Fill roles[] (UserInterface) after authenticate (oauth2)

Hi all,

mezzio-authentication returns an immutable DefaultUser for security reasons. I use it with mezzio-authentication-oauth2, and OAuth2 does not use the roles[] attribute (UserInterface), but I need it to use mezzio-authorization-rbac or mezzio-authorization-acl to protect my API routes.

Because DefaultUser is immutable I cannot create my own middleware to alter the current PSR-7 DefaultUser (DB request to find the role of the identity and fill the roles[] attribute) just after Authentication\AuthenticationMiddleware::class in my route.

I’m stuck on it… How can I proceed in my case?

Thanks in advance!

Maybe @matthew, @froschdesign or someone else can give me some advice on my problem above? The goal is to use the default authorization modules provided with Mezzio and not reinvent the wheel. Thanks!

Why do you want to change the Mezzio\Authentication\DefaultUser::class? Set everything on creation.

Thanks for your answer @froschdesign. I probably missed or did not understand something, but in OAuth2Adapter.php (mezzio-authentication-oauth2) the roles attribute is not filled by default in the authenticate method (line 65).

return ($this->userFactory)(
    $userId,
    [],  // <---- HERE: roles are always passed as an empty array
    [
        'oauth_user_id' => $userId,
        'oauth_client_id' => $clientId,
        'oauth_access_token_id' => $result->getAttribute('oauth_access_token_id', null),
        'oauth_scopes' => $result->getAttribute('oauth_scopes', null),
    ]
);

The documentation confirms this behavior. That’s OK because OAuth2 does not use roles.

The getRoles() method of the user instance always returns an empty array. (found in the docs)

But Mezzio\Authentication\DefaultUser::class is created here and I cannot alter this class later because it is immutable. Right? My idea was to add a new middleware after Authentication\AuthenticationMiddleware::class in my routes to alter the DefaultUser::class and fill the roles array from a database request.

Am I completely wrong?

And right below you will find the following section: “Customize the user instance”.
Which means to replace the default user entity with your own implementation.
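As an added illustration of both replies above (“set everything on creation” and “customize the user instance”), here is one way to have the roles already present when the user object is built, so no middleware ever needs to mutate the immutable DefaultUser. This is example code, not the thread’s or the Mezzio project’s own: it assumes a PDO connection registered in the container under `PDO::class` and hypothetical `user_roles` / `roles` tables; the container-level hook it relies on (the `Mezzio\Authentication\UserInterface` service resolving to a callable that OAuth2Adapter invokes as `$userFactory($identity, $roles, $details)`) is the one shown in the posted OAuth2Adapter.php snippet.

```php
<?php

declare(strict_types=1);

namespace App\Authentication;

use Mezzio\Authentication\DefaultUser;
use Mezzio\Authentication\UserInterface;
use PDO;
use Psr\Container\ContainerInterface;

/**
 * Container factory for the Mezzio\Authentication\UserInterface service.
 *
 * mezzio-authentication resolves that service to a callable which builds the
 * user object; OAuth2Adapter calls it as ($identity, [], $details) after the
 * access token has been validated. By looking the roles up here, at creation
 * time, the immutable DefaultUser already carries them and
 * mezzio-authorization-rbac / -acl can read them via getRoles().
 *
 * Assumed: a PDO service registered as PDO::class, and tables
 *   roles(id, name) and user_roles(user_id, role_id).
 */
final class RoleAwareUserFactory
{
    public function __invoke(ContainerInterface $container): callable
    {
        $pdo = $container->get(PDO::class);

        return static function (string $identity, array $roles = [], array $details = []) use ($pdo): UserInterface {
            // The identity comes from the validated access token (oauth_user_id).
            // Use a prepared statement: never interpolate it into the SQL string.
            $stmt = $pdo->prepare(
                'SELECT r.name
                   FROM user_roles ur
                   JOIN roles r ON r.id = ur.role_id
                  WHERE ur.user_id = :user_id'
            );
            $stmt->execute(['user_id' => $identity]);

            /** @var list<string> $dbRoles */
            $dbRoles = array_map('strval', $stmt->fetchAll(PDO::FETCH_COLUMN) ?: []);

            // Merge whatever the adapter passed (empty for OAuth2) with the roles
            // from the database, de-duplicated. DefaultUser is immutable, so the
            // constructor is the only place the roles can be set.
            $allRoles = array_values(array_unique(array_merge($roles, $dbRoles)));

            return new DefaultUser($identity, $allRoles, $details);
        };
    }
}
```

Register it in place of the default factory, e.g. in `config/autoload/dependencies.global.php` (file name assumed): `'dependencies' => ['factories' => [\Mezzio\Authentication\UserInterface::class => \App\Authentication\RoleAwareUserFactory::class]]`. Two things worth checking in practice: the lookup runs once per authenticated request, so keep the query indexed or cache it; and because the roles are resolved server-side from the identity rather than taken from anything the client sent, a forged or over-scoped token cannot grant itself extra roles.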

Don’t know why I haven’t seen this… :sweat_smile:. Sorry and thank you @froschdesign!

Thanks for the feedback and I hope it works for you now!