From 6cb1ca8cfec938a596a8a5d3587908d5c4d61d6d Mon Sep 17 00:00:00 2001 From: Alexandre Daubois Date: Thu, 9 Nov 2023 11:44:40 +0100 Subject: [PATCH] [SecurityBundle] Improve support for authenticators that don't need a user provider --- security/access_token.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/security/access_token.rst b/security/access_token.rst index 922e6906f58..85655d8d670 100644 --- a/security/access_token.rst +++ b/security/access_token.rst @@ -709,6 +709,25 @@ create your own User from the claims, you must } } +Using Self-Claimed Tokens +------------------------- + +You may use tokens that are self-claimed, meaning that they contain all +the information needed to authenticate the user. This happens when a security +token doesn't need a user provider to get all needed information about the +user. For instance, a JWT can be self-claimed when it contains a username as +well as the roles of the user. + +When using self-claimed tokens with stateless firewalls, you can omit to +configure a user provider. The token authenticator will use the token to +create a user object with the claims of the token. This means that you can +skip creating your own user provider. + +.. versionadded:: 6.3 + + The possibility to omit the user provider in case of stateless firewalls + and self-claimed tokens was introduced in Symfony 6.3. + .. _`JSON Web Tokens (JWT)`: https://datatracker.ietf.org/doc/html/rfc7519 .. _`SAML2 (XML structures)`: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html .. _`RFC6750`: https://datatracker.ietf.org/doc/html/rfc6750
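Review bot: The second paragraph of the new "Using Self-Claimed Tokens" section says the token authenticator "will use the token to create a user object with the claims of the token", but nothing in the section says the token must be verified first. With no user provider lookup behind it, the username and roles come straight from the token, so the text should state that this is only appropriate when the token handler validates the token's signature and validity before the claims are used. A short configuration example of a stateless firewall with no user provider would also help, since the section describes the setup only in prose. Two wording points in the same paragraphs: "you can omit to configure a user provider" would read better as "you can omit the user provider configuration", and "self-claimed" is defined here but is an unusual term; "self-contained" is what readers are more likely to search for.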