i am okay with that if the AdvancedUserInterface is removed.

what more changes need to be done for stuff like FOSUser or SonataUser?
they need to implement their wanted methods, and meed their own user checker?

Iltar, what would be the impact for the most common use case? Simple app with no fancy needs that only wants a User class to represent their users which log in via a login form and don't have anything special: just a username + password + a bunch of properties (the username may be the email).

The most common use-case would probably be an entity with the UserInterface. If you wish to use the Symfony user, you have to have a customer user provider and custom logic to transform a username into that user. I believe that's actually more work than actually using an entity. However, my PoV is pretty limited as I've never seen the need to have either of the two options.

@javiereguiluz simple apps with no fancy needs don't need a user checker at all (just like they don't need to use the AdvancedUserInterface features today, and the built-in user checker is a no-op for non-advanced implementations)

@stof yes ... and no. For example I consider the feature to mark a user account locked/expired/enabled (whatever you call it in your app) a very basic feature ... but it was provided in the AdvancedUserInterface.

I just wanted to say: OK if you want to improve the advanced case ... but please, don't make the simple case even harder. Thanks 🙏

For example I consider the feature to mark a user account locked/expired/enabled (whatever you call it in your app) a very basic feature ... but it was provided in the AdvancedUserInterface.

@javiereguiluz that case has already been made more "difficult" for custom user objects. The User in Symfony is final and none of the standard implementations have support for this. To use the User, you have to implement a lot more code. It would be easier to just create your own UserChecker and method for this. Writing those these few lines of code is maybe 5 minutes of work, as opposed to roughly 30 to 60 minutes (or more if you don't know how the security component works), just to write your own user provider.

Pinging @symfony/deciders whether or not I should work on this for Symfony 4.2+. It's a bit too much to do in a single PR and I don't want to do only half of the proposal 😄

I'm hoping to have covered all the upgrade paths in the initial post, but feel free to spew out more possible problems.

edit: seems like the deciders highlight is not working :(

• I'm very much 👍 for most of the things you mention in here. In the end, I think the whole concept of user needs to be removed from the Security component. Doing this seems like a sensible step to make User and UserInterface less relevant.
• I'm sure we can remove most of the methods from the UserInterface. However, I'm not so sure on how we can do things, while still perserving BC.

I just wanted to say: OK if you want to improve the advanced case ... but please, don't make the simple case even harder. Thanks pray

The simple case of a login form with just the User class will remain exactly the same. The only change is that users now get an InMemoryUser extending User (for BC) instead of User. So the only impact are the cases that explicitly typehint for User instead of UserInterface, which is never a good idea (and also redundant, as all methods of User are in the UserInterface).

The basic features of locking/enabling/whatever users has never been a simple feature in Symfony (that's why most people use FOSUserBundle). That's however completely unrelated to this RFC.

I'm sure we can remove most of the methods from the UserInterface. However, I'm not so sure on how we can do things, while still perserving BC.

Personally I would like to see the UserInterface (or the majority thereof) being used for the internal security process, I just would like to prevent it from being stored in the token, storing the identifier only. But something has to be created to fetch the current domain user (usually an entity), see #26971 (comment).

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

Could I get an answer? If I do not hear anything I will assume this issue is resolved or abandoned. Please get back to me <3

Create an LdapUser, exclusively used by the LdapUserProvider. For BC it can extend the User for instanceof checks. Would only receive the currently used fields.

Done in #32824.
Help needed to make the remaining changes proposed here.

See #40443