Maybe I chose an over-complicated implementation (over here) and got a rather unusual use case (is it even?) - a login form that is displayed by an ordinary controller and a login action that expects the login attempt data as JSON.

Before manually defining an entry_point, I just kept getting an AccessDeniedException along with the message Full authentication is required to access this resource - which wasn't very helpful - whenever I visited an existing URL without being logged in.

It took me a long time until I finally found out that I have to define an entry_point and that this setting even exists because there is no mention of it on the Security docs entry point (!) at https://symfony.com/doc/current/security.html.

Not sure what could be done here, just thought maybe we can save other poor souls from getting lost like this as well.