Fix breaking change in AccessTokenAuthenticator

guillaumesmo · guillaumesmo · commit 99a217ff8590 · 2023-07-26T00:29:46.000+02:00
fixes #50511
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -27,6 +27,7 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidSignatureException;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 /**
@@ -93,7 +94,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             }
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
-            return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
+            return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
         } catch (\Exception $e) {
             $this->logger?->error('An error occurred while decoding and validating the token.', [
                 'error' => $e->getMessage(),
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
@@ -59,7 +59,7 @@ public function authenticate(Request $request): Passport
         }
 
         $userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);
-        if ($this->userProvider) {
+        if ($this->userProvider && (null === $userBadge->getUserLoader() || $userBadge->getUserLoader() instanceof FallbackUserLoader)) {
             $userBadge->setUserLoader($this->userProvider->loadUserByIdentifier(...));
         }
 
diff --git a/src/Symfony/Component/Security/Http/Authenticator/FallbackUserLoader.php b/src/Symfony/Component/Security/Http/Authenticator/FallbackUserLoader.php
@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator;
+
+/**
+ * This wrapper serves as a marker interface to indicate badge user loaders that should not be overridden by the
+ * default user provider.
+ *
+ * @internal
+ */
+final class FallbackUserLoader
+{
+    public function __construct(private $inner)
+    {
+    }
+
+    public function __invoke()
+    {
+        return ($this->inner)(...\func_get_args());
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\OidcUser;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 /**
@@ -61,7 +62,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
         ))->getUserBadgeFrom($token);
         $actualUser = $userBadge->getUserLoader()();
 
-        $this->assertEquals(new UserBadge($expected, fn () => $expectedUser, $claims), $userBadge);
+        $this->assertEquals(new UserBadge($expected, new FallbackUserLoader(fn () => $expectedUser), $claims), $userBadge);
         $this->assertInstanceOf(OidcUser::class, $actualUser);
         $this->assertEquals($expectedUser, $actualUser);
         $this->assertEquals($claims, $userBadge->getAttributes());

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function authenticate(Request $request): Passport`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`$userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);`
`62`		`- if ($this->userProvider) {`
	`62`	`+ if ($this->userProvider && (null === $userBadge->getUserLoader() \|\| $userBadge->getUserLoader() instanceof FallbackUserLoader)) {`
`63`	`63`	`$userBadge->setUserLoader($this->userProvider->loadUserByIdentifier(...));`
`64`	`64`	`}`
`65`	`65`