UserInterface is thightly coupled with password authentication #28365

Spomky · 2018-09-04T20:12:11Z

This is not an issue, but rather a forward-looking discussion about the user authentication topic.

Description
At the moment, the user interface is thighly coupled with an authentication based on a username/password pairs.
This not not a problem at all as 999‰ of the running applications use this authentication method.
However, with the coming Webauthn standard, passwords won’t be needed anymore. This standard allows user to associate an infinite number of security tokens that will mainly communicate through the USB, NFC, Bluetooth or an internal protocol.
Data that is supposed to be stored is credential IDs and associated cryptographic public keys instead of passwords and salts.
Therefore, the methods getPassword, getSalt and all the associated functionalities (e.g. password encoders) will become completely useless.

Possible Solution
This interface and the other classes that use/implement those methods may gradually evolve to take into account this new authentication scheme.
Methods could be renamed into getCredentials or another generic equivalent that is not specifically linked to a password.
In any cases, changes will undoubtedly affect several classes, associated logic (e.g. AbstractToken or SwitchUserListener) and the way application manage their user credentials.

Please, do not hesitate to participate and share here the way you imagine futur authentication architecture.

The text was updated successfully, but these errors were encountered:

curry684 · 2018-09-04T20:33:22Z

This not not a problem at all as 999‰ of the running applications use this authentication method.

This premise is already way off today. In just about every application I've designed and written over the past 2 years I've implemented UserInterface in an Identity class (which is what it should be) and left the getPassword and getSalt methods intentionally empty. The concept of a User itself is of course already way off today in a world of microservices using service/machine accounts and even OAuth2 being extended with Device Flow to support headless IoT devices. .NET actually got this right mostly with their notion of Principals rather than Users.

The issue has been discussed before that the authentication part of Symfony Security component is rather archaic and outdated (not authorization which is, apart from some painful bug-inviting design choices in Voter, generally fine). Specifically I recommend you read #21029 to the end, especially from my comment at #21029 (comment)

However I do think that issue should not have been closed at the time as the underlying issue is currently, months later, still not fixed or to my knowledge fundamentally being refactored into 2018 authentication paradigms, and 5.x is nearing fast if we want to do really breaking stuff.

I suggest we start a Project on this to get to a future proof implementation in time for 5.0 next year.

xabbuh · 2018-09-06T10:16:13Z

Thanks for the issue, but I think we should continue in #23081. :)

Spomky · 2018-09-06T12:45:20Z

Hi @curry684, I was way off the reality. Thank you for the links, I was not aware of ongoing discussions about this topic. Let's continue there.

chalasr added Security RFC RFC = Request For Comments (proposals about features that you want to be discussed) labels Sep 5, 2018

javiereguiluz added this to the next milestone Sep 5, 2018

xabbuh closed this as completed Sep 6, 2018

nicolas-grekas modified the milestones: next, 4.4 Oct 27, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

UserInterface is thightly coupled with password authentication #28365

UserInterface is thightly coupled with password authentication #28365