[Security] Authenticator methods description #20090

Merged
merged 1 commit into from
Dec 6, 2024
27 changes: 15 additions & 12 deletions security/custom_authenticator.rst
Expand Up @@ -153,22 +153,25 @@ or there was something wrong (e.g. incorrect password). The authenticator
can define what happens in these cases:

``onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response``
If the user is authenticated, this method is called with the
authenticated ``$token``. This method can return a response (e.g.
redirect the user to some page).
If authentication is successful, this method is called with the
authenticated ``$token``.

If ``null`` is returned, the request continues like normal (i.e. the
controller matching the login route is called). This is useful for API
routes where each route is protected by an API key header.
This method can return a response (e.g. redirect the user to some page).

If ``null`` is returned, the current request will continue (and the
user will be authenticated). This is useful for API routes where each
route is protected by an API key header.

``onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response``
If an ``AuthenticationException`` is thrown during authentication, the
process fails and this method is called. This method can return a
response (e.g. to return a 401 Unauthorized response in API routes).
If authentication failed (e. g. wrong username password), this method
is called with the ``AuthenticationException`` thrown.

This method can return a response (e.g. send a 401 Unauthorized in API
routes).

If ``null`` is returned, the request continues like normal. This is
useful for e.g. login forms, where the login controller is run again
with the login errors.
If ``null`` is returned, the request continues (but the user will **not**
be authenticated). This is useful for login forms, where the login
controller is run again with the login errors.

If you're using :ref:`login throttling <security-login-throttling>`,
you can check if ``$exception`` is an instance of
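Review bot: the added failure-case sentence "If authentication failed (e. g. wrong username password), this method is called with the ``AuthenticationException`` thrown." has a stray space in "e. g." and is missing a conjunction between "username" and "password"; suggest "If authentication failed (e.g. wrong username or password), this method is called with the ``AuthenticationException`` that was thrown.", which also matches the "e.g." spelling used in the other added lines of this hunk. The substantive change is an improvement: stating explicitly that returning ``null`` from ``onAuthenticationSuccess`` continues the request with the user authenticated, while ``null`` from ``onAuthenticationFailure`` continues it with the user **not** authenticated, replaces the ambiguous "continues like normal" with the outcome an authenticator implementer actually needs to know. One further wording point on the success side: "This method can return a response (e.g. redirect the user to some page)." could say that a returned response is sent instead of running the controller, since the next paragraph contrasts it with the ``null`` case where the controller is reached.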