I'm trying to authenticate against a ldap server using symfony 4.2 and its LdapUserProvider but I get the following error
[2019-08-09 17:40:52] security.DEBUG: Cannot refresh token because user has changed. {"username":"admin","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2019-08-09 17:40:52] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-08-09 17:40:52] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-08-09 17:40:52] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied.
I found that the refreshed user password is hard coded to null in the ldapProvider. This refreshed user is then evaluated not equal to the token user and this results in the deauthentification of the user.
vendor/symfony/security-core/User/LdapUserProvider.php:
public function refreshUser(UserInterface $user)
{
if (!$user instanceof User) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
}
return new User($user->getUsername(), null, $user->getRoles());
}
vendor/symfony/security-http/Firewall/ContextListener.php:
try {
$refreshedUser = $provider->refreshUser($user);
$newToken = clone $token;
$newToken->setUser($refreshedUser);
...
}
How can I solve this issue ?
Thanks
This issue has been fixed in symfony 4.4, in symfony/src/Symfony/Component/Ldap/Security/LdapUserProvider.php
the password is not set to null anymore
public function refreshUser(UserInterface $user)
{
if (!$user instanceof LdapUser) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
}
return new LdapUser($user->getEntry(), $user->getUsername(), $user->getPassword(), $user->getRoles());
}