Integrating Authorization Enabler

Edit on GitHub

This document describes how to integrate the Authorization Enabler into a Spryker project.

Prerequisites

To start the integration, review and install the necessary features:

NAME VERSION
Spryker Core master

1) Install the required modules using Composer

  1. Install the required modules:
composer require spryker/authorization spryker/glue-application-authorization-connector --update-with-dependencies
  1. Optional: Install or update modules with endpoint authorization:
composer require spryker/orders-rest-api:"^4.10.0" spryker/availability-notifications-rest-api:"^1.1.0" spryker/carts-rest-api:"^5.16.0" spryker/customers-rest-api:"^1.19.0" --update-with-dependencies
Verificaiton

Ensure that the following modules have been installed in vendor/spryker:

MODULE EXPECTED DIRECTORY
Authorization vendor/spryker/authorization
GlueApplicationAuthorizationConnector vendor/spryker/glue-application-authorization-connector
AuthorizationExtension vendor/spryker/authorization-extension
GlueApplicationExtension vendor/spryker/glue-application-extension
GlueApplicationAuthorizationConnectorExtension vendor/spryker/glue-application-authorization-connector-extension

2) Set up transfer objects

Generate transfer changes:

console transfer:generate
Verificaiton

Make sure that the following changes have been applied in transfer objects:

TRANSFER TYPE EVENT PATH
AuthorizationRequestTransfer class created src/Generated/Shared/Transfer/AuthorizationRequestTransfer.php
AuthorizationResponseTransfer class created src/Generated/Shared/Transfer/AuthorizationResponseTransfer.php
AuthorizationIdentityTransfer class created src/Generated/Shared/Transfer/AuthorizationIdentityTransfer.php
AuthorizationEntityTransfer class created src/Generated/Shared/Transfer/AuthorizationEntityTransfer.php
RouteAuthorizationConfigTransfer class created src/Generated/Shared/Transfer/RouteAuthorizationConfigTransfer.php
RestErrorMessageTransfer class created src/Generated/Shared/Transfer/RestErrorMessageTransfer.php

3) Set up behavior

Set up the following behaviors.

Enable authorization plugins

Activate the following plugins:

PLUGIN SPECIFICATION NAMESPACE
CustomerReferenceMatchingEntityIdAuthorizationStrategyPlugin Authorization rule for the route that uses the current strategy. Spryker\Client\Customer\Plugin
AuthorizationRestUserValidatorPlugin Validates a request if the route implements the authorization interface. Spryker\Glue\GlueApplicationAuthorizationConnector\Plugin\GlueApplication
AuthorizationRouterParameterExpanderPlugin Expands a route with additional parameters. Spryker\Glue\GlueApplicationAuthorizationConnector\Plugin\GlueApplication
src/Pyz/Client/Authorization/AuthorizationDependencyProvider.php
<?php

namespace Pyz\Client\Authorization;

use Spryker\Client\Authorization\AuthorizationDependencyProvider as SprykerAuthorizationDependencyProvider;
use Spryker\Client\Customer\Plugin\Authorization\CustomerReferenceMatchingEntityIdAuthorizationStrategyPlugin;

class AuthorizationDependencyProvider extends SprykerAuthorizationDependencyProvider
{
    /**
     * @return \Spryker\Client\AuthorizationExtension\Dependency\Plugin\AuthorizationStrategyPluginInterface[]
     */
    protected function getAuthorizationStrategyPlugins(): array
    {
        return [
            new CustomerReferenceMatchingEntityIdAuthorizationStrategyPlugin(),
        ];
    }
}
rc/Pyz/Glue/GlueApplication/GlueApplicationDependencyProvider.php
<?php

namespace Pyz\Glue\GlueApplication;

....
use Spryker\Glue\GlueApplicationAuthorizationConnector\Plugin\GlueApplication\AuthorizationRestUserValidatorPlugin;
use Spryker\Glue\GlueApplicationAuthorizationConnector\Plugin\GlueApplication\AuthorizationRouterParameterExpanderPlugin;
....

class GlueApplicationDependencyProvider extends SprykerAuthorizationDependencyProvider
{
    /**
     * @return @return \Spryker\Glue\GlueApplicationExtension\Dependency\Plugin\RestUserValidatorPluginInterface[]
     */
    protected function getRestUserValidatorPlugins(): array
    {
        return [
            new AuthorizationRestUserValidatorPlugin(),
        ];
    }

    /**
     * @return \Spryker\Glue\GlueApplicationExtension\Dependency\Plugin\RouterParameterExpanderPluginInterface[]
     */
    protected function getRouterParameterExpanderPlugins(): array
    {
        return [
            new AuthorizationRouterParameterExpanderPlugin(),
        ];
    }
}
Verificaiton

To make sure that the plugins are activated, send a request with incorrect authentication details to a protected resource and check that it returns an authorization error.