[Security] Authenticating users with api keys using SimplePreAuthenticatorInterface

[jaytaph]

Issue originally posted by @mseshachalam at symfony/symfony#13330:

In the doc http://symfony.com/doc/current/cookbook/security/api_key_authentication.html ,
the below method's second parameter is user provider.

public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)

When we make the ApiKeyAuthenticator service, the same class will have a class level user provider variable.

Could some please explain the difference between these two user provider variables ?

Thanks

[jaytaph]

The first code snippet seems wrong here. A _construct() is added with the user provider argument and line 43 uses this user provider property, even though a user provider is passed to this method.

The whole idea is that the SimpleFormAuthenticator and SimplePreAuthenticator call the authenticate() method from your custom authenticator, and it will pass the user provider for you.

It will by default use the user provider configured by the firewall (and if none is specified, the first user provider you have configured in your providers section), but it can be overridden by defining the user-provider manually, which is what you want to do here, as you are using a custom provider (to fetch users from api-keys):

    # app/config/security.yml
    security:
        firewalls:
            secured_area:
                pattern: ^/admin
                stateless: false
                simple_preauth:
                    authenticator: apikey_authenticator
                    provider: apikey_userprovider_service

So, unless i'm mistaken, the code snippet doesn't exactly use the simple*authenticators as they should be..

[weaverryan]

See #5255, which discusses this

[weaverryan]

This should now be fixed :). Closing - and thanks @jaytaph!