Security: User provider is mandatory, even if I don't need it. #21998
Comments
|
As I understand it's not a bug but something mandatory that may not be. Also it's present in any version of Symfony as it's a "missing feature". Right ? |
|
Well… it's hard to tell. I updated the Q/A table. It is a bug in a sense that I cannot use authenticator which don't use users, but there is nothing really broken. It is just an unnecessary constraint. |
|
"There is nothing really broken. It is just an unnecessary constraint." LMFTFY:
|
|
If this part is being refactored I'd suggest taking it larger, as a lot of Symfony's configuration in this area is pretty outdated in practice. When implementing APIs or external authentication mechanisms I commonly have implementations of UserInterface around that are not about users at all, and have a ton of empty methods around that are not relevant. The UserProvider/UserInterface subsystem is geared far too much towards the classical user/password website login, and hence also stem 'weirdish' things like the one mentioned here with a UserProvider being mandatory. |
|
Exactly. As far as I understand, there is no need for UserProvider unless AuthenticationListener requires one. When a different paradigm is used for authentication, this entire UserProvider infrastructure is not used at all. Firewall and AuthenticationListeners are fine and generic enough. Tokens are a bit confusing and there is an unnecessary bound to sessions, but thats for another story. Questionable is the rest of the infrastructure above the AuthenticationListeners. So, let's make UserProviders optional. It would allow us to build a new lighter and simpler infrastructure while keeping the old one in place until the new is ready. |
This PR was squashed before being merged into the 4.1-dev branch (closes #26787). Discussion ---------- [Security] Make security.providers optional | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #21998 | License | MIT Don't really know if it's viable but I just hit #21998 so I would like to tackle this. Commits ------- ee54bfa [Security] Make security.providers optional
I use custom authentication which stands on tokens without users. Therefore, I don't use UserProvider. But configuration loader requires me to provide at least one user provider.
Please make user provider optional. When some component asks for user from user provider, it should crash, so I know there is something wrong.
The text was updated successfully, but these errors were encountered: