Prevent empty userIdentifier

ajgarlag · ajgarlag · commit dc89d463985f · 2025-10-15T12:48:18.000+02:00
diff --git a/src/Security/Authenticator/OAuth2Authenticator.php b/src/Security/Authenticator/OAuth2Authenticator.php
@@ -16,6 +16,8 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface;
+use Symfony\Component\Security\Core\User\ChainUserProvider;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
@@ -70,6 +72,14 @@ public function authenticate(Request $request): Passport
 
         /** @var string $userIdentifier */
         $userIdentifier = $psr7Request->getAttribute('oauth_user_id', '');
+        if ('' === $userIdentifier) {
+            /**
+             * BC layer for Symfony < 8.0
+             */
+            if (is_a(ChainUserProvider::class, AttributesBasedUserProviderInterface::class, true)) {
+                throw OAuth2AuthenticationFailedException::create('The access token has either an empty or missing "oauth_user_id" attribute.');
+            }
+        }
 
         /** @var string $accessTokenId */
         $accessTokenId = $psr7Request->getAttribute('oauth_access_token_id');
@@ -81,7 +91,10 @@ public function authenticate(Request $request): Passport
         $oauthClientId = $psr7Request->getAttribute('oauth_client_id', '');
 
         $userLoader = function (string $userIdentifier) use ($oauthClientId): UserInterface {
-            if ('' === $userIdentifier || $oauthClientId === $userIdentifier) {
+            if (
+                $oauthClientId === $userIdentifier
+                || ('' === $userIdentifier && is_a(ChainUserProvider::class, AttributesBasedUserProviderInterface::class, true)) // BC layer for Symfony < 8.0
+            ) {
                 return new ClientCredentialsUser($oauthClientId);
             }
 
diff --git a/tests/Unit/OAuth2AuthenticatorTest.php b/tests/Unit/OAuth2AuthenticatorTest.php
@@ -97,6 +97,8 @@ public function testAuthenticateCreatePassportWithClientCredentialsUser(): void
     {
         $serverRequest = (new ServerRequest('GET', '/foo'))
             ->withAttribute('oauth_access_token_id', 'accessTokenId')
+            ->withAttribute('oauth_user_id', 'clientId')
+            ->withAttribute('oauth_client_id', 'clientId')
         ;
 
         $httpMessageFactory = $this->createMock(HttpMessageFactoryInterface::class);

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,8 @@ public function testAuthenticateCreatePassportWithClientCredentialsUser(): void`
`97`	`97`	`{`
`98`	`98`	`$serverRequest = (new ServerRequest('GET', '/foo'))`
`99`	`99`	`->withAttribute('oauth_access_token_id', 'accessTokenId')`
	`100`	`+ ->withAttribute('oauth_user_id', 'clientId')`
	`101`	`+ ->withAttribute('oauth_client_id', 'clientId')`
`100`	`102`	`;`
`101`	`103`
`102`	`104`	`$httpMessageFactory = $this->createMock(HttpMessageFactoryInterface::class);`