Authorization Code grant to an organization via user authentication?

[LieutenantClone]

I want to use the authorization code flow but to connect a client to an organization instead of a user.

This would be the flow:

• User clicks "Connect" button on client website
• Redirect to /authorize
• Redirect to login form
• User enters their user login credentials
• User selects which organization to connect, if they have access to more than one
• User is asked for consent on behalf of the organization to the requested scopes => clicks allow
• The resulting authorization code is tied to the organization, instead of the user
• Redirect to client website with authorization code
• Client website calls /token to exchange authorization code for a token
• Requests using the token will impersonate the organization, not the user

Essentially, to connect the client a user must log in with their user credentials, to authorize the connection on behalf of the organization.
This is what GitHub does when it allows connecting an application to an organization.

I'm wondering if there is already a built-in way to handle this scenario in the bundle? The AuthorizationCode entity stores the user_identifier, for this use case I would need it to store the organization_id instead. But I don't see a way to override the AuthorizationCode entity (like the way it's possible to override the Client entity).

Any ideas how to do this?

[ajgarlag]

You could create a custom implementation of the UserConverterInterface that sets the organization identifier in the authorization request instead of the Symfony user identifier.

[LieutenantClone]

Hi @ajgarlag , thanks for that suggestion. I looked at the interface and that makes sense to me. But how do I tell oauth2-server-bundle to use my implementation of UserConverterInterface instead of the one in the bundle?

After that, I'm assuming that I'd need to create a Symfony UserProvider that would load the organization given the organization ID? Am I on the right track?