I'm trying to authenticate against a ldap server using symfony 4.2 and its LdapUserProvider but I get the following error
[2019-08-09 17:40:52] security.DEBUG: Cannot refresh token because user has changed. {"username":"admin","provider":"Symfony\\Component\\Security\\Core\\User\\LdapUserProvider"} []
[2019-08-09 17:40:52] security.DEBUG: Token was deauthenticated after trying to refresh it. [] []
[2019-08-09 17:40:52] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2019-08-09 17:40:52] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied.
I found that the refreshed user password is hard coded to null in the ldapProvider. This refreshed user is then evaluated not equal to the token user and this results in the deauthentification of the user.
vendor/symfony/security-core/User/LdapUserProvider.php
:
public function refreshUser(UserInterface $user)
{
if (!$user instanceof User) {
throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', \get_class($user)));
}
return new User($user->getUsername(), null, $user->getRoles());
}
vendor/symfony/security-http/Firewall/ContextListener.php
:
try {
$refreshedUser = $provider->refreshUser($user);
$newToken = clone $token;
$newToken->setUser($refreshedUser);
...
}
How can I solve this issue ?
Thanks