Search code examples
authenticationsymfonysymfony4

Where is correct place to authenticate users from multiple places?


In my first Symfony 4.4 project, I need to authenticate users from database. Unfortunately, before user sign-in I need to check user status in remote API service. If user is active in this service and credentials are same as in my database, I can authenticate user in my app.

Where is best place to check that user is active before authentication in my app? I need to create custom guard? Custom user provider?

I use Lexik JWT authentication, there is my /config/packages/security.yaml

security:
    providers:

        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        authorization:
            pattern:  ^/api/v1/auth/
            stateless: true
            anonymous: true
            json_login:
                check_path: /api/v1/auth/sign-in/
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                username_path: email
        api:
            pattern: ^/api/v1/(user|req)/
            stateless: true
            anonymous: false
            provider: app_user_provider
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator


Solution

  • I haven't used Symfony after 4.1 so things might have changed recently. You just need to check.

    Where is best place to check that user is active before authentication in my app? I need to create custom guard? Custom user provider?

    User Provider is the answer. If you look at the UserProviderInterface it says "Internally, a user provider can load users from any source (databases, configuration, web service)."

    ... before user sign-in I need to check user status in remote API service. If user is active in this service and credentials are same as in my database, I can authenticate user in my app.

    So what you can do is to meet your requirement:

    • Implement a firewall in your serurity.yaml and make it use simple_preauth.
    • Implement your authenticator class that goes with simple_preauth. authenticator. This wires everything up as far as the authentication goes.
    • Implement you user provider that calls your remote API first to check if user is active then after that, check agains your local DB so on.

    Resources:

    • Make sure you understand the Symfony Auth flow before everything!
    • An example of JWT auth flow in Symfony.
    • There are a lot of Symfony security related examples here.
    • Also have a look at the Symfony Security doc where you will see plenty of info on whole subject.