New in Symfony 6.2: Access Token Authenticator

Contributed by Florent Morselli in #46428.

Access tokens, also called bearer tokens, are defined in RFC6750 and are popular when working with APIs. Any party in possession of an access token can use it to get access to the associated resources. That's why these tokens need to be protected from disclosure in storage and in transport.

In Symfony 6.2 we're adding a new authenticator that extracts access tokens from the request and resolves the user identifier associated with them. The new authenticator can extract tokens from the request header (RFC6750 Section 2.1), the query string (RFC6750 Section 2.2) and the request body (RFC6750 Section 2.3).

To use this authenticator, define a firewall in your application and add the access_token option to it:

# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler: App\Security\AccessTokenHandler

The token_handler option is the only mandatory option. It defines the service that handles the token (e.g. validates it) and retrieves the user associated with it. This service must implement AccessTokenHandlerInterface. For example:

<?php
// src/Security/AccessTokenHandler.php
namespace App\Security;

use App\Repository\AccessTokenRepository;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;

class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(
        // Repository that looks up stored (opaque) tokens by their value
        private readonly AccessTokenRepository $repository,
    ) {
    }

    public function getUserIdentifierFrom(string $token): string
    {
        $accessToken = $this->repository->findOneByValue($token);
        // Unknown, revoked or expired tokens all fail with the same generic message
        if ($accessToken === null || !$accessToken->isValid()) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        // The identifier returned here is what the firewall loads the user by
        return $accessToken->getUserId();
    }
}

Inside your token handler you must validate the given token. For example, if you use opaque tokens such as random strings stored in a database, check that they exist (and are still valid) in the database; if you use self-contained tokens such as JWT or SAML2, validate them according to their specifications.
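As an added example (not code from the Symfony post), here is a handler for the opaque-token case that stores only SHA-256 digests of issued tokens, so a leaked token table does not yield usable bearer tokens. It assumes symfony/security-http 6.2 (whose interface returns the identifier as a string; later versions return a UserBadge instead), a hypothetical class name, and an in-memory array standing in for the repository; the demo at the bottom exists only so the file runs from the CLI.

```php
<?php
// src/Security/HashedOpaqueTokenHandler.php (hypothetical path)
namespace App\Security;

use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;

// Opaque-token handler that keeps only SHA-256 digests of issued tokens, so a
// leaked token store does not hand out usable bearer tokens.
final class HashedOpaqueTokenHandler implements AccessTokenHandlerInterface
{
    /**
     * @param array<string, array{user: string, expires_at: int}> $records
     *        issued tokens keyed by hex SHA-256 digest (stand-in for a repository)
     * @param int|null $now clock override for tests; null means time()
     */
    public function __construct(
        private readonly array $records,
        private readonly ?int $now = null,
    ) {
    }

    public function getUserIdentifierFrom(string $accessToken): string
    {
        // RFC6750 section 2.1 b64token syntax: reject anything else before touching storage.
        if (!preg_match('#^[A-Za-z0-9._~+/-]+=*$#', $accessToken)) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        // Look up by digest: the raw token value is never stored.
        $record = $this->records[hash('sha256', $accessToken)] ?? null;

        // One message for "unknown" and "expired": the caller learns nothing about which it was.
        if ($record === null || $record['expires_at'] <= ($this->now ?? time())) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        return $record['user'];
    }
}

// Constructed stand-alone demo (not part of a Symfony app): issue a token,
// keep only its digest, then resolve the user the way the firewall would.
$token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
$store = [hash('sha256', $token) => ['user' => 'alice@example.com', 'expires_at' => time() + 3600]];
$handler = new HashedOpaqueTokenHandler($store);
echo $handler->getUserIdentifierFrom($token), PHP_EOL;
```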

The new authenticator defines many config options, explained in the Symfony Documentation, such as restricting where to look for tokens in the request, customizing the response for successful and failed authentication, etc.


https://symfony.com/blog/new-in-symfony-6-2-access-token-authenticator?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 2y | 3 Nov 2022, 12:20:55

