的 API Platform 和第二个 GraphQL API
/api/v2/graphql(除了 Api 平台 REST API/api/v2)。在 Symfony 分析器中,graphQL 请求的安全部分被禁用。
graphql 端点需要自己的防火墙:
在
security.yaml中I had the same issue API Platform by Sylius and a second GraphQL API
/api/v2/graphql(in addition to the Api platform REST API/api/v2).In the Symfony profiler the security section was disabled for graphQL requests.
The graphql endpoint needs its own firewall :
In
security.yaml