[Security][SecurityBundle] Add access_token.default_roles option that allows overwriting user's default roles

[nxtpge]

Q	A
Branch?	8.1
Bug fix?	no
New feature?	yes
Deprecations?	no
Issues
License	MIT

This pull request allows to overwrite the default roles provided to a user as part of the Access Token Authentication regardless of the token handler used (currently cas, oauth2, oidc, and oidc_user_info).

Thanks to the addition of the access_token.default_roles option, a developer will be able to quickly customize these roles without complexity:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc_user_info: "https://gitlab.com/oauth/userinfo"
                default_roles: "ROLE_GITLAB" # Or ["ROLE_GITLAB"]

In this example, we could allow a GitLab CI/CD pipeline to access the application in order to do specific tasks.

My apologies for the size of this pull request but I think it was necessary to handle this feature for all protocols (and not one after another). Besides, I did not find a way to enforce properly the access_token.default_roles only for specific protocols.

Important changes

Class	Description
TokenHandlerFactoryInterface	An optional $defaultRoles argument was added to the create method.
AccessTokenFactory	The createTokenHandler method had an unused $userProviderId. I replaced it by an optional $defaultRoles one.
CompleteConfigurationTestCase	Both CAS and OAuth 2.0 Token Introspection protocols are not supported by the XML configuration format. I skipped the tests for this format.
CasUser	Enable the AccessTokenAuthenticator::authenticate method to return a passport holding a user containing the default roles in the case of the CAS protocol. This class could be a breaking change since the Cas2Handler returns a different UserBadge from this point forward. The opened pull request #59951 will conflict with this one.
Cas2HandlerTest	I skipped both existing and new tests since the CasUser is not known yet by Symfony. Let me know if I need to remove the markTestSkipped calls. Also, I modified the testWithValidTicket method because comparing (assertEquals) two objects containing a closure seems to not be possible with PHP. I am open for an explanation for this one.

Questions

• Do you think there is some tests to add in the AccessTokenAuthenticatorTest file?
• Do you think, in another pull request, we should move the Cas2Handler service registration from the factory to the security_authenticator_access_token.php configuration file as it was done for the others protocols?

[Spomky]

Hi @nxtpge

Thanks for the PR and the work behind it.
However, I’m not in favour of adding default_roles at the authentication level.
In Symfony, ROLE_* is an authorization concept, not an authentication one. Mixing both layers would blur responsibilities.

It is better to do it after authentication, via a user provider or custom authorization logic.

[nxtpge]

@Spomky Never mind my previous message, I made the subject more complex than necessary.

For the user provider, did you mean to do something like the LDAP one?

If that is the case, I will split this pull request into several ones, each related to a specific protocol.