
[Security] Backwards breaking change in SimpleAuthenticationProvider #26807

Closed · opened by @emarref

Description
| Q | A |
| --- | --- |
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | yes |
| RFC? | no |
| Symfony version | 3.4.7 |

The update from 3.4.6 to 3.4.7 is producing a fatal error in the `SimpleAuthenticationProvider` class when an anonymous token is returned from the authenticator.

The specific change that I believe causes the issue is cb9c92d06553f60a0b7b6b036c4b2a3c1813e738.

I have a custom authenticator that implements the `SimplePreAuthenticatorInterface`, as documented in the "How to Authenticate Users with API Keys" docs, that may return an anonymous token. When the token is anonymous, the `getUser()` method on the token returns `"anon."`. The `SimpleAuthenticationProvider` then attempts to pass this string to the `userChecker->checkPreAuth($user)` method, which requires a `UserInterface` instance as an argument.

In versions < 3.4.7 the anonymous token would be returned, or an exception thrown if no token was found. In 3.4.7 the above commit now does some pre/post user checks which do not support anonymous tokens.
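The following is an added illustration, not the reporter's authenticator or Symfony's own provider code. It assumes `symfony/security-core` 3.4 and `symfony/http-foundation` are installed: the authenticator returns an `AnonymousToken` when no API key is sent (the case described above), and `guardedAuthenticate()` shows the provider-side guard that keeps `"anon."` from ever reaching `UserCheckerInterface`.

```php
<?php
// Added example (not Symfony's or the reporter's code); assumes symfony/security-core 3.4.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\SimpleAuthenticatorInterface;
use Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface;
use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

// Authenticator that downgrades to an AnonymousToken when no API key is supplied.
class ApiKeyOrAnonymousAuthenticator implements SimplePreAuthenticatorInterface
{
    // Constructed sample mapping (key => username); real deployments store hashed keys.
    private $keys = array('k-constructed-123' => 'alice');
    public function createToken(Request $request, $providerKey)
    {
        // 'anon.' is the placeholder user Symfony 3.x uses before a real user is resolved.
        return new PreAuthenticatedToken('anon.', $request->headers->get('X-API-KEY'), $providerKey);
    }
    public function supportsToken(TokenInterface $token, $providerKey)
    {
        return $token instanceof PreAuthenticatedToken && $token->getProviderKey() === $providerKey;
    }
    public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
    {
        $apiKey = $token->getCredentials();
        if (null === $apiKey) {
            return new AnonymousToken($providerKey, 'anon.'); // getUser() will return the string 'anon.'
        }
        if (!isset($this->keys[$apiKey])) {
            throw new AuthenticationException('Invalid API key.');
        }
        $user = $userProvider->loadUserByUsername($this->keys[$apiKey]);
        return new PreAuthenticatedToken($user, $apiKey, $providerKey, $user->getRoles());
    }
}

// Provider-side flow with the guard: run the pre/post user checks only when the
// authenticated token actually carries a UserInterface, never the 'anon.' string.
function guardedAuthenticate(SimpleAuthenticatorInterface $auth, TokenInterface $token, UserProviderInterface $users, UserCheckerInterface $checker, $providerKey)
{
    $authToken = $auth->authenticateToken($token, $users, $providerKey);
    $user = $authToken->getUser();
    if ($user instanceof UserInterface) {
        $checker->checkPreAuth($user);
        $checker->checkPostAuth($user);
    }
    return $authToken;
}
```

With the guard, an anonymous result passes through untouched while real users still get the account-status checks; without it, the `checkPreAuth("anon.")` call is the fatal type error the report describes.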
