
I'm exploring the new system for User Authentication using the new AbstractAuthenticator class in my Symfony 5 project.

My Symfony app will contain a mix of routes: some will only be accessible to authenticated users and some to unauthenticated users (public access).

My security.yaml file looks something like this:

security:
    enable_authenticator_manager: true

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            custom_authenticators:
                - App\Security\JwtAuthenticator

    access_control:
        - { path: ^/auth/login, roles: PUBLIC_ACCESS }
        - { path: ^/auth, roles: ROLE_USER }

I have also set up a route to auth/login.

However, when I access the URL https://myapp.test/auth/login I get the following message:

{"message":"Invalid credentials."}

If I remove the custom authenticator directive from security.yaml, the URL loads as expected.

Below is the authenticate function from the Authenticator class:

public function authenticate(Request $request): PassportInterface
{
    // Identify the user by the "email" request parameter. SelfValidatingPassport
    // performs no credential check, so the UserBadge alone authenticates the user.
    return new SelfValidatingPassport(new UserBadge($request->get('email')));
}

If I access /auth/login with a valid user matching the email address provided and with the ROLE_USER role, the page will load as expected. If I access it without providing an email address, the page will return the following (from the onAuthenticationFailure method):

{"message":"Invalid credentials."}

If I understand correctly, as stated in the Symfony docs, PUBLIC_ACCESS should skip authenticating the user and load the /auth/login route, while everything else under /auth/ should be protected. But I cannot get the PUBLIC_ACCESS directive to work.

  • When you say the page is not displayed do you mean you get a blank page? If so then that implies that you are not running in the usual development/debug mode. I assume you are not posting your complete security.yaml file? Typically you would only need the PUBLIC_ACCESS if you are trying to access something that is already protected. Like if you had ^/auth ROLE_ADMIN. In any event I suspect the real problem is your authenticator. Does it work without any access_control? Commented Jul 10, 2021 at 12:53
  • If I remove the access control directive, I still get the blank page. So the auth/login controller code is never executed. If I remove the firewall altogether in security.yaml the page will load just fine. My understanding was that declaring the route as public_access would bypass the firewall altogether. Is this not the case? Do I need to add anything in my AbstractAuthenticator class which would let this route load without any security checks? Commented Jul 10, 2021 at 13:58
  • I do think you are misunderstanding PUBLIC_ACCESS. There is a section in the docs on it. The example says that anything under /admin needs a ROLE_ADMIN except for /admin/login. Bottom line is that you should not need any access_control to get your app working. The first thing to solve is why you are getting a blank page. You should be running in development mode and you should be using the Symfony development server. You should never get a blank page but rather some big 'exception' type page. I suppose you could try checking the logs. Commented Jul 10, 2021 at 14:04
  • Did you use make:auth to get started? I ask because your posted main firewall configuration does not match the default configuration. Commented Jul 10, 2021 at 14:06
  • Have you managed to figure this out? I am having the same issue. Commented Mar 24, 2022 at 17:12
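The comments above point at the authenticator rather than access_control: a custom authenticator whose supports() always returns true runs authenticate() for every request on the firewall, including anonymous requests to a PUBLIC_ACCESS route, which is exactly the "Invalid credentials." seen without an email. The following is an added example, not code from the question or the answer; it assumes the App\Security\JwtAuthenticator name from the question's security.yaml and a hypothetical TokenVerifier service whose emailFor() returns the user's email for a valid token, or null.

```php
<?php
// Added example, not from the question or the answer. Assumes the class name
// App\Security\JwtAuthenticator from the question's security.yaml and a
// hypothetical TokenVerifier service: emailFor(token) returns an email or null.
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

final class JwtAuthenticator extends AbstractAuthenticator
{
    private TokenVerifier $verifier; // hypothetical service, see lead-in
    public function __construct(TokenVerifier $verifier) { $this->verifier = $verifier; }

    // Returning false skips this authenticator for the request. An anonymous request
    // then falls through to access_control, where PUBLIC_ACCESS admits it and
    // ROLE_USER rejects it, instead of being forced into authenticate() with no token.
    public function supports(Request $request): ?bool
    {
        return strncmp((string) $request->headers->get('Authorization', ''), 'Bearer ', 7) === 0;
    }

    public function authenticate(Request $request): PassportInterface
    {
        $email = $this->verifier->emailFor(substr($request->headers->get('Authorization'), 7));
        if ($email === null) {
            // Only reached for requests that actually presented a bearer token.
            throw new CustomUserMessageAuthenticationException('Invalid credentials.');
        }
        return new SelfValidatingPassport(new UserBadge($email));
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null; // continue to the controller
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        return new JsonResponse(['message' => $exception->getMessageKey()], Response::HTTP_UNAUTHORIZED);
    }
}
```

With this supports() in place, the question's original access_control (PUBLIC_ACCESS for ^/auth/login, ROLE_USER for ^/auth) behaves as the docs describe, because unauthenticated requests are no longer rejected before access_control is consulted.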

1 Answer


I resolved it by changing the location of custom_authenticators like this:

security:
    enable_authenticator_manager: true

    firewalls:
        # Firewalls are matched in order and a firewall without a pattern matches
        # every request, so the ^/api firewall has to come before main.
        api:
            pattern: ^/api
            custom_authenticators:        # here is the location for my custom authenticator
                - App\Security\Authenticator
            stateless: true
        main:
            json_login:                   # that is my login for the REST API
                provider: user_provider
                check_path: api_login

    access_control:                       # sits under security, not under firewalls
        - { path: ^/login, roles: PUBLIC_ACCESS }

I hope it helps!
