Symfony security: authentication made simple (well, maybe!)

Symfony authentication demystified: a guide to understanding the security component

The Symfony2 security component has the fame of being one of the most complex in the framework. I tend to believe that’s partially true, not because the component is really that complex, but because there are (really) a lot of concepts involved and it may be difficult to understand them all at once and have a clear vision as a whole.

I am in the process of writing an OAuth bundle and I faced the need to deeply understand how the authentication process work in Symfony2 to being able to integrate the OAuth protocol with the Symfony authentication component. Notice that I know there are a lot of great and stable OAuth bundles out there (have a look at the great HWIOAuthBundle to which I had chance to submit small contributions in the past). My intention is not to build a better one, but I want to build my own bundle with some peculiar features and use it as a way to experiment and learn new things. But I am getting off topic!

Going back to the Symfony2 security component, the point is that I found out difficult at first glance to get a clear idea of what is going on behind the scenes and what I need to write to create a custom authentication mechanism.

So in this post I will try to collect few interesting resources that helped me understanding it better and a graph I drawn to resume what I learned.

I highly suggest you to read them in the proposed order.

  • Symfony Security component documentation: must read! The official documentation about the security component. It covers both authentication and authorization. Be warned that it will probably not make things clear at first, but I believe you must start your learning from there!
  • Diving into security layer: a great blog post from Francesco Tassi of Screenfony. It carefully describes which classes and interfaces are involved in the authentication layer and how they are wired togheter. He does not present any example of code, but in my opinion this is one of the most interesting and clarifying post about this topic.
  • Love and Loss: A Symfony Security Play: slides by the great Kris Wallsmith from the Symfony Live 2013 in Portland. Also a Video is available. That’s a great resource because Kris tries to explain with visual graphs how the various components are tied together and how the whole flow goes from request to response. Very clarifying!
  • Symfony2: Introduction to The Security Component Part I, Part II & Part III: a series of articles by Matthias Noback that cover the various aspect of the Symfony security (both about authentication and authorization). They have been merged to the official documentation, so read it fast as a good way to recap ideas.
  • Security in real life: A video from the Symfony Live Paris 2012 by Johannes Schmitt. Johannes explains some common problems people face with the Symfony security component. He also provides a great introduction describing the most important classes and how they are tied together.
  • Custom authentication provider: a cookbook article from the official documentation that presents a code example on how to write a custom authentication provider to integrate the WSSE protocol in Symfony. Great code example!
  • How to Authenticate Users with API Keys: another great cookbook article that will shed some light on the topic by providing a simple example.
  • How to Create a Custom Form Password Authenticator: yet another interesting cookbook article with a code example on how to modify the authentication logic behind the form (username/password) based authenticator.
  • Code of the RememberMe Listener: the code of the RememberMeListener class. A great and simple example on how to write a security authentication listener.

Symfony Authentication graph

Notice that the following graph tries to represent the classical schema available in the Symfony Standard Edition. As the framework is extensible at any given point you are free to change the whole logic. The generic idea is that you start with a Request object and you should check if it can be used to produce an AuthenticatedToken according to some authentication logic.

Symfony Authentication chart

Get the image in full resolution on Google Drive (you can also propose edits with comments if you want) or Download the PDF.

That’s all, I hope this post has been useful. If you have interesting link related to this topic feel free to add them in the comment box and I will add them into the article.

Sharing is caring!

If you got value from this article, please consider sharing it with your friends and colleagues.

Found a typo or something that can be improved?

In the spirit of Open Source, you can contribute to this article by submitting a PR on GitHub.

You might also like

Cover picture for a blog post titled 6 Rules of thumb to build blazing fast web server applications

6 Rules of thumb to build blazing fast web server applications

This post highlights 6 important rules to keep in mind when developing performant web applications: avoid premature optimization, do the minimum required work, defer non-critical tasks, leverage caching, avoid N+1 queries, and design for horizontal scaling. Following these guidelines will help you write efficient code from the start and build apps ready to handle growth.

Calendar Icon

Cover picture for a blog post titled Symfony, edit the Response globally using the Kernel Response event

Symfony, edit the Response globally using the Kernel Response event

The Symfony HttpKernel Component allows interacting with the response generation through events. The Kernel Response event permits modifying the response before sending it out. Two examples show how to use it to add custom headers and cookies without touching controller logic.

Calendar Icon

Cover picture for a blog post titled Transparent pixel response with Symfony, how to track email opening

Transparent pixel response with Symfony, how to track email opening

This blog post explains how to implement email open tracking in Symfony using a transparent tracking pixel. It provides code examples for generating a tracking image response and handling the tracking logic in a controller.

Calendar Icon

Cover picture for a blog post titled Write a console application using Symfony and Pimple

Write a console application using Symfony and Pimple

This article shows how to build a simple command line application using the Symfony Console component and Pimple dependency injection container. It provides a step-by-step guide on structuring the code, defining services, configuring parameters and wiring everything together to create a executable console app.

Calendar Icon

Cover picture for a blog post titled Integrating Twig.js and BazingaJsTranslationBundle

Integrating Twig.js and BazingaJsTranslationBundle

The post explains how to integrate twig.js with BazingaJsTranslationBundle to handle translations consistently between PHP and JavaScript. It shows how to build a custom Twig extension to translate strings with the Bazinga Translator object and handle differences in parameter formatting.

Calendar Icon

Cover picture for a blog post titled Using Let’s Encrypt and Certbot to automate the creation of certificates for OpenVPN

Using Let’s Encrypt and Certbot to automate the creation of certificates for OpenVPN

This post explains how to use Let's Encrypt and Certbot to automatically generate and renew SSL certificates for OpenVPN. It provides a complete Terraform setup as a practical example.

Calendar Icon