src/EventSubscriber/OAuth2TokenResponseSubscriber.php line 31

Open in your IDE?
  1. <?php
  3. namespace App\EventSubscriber;
  5. use App\Entity\User;
  6. use App\Service\IdTokenGenerator;
  7. use Doctrine\ORM\EntityManagerInterface;
  8. use Lcobucci\JWT\Encoding\JoseEncoder;
  9. use Lcobucci\JWT\Token\Parser as TokenParser;
  10. use Psr\Log\LoggerInterface;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\JsonResponse;
  13. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  14. use Symfony\Component\HttpKernel\KernelEvents;
  16. class OAuth2TokenResponseSubscriber implements EventSubscriberInterface
  17. {
  18.     public function __construct(
  19.         private IdTokenGenerator $idTokenGenerator,
  20.         private LoggerInterface $logger,
  21.         private EntityManagerInterface $entityManager,
  22.     ) {}
  24.     public static function getSubscribedEvents(): array
  25.     {
  26.         return [
  27.             KernelEvents::RESPONSE => 'onResponse',
  28.         ];
  29.     }
  31.     public function onResponse(ResponseEvent $event): void
  32.     {
  33.         $request $event->getRequest();
  34.         $response $event->getResponse();
  35.         
  36.         // Only intercept /token endpoint
  37.         if ($request->getPathInfo() !== '/token') {
  38.             return;
  39.         }
  40.         
  41.         // Only intercept successful responses
  42.         if ($response->getStatusCode() !== 200) {
  43.             return;
  44.         }
  45.         
  46.         $this->logger->info('[OAuth2TokenResponseSubscriber] Token endpoint intercepted');
  47.         
  48.         try {
  49.             $content $response->getContent();
  50.             $data json_decode($contenttrue);
  51.             
  52.             if (!is_array($data) || !isset($data['access_token'])) {
  53.                 $this->logger->warning('[OAuth2TokenResponseSubscriber] No access_token in response');
  54.                 return;
  55.             }
  57.             $accessToken $data['access_token'];
  58.             
  59.             // Parse JWT to extract claims and scopes
  60.             $parser = new TokenParser(new JoseEncoder());
  61.             $token $parser->parse($accessToken);
  62.             
  63.             if (!$token instanceof \Lcobucci\JWT\UnencryptedToken) {
  64.                 $this->logger->warning('[OAuth2TokenResponseSubscriber] Token is not unencrypted');
  65.                 return;
  66.             }
  68.             $claims = [];
  69.             $scopes = [];
  70.             $clientId null;
  71.             $allClaims $token->claims()->all();
  72.             
  73.             foreach ($allClaims as $key => $value) {
  74.                 if ($key === 'scopes') {
  75.                     $scopes is_array($value) ? $value : (array) $value;
  76.                 } elseif ($key === 'aud') {
  77.                     // audience = client_id
  78.                     $clientId is_array($value) ? $value[0] : $value;
  79.                     $claims[$key] = $value;
  80.                 } else {
  81.                     $claims[$key] = $value;
  82.                 }
  83.             }
  84.             
  85.             $this->logger->info('[OAuth2TokenResponseSubscriber] Scopes:', ['scopes' => $scopes]);
  86.             $this->logger->info('[OAuth2TokenResponseSubscriber] Client ID:', ['client_id' => $clientId]);
  87.             $this->logger->info('[OAuth2TokenResponseSubscriber] Original sub (email):', ['sub' => $claims['sub'] ?? 'none']);
  88.             
  89.             // Get user from database using email (sub contains email in access_token)
  90.             $userEmail $claims['sub'] ?? null;
  91.             if ($userEmail) {
  92.                 $user $this->entityManager->getRepository(User::class)->findOneBy(['email' => $userEmail]);
  93.                 if ($user) {
  94.                     // Replace sub with user ID for id_token generation
  95.                     $claims['sub'] = (string) $user->getId();
  96.                     $this->logger->info('[OAuth2TokenResponseSubscriber] Replaced sub with user ID:', ['sub' => $claims['sub']]);
  97.                 } else {
  98.                     $this->logger->warning('[OAuth2TokenResponseSubscriber] User not found for email:', ['email' => $userEmail]);
  99.                 }
  100.             }
  101.             
  102.             // Only generate client_id token if openid scope is requested
  103.             if (!in_array('openid'$scopes)) {
  104.                 $this->logger->info('[OAuth2TokenResponseSubscriber] openid scope not requested, skipping client_id generation');
  105.                 
  106.                 // Return response without modification
  107.                 $newResponse = new JsonResponse($data);
  108.                 $newResponse->headers->set('Content-Type''application/json');
  109.                 $event->setResponse($newResponse);
  110.                 return;
  111.             }
  113.             $this->logger->info('[OAuth2TokenResponseSubscriber] Generating id_token...', ['claims' => $claims]);
  115.             // Generate id_token with user claims
  116.             $idToken $this->idTokenGenerator->generateIdToken($claims$scopes);
  118.             if ($idToken) {
  119.                 $this->logger->info('[OAuth2TokenResponseSubscriber] id_token generated successfully');
  120.                 $data['id_token'] = $idToken;
  121.                 
  122.                 
  123.             } else {
  124.                 $this->logger->warning('[OAuth2TokenResponseSubscriber] Failed to generate id_token');
  125.             }
  126.             
  127.             // Return updated response
  128.             $newResponse = new JsonResponse($data);
  129.             $newResponse->headers->set('Content-Type''application/json');
  130.             $event->setResponse($newResponse);
  131.             
  132.         } catch (\Exception $e) {
  133.             $this->logger->error('[OAuth2TokenResponseSubscriber] Error: ' $e->getMessage(), [
  134.                 'exception' => $e,
  135.                 'trace' => $e->getTraceAsString()
  136.             ]);
  137.         }
  138.     }
  139. }