New in Symfony 6.2: Access Token Authenticator

Contributed by Florent Morselli in #46428.

Bearer tokens, the most common kind of OAuth 2.0 access token, are defined in RFC6750 and are popular when working with APIs. Any party in possession of a bearer token can use it to access the associated resources; possession is the only proof required. That's why these tokens need to be protected from disclosure in transport (TLS only) and in storage (keep only a digest of the token server-side and never write raw tokens to logs).

In Symfony 6.2 we're adding a new authenticator that fetches an access token from the request and retrieves the user identifier associated with it. The new authenticator can extract tokens from the Authorization request header (RFC6750 Section 2.1), the request body (RFC6750 Section 2.2) and the query string (RFC6750 Section 2.3). Prefer the header: RFC6750 states that the query-string form SHOULD NOT be used unless the other two are impossible, because URLs routinely end up in server logs, browser history and Referer headers.

To use this authenticator, define a firewall in your application and add the access_token option to it:

# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler: App\Security\AccessTokenHandler

The token_handler option is the only mandatory one. It defines the service that handles the token (i.e. validates it) and retrieves the user associated with it. This service must implement AccessTokenHandlerInterface. For example:

// src/Security/AccessTokenHandler.php
namespace App\Security;

use App\Repository\AccessTokenRepository;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;

class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(
        private readonly AccessTokenRepository $repository,
    ) {
    }

    public function getUserIdentifierFrom(string $token): string
    {
        // Look the opaque token up; null means it was never issued (or has been deleted)
        $accessToken = $this->repository->findOneByValue($token);
        // isValid() is where expiry and revocation are checked
        if ($accessToken === null || !$accessToken->isValid()) {
            // Throwing BadCredentialsException makes the firewall reject the request
            throw new BadCredentialsException('Invalid credentials.');
        }

        return $accessToken->getUserId();
    }
}

Inside your token handler you must validate the given token. If you use opaque tokens, such as random strings stored in a database, check that the token exists and has neither expired nor been revoked; if you use self-contained tokens such as JWT, SAML2 assertions, etc., validate them according to their specs (signature, issuer, audience and expiry at a minimum) before trusting any claim they carry.
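The following is an added example, not code from the blog post or from the Symfony project: an opaque-token handler for the Symfony 6.2 AccessTokenHandlerInterface shown above that persists only a SHA-256 digest of each token (so a leaked token table yields nothing usable) and rejects expired or revoked tokens with the same generic error. StoredAccessToken, StoredAccessTokenRepository, InMemoryAccessTokenRepository and the digest/generate helpers are hypothetical names chosen for this example; the in-memory repository holds constructed sample data and stands in for a real Doctrine repository.

```php
<?php
// src/Security/HashedAccessTokenHandler.php
//
// Added example, not code from the Symfony blog post or the Symfony project.
// Opaque-token handler for the Symfony 6.2 AccessTokenHandlerInterface that
// persists only a SHA-256 digest of each token and rejects expired or revoked ones.
// StoredAccessToken, StoredAccessTokenRepository and InMemoryAccessTokenRepository
// are hypothetical stand-ins for your own persistence layer.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;

/** Hypothetical persisted record: digest of the token, its owner, expiry and revocation flag. */
final class StoredAccessToken
{
    public function __construct(
        public readonly string $digest,            // hex SHA-256 of the raw token, never the token itself
        public readonly string $userIdentifier,
        public readonly \DateTimeImmutable $expiresAt,
        public readonly bool $revoked = false,
    ) {
    }
}

/** Hypothetical repository contract; a Doctrine repository would implement the same lookup. */
interface StoredAccessTokenRepository
{
    public function findOneByDigest(string $digest): ?StoredAccessToken;
}

/** In-memory implementation holding constructed sample records, so the handler runs offline. */
final class InMemoryAccessTokenRepository implements StoredAccessTokenRepository
{
    /** @param StoredAccessToken[] $tokens */
    public function __construct(private readonly array $tokens)
    {
    }

    public function findOneByDigest(string $digest): ?StoredAccessToken
    {
        foreach ($this->tokens as $token) {
            // Constant-time comparison; an indexed database lookup by digest needs no such care
            if (hash_equals($token->digest, $digest)) {
                return $token;
            }
        }

        return null;
    }
}

final class HashedAccessTokenHandler implements AccessTokenHandlerInterface
{
    /** @param (\Closure(): \DateTimeImmutable)|null $clock injectable for tests; defaults to wall-clock time */
    public function __construct(
        private readonly StoredAccessTokenRepository $repository,
        private readonly ?\Closure $clock = null,
    ) {
    }

    public function getUserIdentifierFrom(string $accessToken): string
    {
        // The raw token is hashed before it reaches storage or logs
        $stored = $this->repository->findOneByDigest(self::digest($accessToken));
        $now = $this->clock ? ($this->clock)() : new \DateTimeImmutable();

        // One generic error for every failure mode, so a client cannot distinguish
        // "unknown token" from "expired" or "revoked"
        if (null === $stored || $stored->revoked || $stored->expiresAt <= $now) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        return $stored->userIdentifier;
    }

    /** Same digest on issue and on lookup; plain sha256 suffices because tokens are 256-bit random values, not passwords */
    public static function digest(string $rawToken): string
    {
        return hash('sha256', $rawToken);
    }

    /** Generates a fresh opaque token; persist digest($raw) and hand $raw to the client exactly once */
    public static function generate(): string
    {
        return bin2hex(random_bytes(32));
    }
}
```

To wire it up, point the firewall's token_handler at App\Security\HashedAccessTokenHandler and alias StoredAccessTokenRepository to your real repository in services.yaml; the in-memory repository exists only so the example can be exercised without a database. Issuing a token is `$raw = HashedAccessTokenHandler::generate();` followed by storing a StoredAccessToken built from `HashedAccessTokenHandler::digest($raw)`. A slow password hash (bcrypt, Argon2) is deliberately not used here: it defends against guessing low-entropy secrets, which a 256-bit random token is not, and it would add a costly hash to every API request.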

The new authenticator defines many other config options, which are explained in the Symfony Documentation: token_extractors restricts where to look for tokens in the request (for instance, the Authorization header only), and further options customize the response for successful and failed authentication.


https://symfony.com/blog/new-in-symfony-6-2-access-token-authenticator?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Created 3y ago | 03.11.2022, 12:20:55

