2

I'm developing a symfony4 webapp. Users accounts are stored on a DB accessible via an API.

I want to implement this UserProviderInterface as it is advised by the symfony4 documentation to use the symfony4 security module features.

If I understand, implementing this interface requires the API (or service, or db...) to return data (for example hashed password / salt) that will be checked by symfony security.

Is there a way to use the symfony security module without getting such data from the user provider ?

For example to send username and password entered in login form by the user to the api, which will check if it is correct and return a bool ?

Improve this question
1
  • Do you want to proxy username/password to another API and grant access depending on the remote API's response ... instead of validating username/password with providers and security encoders provided by symfony? Commented Jan 25, 2018 at 12:01

1 Answer 1

Reset to default
1

You can implement your own Guard Authenticator to perform the authentication checks manually.

There is a good example implementation described in the documentation chapter:

How to Create a Custom Authentication System with Guard

An example configuration would look like this:

security:
  firewalls:
    firewall_api:
      pattern: '^/(.*)+$'
      host:    '^api\.mypage\.com$'
      stateless: true
      anonymous: false
      guard:
        # list of authenticators to try
        authenticators:
          - 'My\Bridge\Symfony\Security\Authenticator\Guard\JWTTokenAuthenticator'
          - 'My\Bridge\Symfony\Security\Authenticator\Guard\FacebookAuthenticator'
        # This authenticator's start() method is called
        entry_point: 'My\Bridge\Symfony\Security\Authenticator\Guard\JWTTokenAuthenticator'
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Thanks for answering, but I don't really get how to use guard with a form login to check if api accepts credentials
What do you mean by API accepts credentials? What API - the one you're building? What shall happen after authentication - set a session-cookie, return an authentication-token for re-use? Do you want to authenticate by POSTing a simple form with username/password or authenticate via a JSON payload? Or do you just want to know how to validate a username/password combination against a provider inside a controller/service? :)
it is a custom API that returns a json user authentication-token for re-use if credentials are accepted. I would like to post to it at login and then re-use it to allow the user to browse the site and make other requests to the api to display data.
If I understand I need 1) to implement a user provider that posts to the api to get a token and then 2) to use guard to validate the user's token when he browses the application ? What I still don't get is how to post username/password to the api if I can only access username in github.com/symfony/security-core/blob/master/User/…
You sent a link to a UserProvider. A user provider is responsible for fetching a UserInterface by given username. Not more not less. I already pointed you towards a custom Guard Authenticator in my answer. You can inspect the current request for username and password inside the getCredentials(Request $request) method easily.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.