
Authenticators and always_authenticate_before_granting causes null TypeError #36804

Closed
@scheb


Symfony version(s) affected: 5.1.0-BETA1

Description

When the new 5.1 authenticator security is activated and you have always_authenticate_before_granting: true configured, an "is granted" call will lead to a null TypeError in TraceableAccessDecisionManager:

Argument 1 passed to Symfony\Component\Security\Core\Authorization\TraceableAccessDecisionManager::decide() must implement interface Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given, called in vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php on line 62

This is happening because AuthorizationChecker is re-authenticating the token

https://github.com/symfony/security-core/blob/eadb75975ee3099ffd1ac8773f088198dbf126bf/Authorization/AuthorizationChecker.php#L58-L60

with a NoopAuthenticationManager

https://github.com/symfony/symfony/blob/be3a9a93f0354ecc86c9ed157f132e799cc912f5/src/Symfony/Component/Security/Http/Authentication/NoopAuthenticationManager.php

returning nothing, therefore returning an implicit null. This is actually against the contract of AuthenticationManagerInterface, which states in its PhpDoc: "@return TokenInterface An authenticated TokenInterface instance, never null".

How to reproduce

security:
    always_authenticate_before_granting: true
    enable_authenticator_manager: true

Have this in a Twig template that is rendered, or make an isGranted() call from PHP.

{% if is_granted("ROLE_USER") %}

Possible Solution

As discussed with @wouterj on Slack:

  • Return $token in NoopAuthenticationManager (not sure what the security implications could be)
  • Or forbid always_authenticate_before_granting in combination with the new authenticator security
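Added illustration (not Symfony's code and not part of the issue text): a self-contained PHP sketch of the contract violation described above and of the first proposed fix. The class and method names are modelled on the Symfony ones named in the issue but are simplified stand-ins written for this example; the token, the role check and the `alwaysAuthenticate` flag are all constructed here.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins modelled on the Symfony classes named in the issue.
// This is example code, not Symfony's implementation.

interface TokenInterface
{
    public function getRoleNames(): array;
}

final class SimpleToken implements TokenInterface
{
    private array $roles;

    public function __construct(array $roles)
    {
        $this->roles = $roles;
    }

    public function getRoleNames(): array
    {
        return $this->roles;
    }
}

interface AuthenticationManagerInterface
{
    /**
     * @return TokenInterface An authenticated TokenInterface instance, never null
     */
    public function authenticate(TokenInterface $token);
}

// Mirrors the reported bug: no return statement, so PHP returns null implicitly,
// which violates the "never null" contract in the PhpDoc above.
final class BrokenNoopAuthenticationManager implements AuthenticationManagerInterface
{
    public function authenticate(TokenInterface $token)
    {
    }
}

// First option from "Possible Solution": hand the token back unchanged.
final class FixedNoopAuthenticationManager implements AuthenticationManagerInterface
{
    public function authenticate(TokenInterface $token)
    {
        return $token;
    }
}

// Simplified decision manager: grants when any requested attribute is a role on the token.
// The TokenInterface type hint is what turns a null token into a TypeError.
final class AccessDecisionManager
{
    public function decide(TokenInterface $token, array $attributes): bool
    {
        return [] !== array_intersect($attributes, $token->getRoleNames());
    }
}

final class AuthorizationChecker
{
    private AuthenticationManagerInterface $authenticationManager;
    private AccessDecisionManager $accessDecisionManager;
    private bool $alwaysAuthenticate;

    public function __construct(
        AuthenticationManagerInterface $authenticationManager,
        AccessDecisionManager $accessDecisionManager,
        bool $alwaysAuthenticate
    ) {
        $this->authenticationManager = $authenticationManager;
        $this->accessDecisionManager = $accessDecisionManager;
        $this->alwaysAuthenticate = $alwaysAuthenticate;
    }

    public function isGranted(TokenInterface $token, string $attribute): bool
    {
        if ($this->alwaysAuthenticate) {
            // With the broken manager this assigns null; decide() then throws TypeError.
            $token = $this->authenticationManager->authenticate($token);
        }

        return $this->accessDecisionManager->decide($token, [$attribute]);
    }
}

$token = new SimpleToken(['ROLE_USER']);
$decisionManager = new AccessDecisionManager();

try {
    (new AuthorizationChecker(new BrokenNoopAuthenticationManager(), $decisionManager, true))
        ->isGranted($token, 'ROLE_USER');
} catch (TypeError $e) {
    echo 'broken noop manager: ' . $e->getMessage() . PHP_EOL;
}

$granted = (new AuthorizationChecker(new FixedNoopAuthenticationManager(), $decisionManager, true))
    ->isGranted($token, 'ROLE_USER');
echo 'fixed noop manager grants ROLE_USER: ' . var_export($granted, true) . PHP_EOL;
```

Running it with `always_authenticate` enabled shows the two behaviours side by side: the manager that falls off the end of `authenticate()` triggers the TypeError at the `decide()` type hint, while the pass-through manager lets the original token reach the decision and the check is granted. The same pass-through is what makes a noop manager satisfy the "never null" part of the interface contract.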
