What's the issue in terms of real-world use case? Here is the answer about lazy: disabling laziness will make HTTP caches incompatible with firewalls again. Not sure this is what we want.

What's the issue in terms of real-world use case?

I think a normal login form won't work anymore. When the user does a POST /login_check, if I understand correctly, there is nothing that will cause the authenticator to be called. The request will continue to the controller, which will just render the login form again. This is effectively how MakerBundle tests noticed the change.

The request will continue to the controller, which will just render the login form again.

Interesting. Does the reproducer above showcase this? Could you update it to do so otherwise please?

It does:

git clone git@github.com:weaverryan/symfony-anonymous-lazy-reproducer.git
cd symfony-anonymous-lazy-reproducer
composer install
symfony serve -d
curl https://127.0.0.1:8000

When you try this, you'll hit DefaultController::index() (the homepage controller). But you should NOT, because AppCustomAuthenticator::supports() has a die() statement in it. Change to anonymous: true and try the curl request again and you'll hit the supports() method in the authenticator.

Let me know if it's not clear - I'm not very educated about the anonymous: lazy yet - so apologies.

I'd prefer a real guard: the die is just a symptom, I'd prefer not fixing the symptom without understanding the full lifecycle.

I've the same problem in an app I'm upgrading:

            json_login:
                check_path: login
                success_handler: Dunglas\UserBundle\Handler\JsonLoginSuccessHandler

    public function testBadLogin(): void
    {
        $client = static::createClient();
        $response = $client->request('POST',
            '/login',
            (new HttpOptions())->setJson([
                'username' => 'dunglas@gmail.com',
                'password' => 'badPassword',
            ])->toArray()
        );
        $this->assertSame(401, $response->getStatusCode()); // Now, it's a 404
    }

Fair enough :). Let's try this again:

git clone git@github.com:weaverryan/symfony-anonymous-lazy-reproducer.git
cd symfony-anonymous-lazy-reproducer
composer install
symfony serve -d

This now has a standard login form (from make:auth). Go to /login and fill out the form. You will see the login form again with no errors. This is because the LoginFormAuthenticator is never called.

If you (as you know) even do one thing on your page to access auth (even an app.user reference in the template), it WILL trigger the system. So now I understand that this is the desired behavior of the anonymous: lazy system. I'm still worried the behavior is too strange. Here's another problematic example: OAuth. When an OAuth server redirects back to my site, I typically have an authenticator for that URL that fetches the access token, does work, then redirects. That authenticator will no longer be called.