@@ -21,14 +21,8 @@ this is not yet the case.
21211) Configure the Access Token Authenticator
2222~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2323
24- The access token authenticator can be configured using three different options:
25-
26- * ``header_token ``: the token is sent through the request header. Usually ``Authorization `` with the ``Bearer `` scheme.
27- * ``query_token ``: the token is part of the query string. Usually ``access_token ``.
28- * ``body_token ``: the token is part of the request body during a POST request. Usually ``access_token ``.
29-
30- You must configure a ``token_handler `` when enabling this authenticator.
31- The token handler is a service that is able to load and verify the token (e.g. expiration, digital signature...)
24+ To use the access token authenticator, you must configure a ``token_handler ``.
25+ The token handler is a service that is able to load and verify the access token (e.g. expiration, digital signature...)
3226and return the associated user identifier.
3327
3428.. configuration-block ::
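Review bot: removing the ``header_token`` / ``query_token`` / ``body_token`` list (-24 to -28) leaves the ``header_token:`` key in the YAML example that follows (+36) unexplained; nothing in the remaining text says this is the firewall key that enables the authenticator, nor that the header/query/body choice has moved elsewhere. Suggest keeping one sentence in its place, e.g. "The authenticator is enabled under the ``header_token`` key of the firewall; you must configure a ``token_handler`` for it.", so the config block is readable on its own. The rest of the hunk (+24/+25, "access token" instead of "token") reads fine.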
@@ -42,16 +36,10 @@ and return the associated user identifier.
4236 header_token :
4337 token_handler : App\Security\AccessTokenHandler
4438
45- 2) Create your Access Token Handler
46- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
47-
48- Now that the authenticator is able to check the access tokens, you must
49- create your access token handler.
50-
5139 This handler shall implement the interface
5240:class: `Symfony\\ Component\\ Security\\ Http\\ Authenticator\\ AccessTokenHandlerInterface `.
5341In the following example, the handler will retrieve the token from a database
54- using a fictive Doctrine repository.
42+ using a fictive repository.
5543
5644.. configuration-block ::
5745
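Review bot: dropping the "2) Create your Access Token Handler" heading and its two-line lead (-45 to -49) leaves "1) Configure the Access Token Authenticator" as a lone numbered step and makes "This handler shall implement the interface ..." (+39) follow the configuration block with no transition. Either drop the "1)" prefix as well or keep a one-line bridge such as "The ``token_handler`` referenced above must implement the interface ...". The wording change to "fictive repository" (+42) is fine, but check that the example code that follows this hunk no longer refers to Doctrine types, otherwise the text and the code disagree.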
@@ -101,13 +89,54 @@ where participating browsers do not have access to the "Authorization" request h
10189
10290In other words: ``query_token `` and ``body_token` authenticators are not recommended.
10391
104- Customizing the Authenticators
105- ------------------------------
92+ Customizing the Authenticator
93+ -----------------------------
94+
95+ 1) Access Token Extractors
96+
97+ By default, the access token is read from the request header parameter ``Authorization `` with the scheme `Bearer``.
98+ You can change the behavior and send the access token through different ways.
99+
100+ This authenticator provides services able to extract the access token as per the RFC6750:
101+
102+ - ``security.access_token_extractor.header ``: the token is sent through the request header. Usually ``Authorization `` with the ``Bearer `` scheme.
103+ - ``security.access_token_extractor.query_string ``: the token is part of the query string. Usually ``access_token ``.
104+ - ``security.access_token_extractor.request_body ``: the token is part of the request body during a POST request. Usually ``access_token ``.
105+
106+ You can also create a custom extractor. The class shall implement the interface
107+ :class: `Symfony\\ Component\\ Security\\ Http\\ Authenticator\\ AccessToken\\ AccessTokenExtractorInterface `.
108+
109+ .. configuration-block ::
110+
111+ .. code-block :: yaml
112+
113+ # config/packages/security.yaml
114+ security :
115+ firewalls :
116+ main :
117+ header_token :
118+ token_handler : App\Security\AccessTokenHandler
119+ token_extractors : ' my_custom_access_token_extractor'
120+
121+ It is possible to set multiple extractors.
122+ In this case, the order is important: the first in the list is called first.
106123
124+ .. configuration-block ::
107125
126+ .. code-block :: yaml
127+
128+ # config/packages/security.yaml
129+ security :
130+ firewalls :
131+ main :
132+ header_token :
133+ token_handler : App\Security\AccessTokenHandler
134+ token_extractors :
135+ - ' security.access_token_extractor.header'
136+ - ' security.access_token_extractor.request_body'
137+ - ' security.access_token_extractor.query_string'
108138
109- Customizing the Success Handler
110- -------------------------------
139+ 2) Customizing the Success Handler
111140
112141Sometimes, the default success handling does not fit your use-case (e.g.
113142when you need to generate and return additional response header parameters).
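Review bot: the new section has markup that breaks the RST rendering: +97 opens the literal with one backtick and closes it with two (`Bearer``), so it should read ``Bearer``; and the titles "1) Access Token Extractors" (+95) and "2) Customizing the Success Handler" (+139) have no underline, so they render as plain paragraphs instead of the ~~~~ subsections used elsewhere on this page (the old underline at -110 is dropped without replacement). Two content points as well. First, the multi-extractor example (+134 to +136) enables ``request_body`` and ``query_string`` immediately after the unchanged text at line 90 says those mechanisms are not recommended; add a caveat that the header extractor should stay first and that the body/query extractors exist only for clients that cannot set the ``Authorization`` header, or show header plus the custom extractor instead. Second, +121/+122 says "the first in the list is called first" but not what happens when more than one extractor yields a token (is the first non-null result used, or are the others still consulted?); document that, since it decides which token is authenticated when a request carries several. Minor: +119 should say the value is a service id and that a custom extractor class must be registered as a service (the built-in ids at +102 to +104 are ``security.access_token_extractor.*``), and "RFC6750" (+100) should be "RFC 6750".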