Skip to content

[POC][Security] Split tokens in request token + authentication token (towards making tokens first-class citizens) #21068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

[POC][Security] Split tokens in request token + authentication token (towards making tokens first-class citizens) #21068

wants to merge 4 commits into from

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Dec 27, 2016

Q A
Branch? master
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? yes
Tests pass? yes
Fixed tickets #
License MIT
Doc PR todo

Started a long time ago with this branch, so I thought it was time to create a POC PR to get the opinion of core teammembers and contributors on this topic.

NOTE This PR is just to give an insight in the idea. Please don't review the details (e.g. the version numbers in deprecations), I know there is work left to do 😄.

The Story: Removing UserInterface

The Security system currently manages users with 2 types of classes: UserInterface and TokenInterface. The devs using Symfony most of the time end up using UserInterface as their user object in the application. This has some drawbacks:

Probably more than a year back, @iltar, @weaverryan and me had a discussion about this on IRC. A nice idea was born there:

  • Make Token the first-class citizen of the Security system. All information that the security system needs to know about the user should be saved in the token.
  • The Token will be serialized in the session
  • There still is a user/identity object in the token, to allow the very conventient getUser() method and app.user var. This user object should have a getIdentifier() method, returning an identifier for the user which is saved in the serialized token.

This Pull Request

In order to store all security information in a token, the token needs to be split into 2 seperate tokens: Authentication request tokens and Authenticated tokens. The authentication request token contains all information before authenticating (such as the username and password passed through the login form). The authenticated token contains the identifier (see previous section) of the logged in user and the roles bound to this token.

Splitting the token also has other major advantages:

  • The weird "user has to be a string, UserInterface or object with __toString()" thing in the security system is removed. Users are now always an object instance of UserInterface in authenticated tokens.
  • The 2 types of tokens are actually very different. It doesn't make much sense to use the same class to represent them (e.g. unauthenticated tokens don't have roles, there is no concept of user in unauthenticated tokens, etc.).

The Future

In follow-up pull requests, the rest of the story of removing the UserInterface can be done.

@javiereguiluz
Copy link
Member

Quick comment: although you give some reasons for creating two types of tokens, I'm still not convinced about that. e.g. unauthenticated tokens don't have roles -> then return null or an empty array; there is no concept of user in unauthenticated tokens then return null or an anonymous user; etc.

@nicolas-grekas nicolas-grekas added this to the 3.x milestone Jan 2, 2017
@wouterj
Copy link
Member Author

wouterj commented Feb 2, 2017

Can more core team members give some opinions on this idea/PR? I would like to continue working on this PR, but I would first love to get a pre-+1 on this to avoid wasting time.

@andersonamuller
Copy link
Contributor

Why not name the unauthenticated tokens as Credential e.g UserPasswordCredential (from OAuth2) and authenticated tokens as just Token, token can then contain Claims (from JWT).

@wouterj
Copy link
Member Author

wouterj commented Mar 16, 2017

Ping?

@javiereguiluz
Copy link
Member

Personal opinion: we should wait a bit before making a decision here. In the Symfony Community Survey 2017 we're getting a lot of comments about the Security component ... and I think we need to define first a complete roadmap for the component.

@wouterj wouterj closed this May 26, 2017
@wouterj wouterj deleted the security-split_tokens branch May 26, 2017 07:48
@wouterj wouterj mentioned this pull request Sep 29, 2017
Closed
@ghost ghost mentioned this pull request Mar 18, 2018
Closed
@wouterj wouterj mentioned this pull request Mar 29, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Deprecation Feature Security Status: Needs Review
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.
5 participants
@wouterj @javiereguiluz @andersonamuller @nicolas-grekas @carsonbot