[RFC] Symfony Security rework tracking issue #30914

curry684 · 2019-04-06T15:28:22Z

After discussions at EU FOSSA Hackathon we have some ideas on how to rework the Security component. I'm writing this "tracker issue" to gather up the info and choices made thus far.

The biggest functional issues have been discussed frequently over the years (#10316 and others) that the authentication makes some shortcut assumptions no longer valid in 2019:

The object of security considerations is not always a user, it may be a device, a computer, an API key, or any number of other abstract things. In the security world the concept of "something that can participate in security questions" is called a Principal.
There should be a functional separation between the Principal performing an action and the Context he is in while doing so. Authorization decisions should be based on the presented Context. This solves many practical issues like impersonation and "act as company".
Principals may be authenticated by various means, and be oblivious themselves on the subject. Principals should therefore not expose functionality to get passwords or roles as they may not have any. Tokens handle authentication.

The Symfony Security component was originally based on the Java Spring Security framework, but has deviated over the years. Today Spring Security has both fixed some structural issues that Symfony has (the notion of principals versus users and no central assumption that passwords and roles exist) and has some features that are currently lacking or hacky at best (structural support for OpenID/OAuth, support for 2FA). Conclusion for now is that most of the current Security component, especially authorization, is mostly fine and does not need a lot of work, and it wouldn't be all that hard to fix the authentication parts, and more strongly decouple authentication and authorization, by taking some current inspiration from Spring again.

Once these changes are propagated a lot of other features related to authentication should be easier to implement. Wishlists have been assembled:

Authentication

Authorization

"Access control" to set permissions over web site sections using regexps not affected by Security changes
Native @Security annotation to set the permissions of controller classes and/or actions not affected by Security changes
Grant or deny permissions based on trust levels, such as whether 2FA is enabled or "sudo mode" is required
Having an opinionated way to set up object-level control mechanism (CRUD). Voters tend to be a little bit too general in my opinion, making necessary to set up per project conventions (ie, you have to check for “EDIT” attribute…), which can’t be enforced programmatically now.

Users

Dropping the notion of users at the lowest level must not mean DX suffers and developers need to write a lot of boilerplate again. In fact directly implementing PrincipalInterface should likely be considered an advanced subject, and we should provide a layer with abstract and stock implementation of common user-based scenarios:

Non-wishlist

As we are committed to using voters for authorization, and do not want to have/support 2 mechanisms serving similar or mostly identical purposes we will not implement ACLs again

/cc @wouterj @derrabus @linaori @sstok

The text was updated successfully, but these errors were encountered:

quentinus95 · 2019-04-08T06:33:29Z

Following your comment on #28868, I wanted to add what I wrote there about authentication.

The current implementation considers authentication as a binary state (authenticated / not authenticated), and we use additional roles and rules (IS_AUTHENTICATED_FULLY) to determine the amount of trust we give to the authenticated principal.

The main issue is that we use authorization to describe something purely related to authentication. Something interesting could be to change this idea of binary status and replace it with a level of trust (e.g. an authentication through a form_login gives you 100 points). Having a 2FA form / using the remember me feature / having multiple factors could have an impact on this level of trust (e.g. using login_form + 2fa gives you a total of 150 points, using remember me gives you a total of 80 points, ...).

We could use this mecanism to ease authentication controls by defining, for instance, a minimal level of trust either using firewalls or path based security rules. This would give a lot of flexibility to craft advanced authentication mecanisms.

curry684 · 2019-04-08T08:29:30Z

@quentinus95 interesting thoughts. You should however remember that the process of authentication itself is handled by Tokens, so the process of how an authentication chain ends up at a certain level of trust should be handled there. This is even already being improved by the proposal at #30765.

In a nutshell right now we're pretty limited with the RememberMeToken granting IS_AUTHENTICATED_REMEMBERED, and just about every other one ends up with IS_AUTHENTICATED_FULLY. We'll need more granular control there to indeed implement some of the scenarios you describe and are also in some form in the to-do list of this RFC, specifically

Require 2FA to be enabled for the user for certain highly dangerous actions
Implement "sudo mode", requiring reauthentication to temporarily get into an "elevated" authentication

curry684 · 2019-04-08T09:05:51Z

Updated RFC with some minor things:

Added trust levels to authorization section
Renamed Identity to Context to comply with Spring terminology and to reduce confusion with .NET which implement Identity a bit differently)
Clarified object level permission description to explicitly mention CRUD, there should be some easily usable extension to Voters to implement CRUD functionality at object/entity levels

vudaltsov · 2019-04-08T11:36:42Z

@curry684 , this is a great list, thank you!

I have some thoughts:

Manual authentication. Useful when authenticating user right after he has signed up. This is a common question which is usually solved by copying https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Security/LoginManager.php and a hackish compiler pass for remember me into the project.
A centralized token invalidation mechanism. It seems that tokens should not validate themselves — it's not flexible and extensible. Consider a scenario, when some security issue happens at the website, and you need to invalidate all logins after a fix. Currently there's no easy way to deactivate RememberMeTokens. Once in Slack I proposed to add a TokenValidatorInterface.
```
interface TokenValidatorInterface
{
    public function supports(TokenInterface $token): bool;

    public function isValid(TokenInterface $token/*, $someOtherArgs */): bool;
}
```
By the way, the code from AbstractToken::hasUserChanged() could be implemented under such an interface easily.

teohhanhui · 2019-04-11T15:53:01Z

Relevant comment on password rehashing: #31019 (comment)

curry684 · 2019-04-12T07:01:16Z

@vudaltsov first one is already on the list as manual authentication, second one added, thanks!

@teohhanhui given that in that issue "the framework" has made a choice on the subject I'm not seeing an RFC item there. It's of course a valid discussion but not something to have here right now I think.

teohhanhui · 2019-04-12T10:30:12Z

@curry684 Not the PR, but my comment. Well, I should just put it here:

https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/html5/#pe-dpe
https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/api/org/springframework/security/crypto/password/DelegatingPasswordEncoder.html
https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/api/org/springframework/security/crypto/factory/PasswordEncoderFactories.html#createDelegatingPasswordEncoder--

curry684 · 2019-04-12T10:47:02Z

Hmm interesting, thanks 👍

rpkamp · 2019-05-25T12:02:45Z

For login throttling you could also consider device cookies: https://www.owasp.org/index.php/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies

That would need some state about logins saved somewhere, but I suppose implementing the functionality and leaving an interface for the user to implement storage -possibly with adding defaults in e.g. DoctrineBridge- might work.

Guikingone · 2019-05-28T08:01:00Z

Hi 👋

I was thinking about the OAuth provider, what about using the HttpClient and provide a default system similar to what is available in PHPLeague: https://github.com/thephpleague/oauth2-client ? 🤔

Any idea?

stephanvierkant · 2019-06-03T14:04:55Z

Is this the right issue to note that \Symfony\Component\Security\Core\User\UserInterface::getSalt() makes no sense with modern hashing functions?

chalasr · 2019-06-11T13:31:45Z

I'm going to work on the JWT part.

ro0NL · 2019-07-31T18:05:41Z

Is this the right issue to note that \Symfony\Component\Security\Core\User\UserInterface::getSalt() makes no sense with modern hashing functions?

for this id like to propose a new contract, as we're heading for encodePassword($pass, null) and have this useless arg

hktr92 · 2019-10-24T07:16:12Z

I have an internal web app at work that requires impersonation chaining. the current impl supports only one impersonation and there are issues when you impersonate yourself (you shouldn't be allowed to do so). so it might be useful to be in the wild, but defaulting to allow a single impersonation in the chain.

I'll try to experim this feature internally (and bug fixing) and if it were to be implemented in the base code, i'll be willing to implement it in the component.

hkdobrev · 2020-03-23T19:37:14Z

Could we have new Symfony contracts for the token interface and the user interface if applicable? What do you think?

linaori · 2020-03-24T08:06:34Z

@hkdobrev see #35237, unless there's a very good reason, I don't think it will happen

wouterj · 2020-04-22T18:53:33Z

With the merge of the new experimental security (ref #33558), the following boxes can be ticked 😃

Authentication

User checkers (allow to make checks after user has logged in to block the log in if needed)
Support pre-authentication mechanisms (e.g. X.509 certificates, Request-Header authentication, etc.)
Easy to add new authentication mechanisms (as Guard currently offers)
Easy customization of provided authentication mechanisms
More events: at least having an event before a login is attempted, which could be used to implement custom rate-limiting mechanism

Users

Allow to log in users programmatically in an easy way (e.g. $security->login(‘username’))
Make it trivial to test protected resources (logging in a user in tests should be very easy) (implemented by [DX][Testing] Added a loginUser() method to test protected resources #35997)

curry684 · 2020-04-22T20:17:03Z

Nice work! I don't think you need me to physically tick them right? edit: ticked them off in case you do 😉

wouterj · 2020-04-22T20:20:08Z

@curry684 I don't have special permissions for the symfony/symfony repository. So either you or a core team member can tick them.

edit: thanks a lot for the quick response!

jrushlow · 2020-05-05T06:59:43Z

From the original post:

"I forgot my password" (provide a default implementation for that or simplify a lot its implementation) (Note: currently under review in the MakerBundle)

This feature has been implemented in the maker bundle make:reset-password using symfonycasts/reset-password-bundle

https://github.com/symfonycasts/reset-password-bundle

jrushlow · 2020-05-05T07:03:37Z

Another user related function would be email verification. This is also a WIP and should be ready soon.

symfony/maker-bundle#542

curry684 · 2020-05-06T10:36:30Z

Cheers, updated OP!

jrushlow · 2020-05-29T15:19:43Z

Another user related function would be email verification. This is also a WIP and should be ready soon.

symfony/maker-bundle#542

@curry684 We just merged this in a few moments ago - another check mark on the list

curry684 · 2020-05-30T22:02:38Z

@jrushlow checked off 😄

wouterj · 2021-06-08T17:21:00Z

So after a long ride, I think it's time to close this issue. Starting with this issue, the security component has received lots of attention the past 2 years. I'm happy to see that almost all items on this list are ticked off. The remaining ones are either on the list for 5.4 in specialized issues or already fixed by a community bundle (which we may or may not merge in Symfony one day).

Thanks a lot for everyone that has in some way been part of this long journey!

stof · 2021-06-08T17:39:21Z

Regarding password validators, I think we can consider it covered too:

compromised passwords are covered in the core
min length is covered in the core
password complexity requirements are explicitly discouraged by the latest NIST password guidelines, so I'm fine with not having them in the core. For projects that still want to use them, there is https://packagist.org/packages/rollerworks/password-strength-bundle

curry684 · 2021-06-08T18:43:13Z

It's been a happy ride indeed 👍

See you next FOSSA event 😉

password complexity requirements are explicitly discouraged by the latest NIST password guidelines

@stof is the discouragement explicit and complete now? I'm fully aware requiring 'complex passwords' has been discouraged for good reasons for several years in most policies, however to my knowledge it has always been recommended to require some basic level of entropy by disallowing dictionary words, excessively short passwords and common 'canned' passwords like qwerty, nimda or 1234.

wouterj · 2021-06-08T19:56:33Z

@curry684 see https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. [...]
Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. [...]
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. [...]

curry684 · 2021-06-09T08:11:01Z

From the same link I was actually right:

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.
[...]
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
Dictionary words.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.
If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

Given that we cover minimum length and breach lists I agree it's enough and the rest is optionally pluggable. The confusion was in what 'complexity' entails, I consider disallowing dictionary words a complexity thing.

pbowyer · 2021-06-09T10:14:17Z

Thank you to everyone who's contributed, it's great to have these improvements in Symfony!

michaelcullum added the ⭐️ EUFOSSA Hackathon label Apr 6, 2019

This was referenced Apr 6, 2019

[Security] getUsername in UserInterface is confusing #10316

Closed

Inability to update a user's roles after login #12025

Closed

[Security] Split tokens in authentication-request and authenticated ones #30765

Closed

nicolas-grekas pinned this issue Apr 7, 2019

nicolas-grekas changed the title ~~[WiP] Symfony Security rework tracking issue~~ [RFC] Symfony Security rework tracking issue Apr 7, 2019

nicolas-grekas added the RFC RFC = Request For Comments (proposals about features that you want to be discussed) label Apr 7, 2019

curry684 mentioned this issue Apr 7, 2019

[Security] Native support for 2FA #28868

Closed

kaznovac mentioned this issue Apr 7, 2019

[SecurityBundle][DX] http://symfony.com/schema/dic/security schema is missing #28141

Closed

teohhanhui mentioned this issue Apr 11, 2019

[Security] Replace Argon2*PasswordEncoder by SodiumPasswordEncoder #31019

Merged

teohhanhui mentioned this issue Apr 17, 2019

Built-in password hash migrations #31139

Closed

chalasr mentioned this issue Apr 18, 2019

[Security/Http] Make UserValueResolver accept any subtype of UserInterface #30401

Closed

chalasr mentioned this issue Apr 26, 2019

[Security] Dispatch an event when "logout user on change" steps in #31138

Merged

This was referenced Jun 7, 2019

[FEAT] [SECURITY] OAuth component #31937

Closed

[WIP][Security] OAuth2 component #31952

Closed

fabpot removed the ⭐️ EUFOSSA Hackathon label Jun 16, 2019

chalasr mentioned this issue Jul 31, 2019

[Security] add support for opportunistic password migrations #31843

Merged

wouterj mentioned this issue Dec 1, 2019

[Security] Deprecate isGranted()/decide() on more than one attribute #33584

Merged

scheb mentioned this issue Mar 24, 2020

Extended support for various pre login checks scheb/two-factor-bundle#278

Closed

simonberger mentioned this issue Apr 25, 2020

[Security] Removed anonymous in the new security system #36574

Merged

wouterj mentioned this issue Jun 4, 2020

PasswordValidator #37093

Closed

simonberger mentioned this issue Jun 14, 2020

Login throttling #37266

Closed

fabpot unpinned this issue Jul 24, 2020

wouterj mentioned this issue Dec 4, 2020

[Security] The road to a stable authenticator-based authentication #39308

Closed

symfony deleted a comment from mynameisbogdan Feb 23, 2021

symfony deleted a comment from wouterj Feb 23, 2021

wouterj closed this as completed Jun 8, 2021

chalasr mentioned this issue May 21, 2022

[Security] Add Bearer Authenticator #45844

Closed

Spomky mentioned this issue May 15, 2023

[Security] OAuth2 Introspection Endpoint (RFC7662) #50027

Merged

Spomky mentioned this issue Nov 1, 2023

[Security] Facilitate the management of user sessions #52412

Closed

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[RFC] Symfony Security rework tracking issue #30914

[RFC] Symfony Security rework tracking issue #30914