| description | Customize user authentication. |
|---|---|
| month_change | true |
Symfony provides native support for [multiple user providers]([[= symfony_doc =]]/security/user_providers.html). This makes it easier to integrate any kind of login handlers, including SSO and existing third party bundles (for example, FR3DLdapBundle, HWIOauthBundle, FOSUserBundle, or BeSimpleSsoAuthBundle).
However, to be able to use external user providers with [[= product_name =]], a valid Ibexa user needs to be injected into the repository. This is mainly for the kernel to be able to manage content-related permissions (but not limited to this).
Depending on your context, you either want to create and return an Ibexa user, or return an existing user, even a generic one.
Whenever a user is matched and authenticated, Symfony initiates an AuthenticationTokenCreatedEvent.
Every service listening to this event receives an object which contains the original security token (that holds the matched user) and a [passport]([[= symfony_doc =]]/security/custom_authenticator.html#security-passports).
Then, it's up to a listener to retrieve an Ibexa user from the repository.
This Ibexa user can be
- embedded into
Ibexa\Core\MVC\Symfony\Security\Userwhile forgetting about the original user - wrapped into
Ibexa\Core\MVC\Symfony\Security\UserWrappedwith the original user if needed
Finally, this user is assigned back into the event's token for the rest of the process.
The following example uses the [memory user provider]([[= symfony_doc =]]/security/user_providers.html#memory-user-provider), maps memory user to Ibexa repository user, and [chains]([[= symfony_doc =]]/security/user_providers.html#chain-user-provider) with the Ibexa user provider to be able to use both:
Create as src/EventSubscriber/AuthenticationTokenCreatedSubscriber.php subscribing to the AuthenticationTokenCreatedEvent event
and mapping when needed an in-memory authenticated user to an Ibexa user:
[[= include_file('code_samples/user_management/in_memory/src/EventSubscriber/AuthenticationTokenCreatedSubscriber.php') =]]In config/packages/security.yaml,
add the memory and chain user providers,
store some in-memory users with their passwords in plain text and a basic role,
set a plaintext password encoder for the memory provider's InMemoryUser,
and configure the firewall to use the chain provider:
[[= include_file('code_samples/user_management/in_memory/config/packages/security.yaml') =]]In the config/services.yaml file, declare the subscriber as a service to pass your user map
(it's automatically tagged kernel.event_subscriber as implementing the EventSubscriberInterface, the config resolver and user service injections are auto-wired):
[[= include_file('code_samples/user_management/in_memory/config/services.yaml') =]]You can list the subscribers with the following command to check their order:
php bin/console debug:event-dispatcher AuthenticationTokenCreatedEventNotice that the example subscriber priority is 11 so it's executed before
the Ibexa\Core\MVC\Symfony\Security\Authentication\EventSubscriber\OnAuthenticationTokenCreatedRepositoryUserSubscriber
which set the Ibexa user as the current user.
From the back office, create the mapped users.
For the example, a new user with the login generic_customer and a random password for the mapping to work,
this account can be in the Customers or the Anonymous users group.
You can now log in with an in-memory user.
In the Symfony debug toolbar, you should see the in-memory user as this example uses UserWrapped.