From 8bafd7e09af14e8d1d6b0fe8ec079d699d2e5dc5 Mon Sep 17 00:00:00 2001
From: Benjamin BOUDIER
Date: Tue, 28 Mar 2023 09:30:14 +0200
Subject: [PATCH] Fix: catch exception on refresh user

---
 Security/User/KeycloakBearerUserProvider.php | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/Security/User/KeycloakBearerUserProvider.php b/Security/User/KeycloakBearerUserProvider.php
index 326249b..7485d86 100644
--- a/Security/User/KeycloakBearerUserProvider.php
+++ b/Security/User/KeycloakBearerUserProvider.php
@@ -7,6 +7,7 @@
 use KnpU\OAuth2ClientBundle\Client\ClientRegistry;
 use KnpU\OAuth2ClientBundle\Client\OAuth2Client;
 use KnpU\OAuth2ClientBundle\Security\User\OAuthUserProvider;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -37,9 +38,7 @@ public function loadUserByUsername($accessToken): UserInterface
         $provider = $this->getKeycloakClient()->getOAuth2Provider();
 
         if (!$provider instanceof Keycloak) {
-            throw new \RuntimeException(
-                sprintf('The OAuth2 client provider must be an instance of %s', Keycloak::class)
-            );
+            throw new \RuntimeException(sprintf('The OAuth2 client provider must be an instance of %s', Keycloak::class));
         }
 
         $response = (new Client())->request('POST', $provider->getTokenIntrospectionUrl(), [
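Review bot: `BadCredentialsException` is imported in this hunk but nothing in the patch references it; the new catch block in refreshUser (last hunk) throws `UsernameNotFoundException` instead. Either drop the `use Symfony\Component\Security\Core\Exception\BadCredentialsException;` line or, if the intent was to report an invalid or revoked bearer token as a credentials failure rather than as a missing user, throw `BadCredentialsException` there. An unused import is harmless at runtime, but here it suggests the intended exception type was never settled.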
@@ -57,12 +56,7 @@ public function loadUserByUsername($accessToken): UserInterface
         }
 
         if (!isset($jwt['resource_access'][$provider->getClientId()])) {
-            throw new \UnexpectedValueException(sprintf(
-                'The token does not have the necessary permissions. Configure roles in the client \'%s\' of the realm \'%s\' and associate them with the user \'%s\'',
-                $provider->getClientId(),
-                $provider->realm,
-                $jwt['username']
-            ));
+            throw new \UnexpectedValueException(sprintf('The token does not have the necessary permissions. Configure roles in the client \'%s\' of the realm \'%s\' and associate them with the user \'%s\'', $provider->getClientId(), $provider->realm, $jwt['username']));
         }
 
         return (new KeycloakBearerUser($jwt['username'], $jwt['resource_access'][$provider->getClientId()]['roles']))
@@ -81,10 +75,10 @@ public function refreshUser(UserInterface $user): UserInterface
             throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
         }
 
-        $user = $this->loadUserByUsername($user->getAccessToken());
-
-        if (!$user) {
-            throw new UsernameNotFoundException();
+        try {
+            $user = $this->loadUserByUsername($user->getAccessToken());
+        } catch (\Exception $e) {
+            throw new UsernameNotFoundException(sprintf('Error during token introspection: %s', $e->getMessage()));
         }
 
         return $user;
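Review bot: The new `catch (\Exception $e)` in refreshUser drops the original exception: the rethrown `UsernameNotFoundException` carries only a message, so the type and stack of the underlying failure (the introspection HTTP request, the `\RuntimeException` for a misconfigured provider, or the `\UnexpectedValueException` for missing roles, all visible in the earlier hunks) never reach the logs. Chain the cause instead: `throw new UsernameNotFoundException(sprintf('Error during token introspection: %s', $e->getMessage()), 0, $e);`. Consider also whether a transport failure of the introspection endpoint should be folded into "user not found" at all: Symfony's context listener treats that exception as the user no longer existing and drops the token, which fails closed, but it makes an IdP outage indistinguishable from a revoked token unless the specific exception types loadUserByUsername raises are caught separately. If the bundle targets Symfony 5.3 or later (its constraint is not visible here), `UsernameNotFoundException` is deprecated in favour of `UserNotFoundException`.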