When are you calling this helper? Looking at the deprecation, it only gets triggered if $container->get('request_stack')->getMainRequest() returns null, which would mean something is calling the token storage before a request is set in the stack.

This service is basically called in a controller before to create a view.

Can you provide a reproducer? We will need that to help.

I guess i have found the issue. The Security service is called from a kernel event listener (kernel.terminate) and not only from a simple service.
The purpose of this listener is to save informations from user-agent request header (browser, os etc...) for each request. Is there a best practice to do that ?

use the untracked storage in that listener

could you please provide some details to do that ? thank u

Use the security.untracked_token_storage service, as explained in the error message that you pasted in your issue.

The container is not injected in this listener. So i can't access to security.untracked_token_storage from this listener.
I don't see how to do that.

Workaround found.

1. Inject TokenStorageInterface in the listener constructor :

public function __construct(TokenStorageInterface $tokenStorage) { $this->tokenStorage = $tokenStorage; }

2. Disable Usage Tracking before to get token

public function onKernelTerminate(TerminateEvent $event) { $this->tokenStorage->disableUsageTracking(); $token = $this->tokenStorage->getToken(); }

3. Get user

$user = $token->getUser();

Many thanks !

I've got similar deprecation triggered when using the Symfony\Component\Security\Core\Security helper outside a request (ie, in a Monolog Processor)

/**
 * Adds user information to a record.
*/
class UserProcessor implements ProcessorInterface
{
    public function __construct(private Security $security) {}

    public function __invoke(array $record): array
    {
        $user = $this->security->getUser();
        if (!$user) {
            return $record;
        }

        if (method_exists($user, 'getUserIdentifier')) {
            $record['username'] = $user->getUserIdentifier();
        } else {
            $record['username'] = $user->getUsername();
        }

        return $record;
    }
}

We can not call disableUsageTracking because we won't be able to restore the previous state (we don't have isUsageTracked method).

The only solution is to inject security.untracked_token_storage instead of security but this is sad to

• not be able to use the Helper
• having to configure the services manually (no autowire)

I think the helper should handle this case internally: #43235

I'm wondering whether the helper should handle this, or whether UsageTrackingTokenStorage should instead accept getting a token from it outside request contexts.

I'm wondering whether the helper should handle this, or whether UsageTrackingTokenStorage should instead accept getting a token from it outside request contexts.

Same feeling for me.. Removing the deprecation (and let the method returning null) would work for me

If we can get rid of that notice while keeping the BC layer efficient enough, I'm all for removing it. I'm going to investigate