Merge branch '6.3' into 6.4

OskarStark · OskarStark · commit af8cf4b79dc8 · 2023-12-09T19:02:26.000+01:00
* 6.3: [Form] Document using TranslatableMessage in form Fields [symfony#19122] Reword [SecurityBundle] Improve support for authenticators that don't need a user provider
diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst
@@ -1025,6 +1025,8 @@ multiple firewalls, the "context" could actually be shared:
     ignored and you won't be able to authenticate on multiple firewalls at the
     same time.
 
+.. _reference-security-stateless:
+
 stateless
 ~~~~~~~~~
 
diff --git a/reference/forms/types/options/button_label.rst.inc b/reference/forms/types/options/button_label.rst.inc
@@ -1,7 +1,7 @@
 ``label``
 ~~~~~~~~~
 
-**type**: ``string`` **default**: The label is "guessed" from the field name
+**type**: ``string`` or ``TranslatableMessage`` **default**: The label is "guessed" from the field name
 
 Sets the label that will be displayed on the button. The label can also
 be directly set inside the template:
diff --git a/reference/forms/types/options/placeholder.rst.inc b/reference/forms/types/options/placeholder.rst.inc
@@ -1,7 +1,7 @@
 ``placeholder``
 ~~~~~~~~~~~~~~~
 
-**type**: ``string`` or ``boolean``
+**type**: ``string`` or ``TranslatableMessage`` or ``boolean``
 
 This option determines whether or not a special "empty" option (e.g. "Choose
 an option") will appear at the top of a select widget. This option only
@@ -14,6 +14,9 @@ applies if the ``multiple`` option is set to false.
 
     $builder->add('states', ChoiceType::class, [
         'placeholder' => 'Choose an option',
+
+        // or if you want to translate the text
+        'placeholder' => new TranslatableMessage('form.placeholder.select_option', [], 'form'),
     ]);
 
 * Guarantee that no "empty" value option is displayed::
diff --git a/security/access_token.rst b/security/access_token.rst
@@ -705,6 +705,41 @@ create your own User from the claims, you must
         }
     }
 
+Creating Users from Token
+-------------------------
+
+.. versionadded:: 6.3
+
+    The possibility to omit the user provider in case of stateless firewalls
+    was introduced in Symfony 6.3.
+
+Some types of tokens (for instance OIDC) contain all information required
+to create a user entity (e.g. username and roles). In this case, you don't
+need a user provider to create a user from the database::
+
+    // src/Security/AccessTokenHandler.php
+    namespace App\Security;
+
+    // ...
+    class AccessTokenHandler implements AccessTokenHandlerInterface
+    {
+        // ...
+
+        public function getUserBadgeFrom(string $accessToken): UserBadge
+        {
+            // get the data from the token
+            $payload = ...;
+
+            return new UserBadge(
+                $payload->getUserId(),
+                fn (string $userIdentifier) => new User($userIdentifier, $payload->getRoles())
+            );
+        }
+    }
+
+When using this strategy, you can omit the ``user_provider`` configuration
+for :ref:`stateless firewalls <reference-security-stateless>`.
+
 .. _`JSON Web Tokens (JWT)`: https://datatracker.ietf.org/doc/html/rfc7519
 .. _`SAML2 (XML structures)`: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
 .. _`RFC6750`: https://datatracker.ietf.org/doc/html/rfc6750
