Authentication

Authentication

When a request points to a secured area, and one of the listeners from the firewall map is able to extract the user’s credentials from the current Symfony\Component\HttpFoundation\Request object, it should create a token, containing these credentials. The next thing the listener should do is ask the authentication manager to validate the given token, and return an authenticated token if the supplied credentials were found to be valid. The listener should then store the authenticated token using the token storage:

  1. use Symfony\Component\HttpKernel\Event\RequestEvent;
  2. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  3. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  4. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  6. class SomeAuthenticationListener
  7. {
  8.     /**
  9.      * @var TokenStorageInterface
  10.      */
  11.     private $tokenStorage;
  13.     /**
  14.      * @var AuthenticationManagerInterface
  15.      */
  16.     private $authenticationManager;
  18.     /**
  19.      * @var string Uniquely identifies the secured area
  20.      */
  21.     private $providerKey;
  23.     // ...
  25.     public function __invoke(RequestEvent $event)
  26.     {
  27.         $request = $event->getRequest();
  29.         $username = ...;
  30.         $password = ...;
  32.         $unauthenticatedToken = new UsernamePasswordToken(
  33.             $username,
  34.             $password,
  35.             $this->providerKey
  36.         );
  38.         $authenticatedToken = $this
  39.             ->authenticationManager
  40.             ->authenticate($unauthenticatedToken);
  42.         $this->tokenStorage->setToken($authenticatedToken);
  43.     }
  44. }

Note

A token can be of any class, as long as it implements Symfony\Component\Security\Core\Authentication\Token\TokenInterface.

The Authentication Manager

The default authentication manager is an instance of Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager:

  1. use Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager;
  2. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  4. // instances of Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface
  5. $providers = [...];
  7. $authenticationManager = new AuthenticationProviderManager($providers);
  9. try {
  10.     $authenticatedToken = $authenticationManager
  11.         ->authenticate($unauthenticatedToken);
  12. } catch (AuthenticationException $exception) {
  13.     // authentication failed
  14. }

The AuthenticationProviderManager, when instantiated, receives several authentication providers, each supporting a different type of token.

Note

You may write your own authentication manager, the only requirement is that it implements Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface.

Authentication Providers

Each provider (since it implements Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface) has a [supports()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Authentication/Provider/AuthenticationProviderInterface.php "Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface::supports()") method by which the AuthenticationProviderManager can determine if it supports the given token. If this is the case, the manager then calls the provider’s [authenticate()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Authentication/Provider/AuthenticationProviderInterface.php "Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface::authenticate()") method. This method should return an authenticated token or throw an Symfony\Component\Security\Core\Exception\AuthenticationException (or any other exception extending it).

Authenticating Users by their Username and Password

An authentication provider will attempt to authenticate a user based on the credentials they provided. Usually these are a username and a password. Most web applications store their user’s username and a hash of the user’s password combined with a randomly generated salt. This means that the average authentication would consist of fetching the salt and the hashed password from the user data storage, hash the password the user has just provided (e.g. using a login form) with the salt and compare both to determine if the given password is valid.

This functionality is offered by the Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider. It fetches the user’s data from a Symfony\Component\Security\Core\User\UserProviderInterface, uses a Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface to create a hash of the password and returns an authenticated token if the password was valid:

  1. use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
  2. use Symfony\Component\Security\Core\Encoder\EncoderFactory;
  3. use Symfony\Component\Security\Core\User\InMemoryUserProvider;
  4. use Symfony\Component\Security\Core\User\UserChecker;
  6. $userProvider = new InMemoryUserProvider(
  7.     [
  8.         'admin' => [
  9.             // password is "foo"
  10.             'password' => '5FZ2Z8QIkA7UTZ4BYkoC+GsReLf569mSKDsfods6LYQ8t+a8EW9oaircfMpmaLbPBh4FOBiiFyLfuZmTSUwzZg==',
  11.             'roles'    => ['ROLE_ADMIN'],
  12.         ],
  13.     ]
  14. );
  16. // for some extra checks: is account enabled, locked, expired, etc.
  17. $userChecker = new UserChecker();
  19. // an array of password encoders (see below)
  20. $encoderFactory = new EncoderFactory(...);
  22. $daoProvider = new DaoAuthenticationProvider(
  23.     $userProvider,
  24.     $userChecker,
  25.     'secured_area',
  26.     $encoderFactory
  27. );
  29. $daoProvider->authenticate($unauthenticatedToken);

Note

The example above demonstrates the use of the “in-memory” user provider, but you may use any user provider, as long as it implements Symfony\Component\Security\Core\User\UserProviderInterface. It is also possible to let multiple user providers try to find the user’s data, using the Symfony\Component\Security\Core\User\ChainUserProvider.

The Password Encoder Factory

The Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider uses an encoder factory to create a password encoder for a given type of user. This allows you to use different encoding strategies for different types of users. The default Symfony\Component\Security\Core\Encoder\EncoderFactory receives an array of encoders:

  1. use Acme\Entity\LegacyUser;
  2. use Symfony\Component\Security\Core\Encoder\EncoderFactory;
  3. use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
  4. use Symfony\Component\Security\Core\User\User;
  6. $defaultEncoder = new MessageDigestPasswordEncoder('sha512', true, 5000);
  7. $weakEncoder = new MessageDigestPasswordEncoder('md5', true, 1);
  9. $encoders = [
  10.     User::class       => $defaultEncoder,
  11.     LegacyUser::class => $weakEncoder,
  12.     // ...
  13. ];
  14. $encoderFactory = new EncoderFactory($encoders);

Each encoder should implement Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface or be an array with a class and an arguments key, which allows the encoder factory to construct the encoder only when it is needed.

Creating a custom Password Encoder

There are many built-in password encoders. But if you need to create your own, it needs to follow these rules:

  1. The class must implement Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface (you can also extend Symfony\Component\Security\Core\Encoder\BasePasswordEncoder);

  2. The implementations of [encodePassword()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php "Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface::encodePassword()") and [isPasswordValid()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Encoder/PasswordEncoderInterface.php "Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface::isPasswordValid()") must first of all make sure the password is not too long, i.e. the password length is no longer than 4096 characters. This is for security reasons (see CVE-2013-5750), and you can use the [isPasswordTooLong()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php "Symfony\Component\Security\Core\Encoder\BasePasswordEncoder::isPasswordTooLong()") method for this check:

    1. use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder;
    2. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
    4. class FoobarEncoder extends BasePasswordEncoder
    5. {
    6.     public function encodePassword($raw, $salt)
    7.     {
    8.         if ($this->isPasswordTooLong($raw)) {
    9.             throw new BadCredentialsException('Invalid password.');
    10.         }
    12.         // ...
    13.     }
    15.     public function isPasswordValid($encoded, $raw, $salt)
    16.     {
    17.         if ($this->isPasswordTooLong($raw)) {
    18.             return false;
    19.         }
    21.         // ...
    22.     }
    23. }

Using Password Encoders

When the [getEncoder()](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Security/Core/Encoder/EncoderFactory.php "Symfony\Component\Security\Core\Encoder\EncoderFactory::getEncoder()") method of the password encoder factory is called with the user object as its first argument, it will return an encoder of type Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface which should be used to encode this user’s password:

  1. // a Acme\Entity\LegacyUser instance
  2. $user = ...;
  4. // the password that was submitted, e.g. when registering
  5. $plainPassword = ...;
  7. $encoder = $encoderFactory->getEncoder($user);
  9. // returns $weakEncoder (see above)
  10. $encodedPassword = $encoder->encodePassword($plainPassword, $user->getSalt());
  12. $user->setPassword($encodedPassword);
  14. // ... save the user

Now, when you want to check if the submitted password (e.g. when trying to log in) is correct, you can use:

  1. // fetch the Acme\Entity\LegacyUser
  2. $user = ...;
  4. // the submitted password, e.g. from the login form
  5. $plainPassword = ...;
  7. $validPassword = $encoder->isPasswordValid(
  8.     $user->getPassword(), // the encoded password
  9.     $plainPassword,       // the submitted password
  10.     $user->getSalt()
  11. );

Authentication Events

The security component provides the following authentication events:

NameEvent ConstantArgument Passed to the Listener
security.authentication.successAuthenticationEvents::AUTHENTICATION_SUCCESSSymfony\Component\Security\Core\Event\AuthenticationSuccessEvent
security.authentication.failureAuthenticationEvents::AUTHENTICATION_FAILURESymfony\Component\Security\Core\Event\AuthenticationFailureEvent
security.interactive_loginSecurityEvents::INTERACTIVE_LOGINSymfony\Component\Security\Http\Event\InteractiveLoginEvent
security.switch_userSecurityEvents::SWITCH_USERSymfony\Component\Security\Http\Event\SwitchUserEvent
security.logout_on_changeSymfony\Component\Security\Http\Event\DeauthenticatedEvent::classSymfony\Component\Security\Http\Event\DeauthenticatedEvent

Authentication Success and Failure Events

When a provider authenticates the user, a security.authentication.success event is dispatched. But beware - this event may fire, for example, on every request if you have session-based authentication, if always_authenticate_before_granting is enabled or if token is not authenticated before AccessListener is invoked. See security.interactive_login below if you need to do something when a user actually logs in.

When a provider attempts authentication but fails (i.e. throws an AuthenticationException), a security.authentication.failure event is dispatched. You could listen on the security.authentication.failure event, for example, in order to log failed login attempts.

Security Events

The security.interactive_login event is triggered after a user has actively logged into your website. It is important to distinguish this action from non-interactive authentication methods, such as:

  • authentication based on your session.
  • authentication using a HTTP basic header.

You could listen on the security.interactive_login event, for example, in order to give your user a welcome flash message every time they log in.

The security.switch_user event is triggered every time you activate the switch_user firewall listener.

The Symfony\Component\Security\Http\Event\DeauthenticatedEvent event is triggered when a token has been deauthenticated because of a user change, it can help you doing some clean-up task.

New in version 4.3: The Symfony\Component\Security\Http\Event\DeauthenticatedEvent event was introduced in Symfony 4.3.

See also

For more information on switching users, see How to Impersonate a User.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.