Last active January 23, 2022 09:54
RESTful API with Symfony 4.4 + FOSRestBundle + FOSOauthServerBundle + FOSUserBundle

To start writing RestFull API in symfony we will need bundles:

So let’s get started:

Firstly, we create a project in symfony. We will need a composer, which you can download and install from this page/website:

We can create skeleton project in symfony using command prompt:

create-project symfony/skeleton rest

But the easier way is to use a composer.json to create a project running command: composer install

Then we got a question Do you want to execute this recipe? Press y. After generating config files we correct them. To make it work properly you need to create some config files under the config/packages folder

      db_driver: orm # other valid values are 'mongodb' and 'couchdb'
      firewall_name: main
      user_class: App\Entity\User
        address: '' # for example your email
        sender_name: '' # for example your email


    db_driver: orm
    client_class:        App\Entity\Client
    access_token_class:  App\Entity\AccessToken
    refresh_token_class: App\Entity\RefreshToken
    auth_code_class:     App\Entity\AuthCode
        user_provider: fos_user.user_provider.username
            access_token_lifetime: 28800
        engine: twig

We use this class to be able to store the authocode and access the tokens to authorise via our API.

We also need to add to the framework.yml a templating engine:

        engines: ['twig', 'php']

And add nelmio_api_doc.yaml

            title: My App
            description: This is an awesome app!
            version: 1.0.0
    areas: # to filter documented areas
            - ^/api(?!/doc$) # Accepts routes under /api except /api/doc

Let’s create fos_oauth_server entity classes.

I figured out that the problem with mysql 8.0 in authentication using docker can be solved by adding a command in docker-compose.yaml

command: ['--character-set-server=utf8mb4', '--collation-server=utf8mb4_unicode_ci','--default-authentication-plugin=mysql_native_password']

The file doctrine.yaml will look like this

        # configure these for your database server
        driver: 'pdo_mysql'
        host: '%env(DB_HOST)%'
        port: '%env(DB_PORT)%'
        dbname: '%env(DB_DATABASE)%'
        user: '%env(DB_USERNAME)%'
        password: '%env(DB_PASSWORD)%'
        charset: utf8mb4
            charset: utf8mb4
            collate: utf8mb4_unicode_ci

AccessToken class:


namespace App\Entity;

use FOS\OAuthServerBundle\Entity\AccessToken as BaseAccessToken;
use Doctrine\ORM\Mapping as ORM;

 * @ORM\Table(name="oauth2_access_tokens")
 * @ORM\Entity
class AccessToken extends BaseAccessToken
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
    protected $id;

     * @var Client
     * @ORM\ManyToOne(targetEntity="Client")
     * @ORM\JoinColumn(nullable=false)
    protected $client;

     * @var User
     * @ORM\ManyToOne(targetEntity="User")
    protected $user;

AuthCode class


namespace App\Entity;

use FOS\OAuthServerBundle\Entity\AuthCode as BaseAuthCode;
use Doctrine\ORM\Mapping as ORM;

 * @ORM\Table(name="oauth2_auth_codes")
 * @ORM\Entity
class AuthCode extends BaseAuthCode
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
    protected $id;

     * @var Client
     * @ORM\ManyToOne(targetEntity="Client")
     * @ORM\JoinColumn(nullable=false)
    protected $client;

     * @var User
     * @ORM\ManyToOne(targetEntity="User")
    protected $user;

Client class


namespace App\Entity;

use FOS\OAuthServerBundle\Entity\Client as BaseClient;
use Doctrine\ORM\Mapping as ORM;

 * @ORM\Table(name="oauth2_clients")
 * @ORM\Entity
class Client extends BaseClient
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
    protected $id;

     * @var string
     * @ORM\Column(name="type", type="string", length=150, nullable=true)
    protected $type;

Refresh token class

namespace App\Entity;

use FOS\OAuthServerBundle\Entity\RefreshToken as BaseRefreshToken;
use Doctrine\ORM\Mapping as ORM;

 * @ORM\Table(name="oauth2_refresh_tokens")
 * @ORM\Entity
class RefreshToken extends BaseRefreshToken
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
    protected $id;

     * @var Client
     * @ORM\ManyToOne(targetEntity="Client")
     * @ORM\JoinColumn(nullable=false)
    protected $client;

     * @var User
     * @ORM\ManyToOne(targetEntity="User")
    protected $user;

These classes are simple. As you can see we also need to create the User class


namespace App\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
use Symfony\Component\Validator\Constraints as Assert;
use JMS\Serializer\Annotation as Serializer;

 * User
 * @ORM\Table(name="user", indexes={
 *     @ORM\Index(name="search_idx_username", columns={"username"}),
 *     @ORM\Index(name="search_idx_email", columns={"email"}),
 * })
 * @ORM\Entity(repositoryClass="App\Repository\UserRepository")
 * @UniqueEntity(fields={"email"}, message="EMAIL_IS_ALREADY_IN_USE")
 * @Serializer\ExclusionPolicy("all")
class User extends BaseUser
    const ROLE_ADMIN = "ROLE_ADMIN";
    const ROLE_USER = "ROLE_USER";

     * To validate supported roles
     * @var array
    static public $ROLES_SUPPORTED = array(
        self::ROLE_SUPER_ADMIN => self::ROLE_SUPER_ADMIN,
        self::ROLE_ADMIN => self::ROLE_ADMIN,
        self::ROLE_USER => self::ROLE_USER,

     * @var int
     * @ORM\Column(name="id", type="integer")
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
    protected $id;

     * @var string
     * @Assert\NotBlank(message="FIELD_CAN_NOT_BE_EMPTY")
     * @Assert\Email(
     *     message = "INCORRECT_EMAIL_ADDRESS",
     *     checkMX = true
     * )
    protected $email;

     * @var string
     * @ORM\Column(name="first_name", type="string", length=100, nullable=true)
     * @Assert\Length(
     *      min = 1,
     *      max = 100,
     *      minMessage = "FIELD_LENGTH_TOO_SHORT",
     *      maxMessage = "FIELD_LENGTH_TOO_LONG"
     * )
    private $firstName;

     * @var string
     * @ORM\Column(name="last_name", type="string", length=100, nullable=true)
     * @Assert\Length(
     *      min = 1,
     *      max = 100,
     *      minMessage = "FIELD_LENGTH_TOO_SHORT",
     *      maxMessage = "FIELD_LENGTH_TOO_LONG"
     * )
    private $lastName;

     * @var boolean
     * @ORM\Column(name="deleted", type="boolean")
     * @Assert\Type(
     *     type="bool",
     *     message="FIELD_MUST_BE_BOOLEAN_TYPE"
     * )
    private $deleted;

     * User constructor.
    public function __construct()
        $this->deleted = false;

     * Get id
     * @return int
    public function getId()
        return $this->id;

     * Set firstName
     * @param string $firstName
     * @return User
    public function setFirstName($firstName)
        $this->firstName = $firstName;

        return $this;

     * Get firstName
     * @return string
    public function getFirstName()
        return $this->firstName;

     * Set lastName
     * @param string $lastName
     * @return User
    public function setLastName($lastName)
        $this->lastName = $lastName;

        return $this;

     * Get lastName
     * @return string
    public function getLastName()
        return $this->lastName;

     * Set deleted
     * @param boolean $deleted
     * @return User
    public function setDeleted($deleted)
        $this->deleted = $deleted;

        return $this;

     * Get deleted
     * @return boolean
    public function getDeleted()
        return $this->deleted;

And the UserRepository can be empty :)


namespace App\Repository;

use App\Entity\User;
use Doctrine\ORM\EntityRepository;

 * @method User|null find($id, $lockMode = null, $lockVersion = null)
 * @method User|null findOneBy(array $criteria, array $orderBy = null)
 * @method User[]    findAll()
 * @method User[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
class UserRepository extends EntityRepository

Let’s create some datafixtures

Run command : php bin/console make:fixtures

Here we create Oauth2ClientData.

Edit the file that we’ve just created.


namespace App\DataFixtures;

use App\Entity\Client;
use Doctrine\Bundle\FixturesBundle\Fixture;
use Doctrine\Common\Persistence\ObjectManager;
use Doctrine\ORM\Id\AssignedGenerator;
use Doctrine\ORM\Mapping\ClassMetadata;

class ClientData extends Fixture
    public function load(ObjectManager $manager)
        $oauth2Client = new Client();

        $oauth2Client->setAllowedGrantTypes(array('password', 'refresh_token'));


        /** @var ClassMetadata $metadata */
        $metadata = $manager->getClassMetadata(get_class($oauth2Client));

        $metadata->setIdGenerator(new AssignedGenerator());


Another one with the the user

php bin/console make:fixtures

Like in the previous one, edit the file that we’ve just created.


namespace App\DataFixtures;

use App\Entity\User;
use Doctrine\Bundle\FixturesBundle\Fixture;
use Doctrine\Common\Persistence\ObjectManager;
use FOS\UserBundle\Doctrine\UserManager;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

class UserData extends Fixture implements ContainerAwareInterface
    const USER_MANAGER = 'fos_user.user_manager';

     * @var ContainerInterface
    private $container;

     * @var UserManager
    private $userManager;

     * @param ContainerInterface|null $container
    public function setContainer(ContainerInterface $container = null)
        $this->container = $container;
        $this->userManager = $this->container->get(static::USER_MANAGER);

    public function load(ObjectManager $manager)
        /** @var User $user */
        $user = $this->userManager->createUser();


We also need to define a password encoder for the entity User. We can do it in security.yaml by adding these lines:

        FOS\UserBundle\Model\UserInterface: sha512

After this run commands

php bin/console doctrine:database:drop --force --if-exists
php bin/console make:migration
php bin/console doctrine:migrations:migrate
php bin/console doctrine:fixtures:load

to update database with datafixtures. We should also define routes routes.yaml

  resource: "@FOSOAuthServerBundle/Resources/config/routing/token.xml"

  resource: "@FOSOAuthServerBundle/Resources/config/routing/authorize.xml"

After this using f.e. built in in PHPStorm HTTPClient we can request a token from our OauthServer

Create POST query to path: /oauth/v2/token giving following parameters:

client_id:1_5w8zrdasdafr4tregd454cw0c0kswcgs0oks40g #notice that we add id_ before client_id which we create using datafixtures

You should get response like this:


If you get this result, your configuration is correct.

GrzegorzBandur commented Jun 6, 2019


Thanks for this nce tutorial.
While implementing it, i got this error, can you please help to fixe?

Unrecognized options "sandbox, swagger" under "nelmio_api_doc". Available options are "areas", "documentation", "models".

You probably use newer version of nelmio/api-doc-bundle which don't support sandbox in documentation. Try use the same like in this gist.

"nelmio/api-doc-bundle": "^2.13",

Wielkie dzięki Grzesiek, świetna robota! Zaoszczędziłeś mi mnóstwo czasu.

Cieszę się, że pomogłem.

Cieszę się, że pomogłem.

takouarnauld commented Jun 6, 2019

Thanks for the return.
Now i'm getting this error while proceding to the request with Postman :

"error": "invalid_request",
"error_description": "Invalid grant_type parameter or parameter missing"

But using a browser, i have this :
"error": "invalid_client",
"error_description": "The client credentials are invalid"

I used the id and secret present in the "oauth2_clients" table in my database

Thanks for the return.
Now i'm getting this error while proceding to the request with Postman :

"error": "invalid_request",
"error_description": "Invalid grant_type parameter or parameter missing"

But using a browser, i have this :
"error": "invalid_client",
"error_description": "The client credentials are invalid"

I used the id and secret present in the "oauth2_clients" table in my database

  1. By Postman you should use GET request, and set parameters by bulk edit (in example there is grant_type-password, which in my opinion isn't correct notation), it should looks like this:


  1. If you copypaste Fixtures and parameters, double check them - there is difference in "client_id" and "client_secret".

jessequinn commented Aug 15, 2019

I needed to update the bulk values:


However, i receive the following error afterwards:

"message": "Attempted to call an undefined method named \"findOneBy\" of class \"App\\Repository\\OAuth2\\UserRepository\".",
                "class": "Symfony\\Component\\Debug\\Exception\\UndefinedMethodException",


Depending on your User entity location


namespace App\Repository\OAuth2;

use App\Entity\OAuth2\User;
use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
use Symfony\Bridge\Doctrine\RegistryInterface;

 * @method User|null find($id, $lockMode = null, $lockVersion = null)
 * @method User|null findOneBy(array $criteria, array $orderBy = null)
 * @method User[]    findAll()
 * @method User[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
class UserRepository extends ServiceEntityRepository
    public function __construct(RegistryInterface $registry)
        parent::__construct($registry, User::class);

I am new to this and I would like to know how to do everything in basic tutorial mode to perform an api rest with symfony 4 and oauth2

Thanks of advances

Executing script cache:clear [KO]
Script cache:clear returned with error code 1
!!  In RegisterMappingsPass.php line 221:
!!    Could not find the manager name parameter in the container. Tried the follo
!!    wing parameter names: "fos_user.model_manager_name", "doctrine.default_enti
!!    ty_manager".
Script @auto-scripts was called via post-install-cmd

