When I set 'deny_by_default' ('zf-mvc-auth' component) to true, I get 403 "Forbidden" on all pages of the site

I am trying to use oauth2 with apigility within zf3 project too. At current moment I have faced with next situation: when I am setting ‘deny_by_default’ to true, I get 403 “Forbiddeb” on all pages of the site even at non API urls. I mean, the home page of my site shows 403 too.

This is my config:

'zf-mvc-auth' => [
        'authentication' => [
            'map' => [
                '\\Admin\\Module\\User\\V1' => 'oauth2_pdo',
        'authorization' => [
            'deny_by_default' => true,
            '\\Admin\\Module\\User\\V1\\Rest\\Item\\Controller' => [
                'collection' => [
                    'GET' => true,
                    'POST' => true,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                'entity' => [
                    'GET' => true,
                    'POST' => false,
                    'PUT' => true,
                    'PATCH' => true,
                    'DELETE' => true,

I have apigility admin at the another project and generate there what I need. After that I copy generated config to my project.
It looks like I have missed something. When I remove deny_by_default or set it to false everything works as before but my API is allowed to see without authentication.

I have this json response on all pages (at home page too):


How to fix this?

This article may help: https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html

It’s not as easy as just a config variable but once all your ACL is in place you’ll have better control of your permissions.

1 Like

I followed by this tutorial https://apigility.org/documentation/auth/user-differentiation but your example contains doctrine which is exactly what I need. Thank you!

Also I have figured out why I had 403 everywhere. I had to add acl resources to the authorization listener.

I have fixed 403 at nonAPI pages but still have 403 at all REST API links.

Tom, can you clear for me one moment from your blog post at https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html?
At first you have wrote this:

'zf-mvc-auth' => array(
        'authentication' => array(
            'adapters' => array(
                'user' => [
                    'adapter' => 'User\\Authentication\\Adapter\\DoctrineAdapter',
                    'storage' => [

where the name of adapter is “DoctrineAdapter”. Later at that post you have mentioned this:

final class AuthenticationAdapter implements

Is the “AuthenticationAdapter” the same as “DoctrineAdapter” from config?

Also, at this page https://apigility.org/documentation/auth/user-differentiation have mentioned about “final class SessionAdapter” but later at that docs is this code:

// Add Authentication Adapter for session
        $defaultAuthenticationListener = $container->get(DefaultAuthenticationListener::class);
        $defaultAuthenticationListener->attach(new Authentication\AuthenticationAdapter());

Is “SessionAdapter” and “AuthenticationAdapter” the same thing? Because, I used it as same and rename second class to first class.

@testuser I don’t get what you’re asking. If you’re still working on this add some links to the code with your question.

Hi, Tom! Thank you for replaying!
I have figured out this issue.

@testuser it is customary to describe what the issue was and how you solved it for those who come here later looking for help

@xerkus , I don’t remember exactly but If I am not mistaken the issue was related to that fact that ‘deny_by_default’ and ‘zf-mvc-auth’ was related only to guest users. And I was trying to config apigility for admin user.

I have created additional authorization listener and added something like this:

    $entityMehtods = [
    $authorization->allow('admin', '\\Admin\\Module\\News\\V1\\Rest\\Item\\Controller' . '::entity', $entityMehtods);

This works for me.

1 Like

could you please share your solution.

i have followed both tutorials:


And could not make it work. thanks in advance

The deny_by_default flag, when set to boolean true, does exactly what it says: it denies access to API endpoints un-identified users. You MUST pass credentials with your request in order to access any API endpoints. (Non-API endpoints are not affected.)

Your ACL rules may specify further restrictions, but this is the first line in making your API private by default. If you don’t want that behavior, toggle the flag back to false, and then restrict only the endpoints that will require a credentialed user.