We have a custom user provider created based on this documentation and a custom authenticator based on this documentation. Furthermore we trigger the firewall ourselves during our routing, because we have dynamic firewalls depending on dynamic page paths and settings.

Now with cookie based session authentication, the ContextListener calls refreshUser() on the provider.

The token is still not authenticated here. Only a first authorization request such as configured access directives on the route or a call to isGranted() will cause the token to be authenticated, which is fine, we can still manually authenticate the token if need be.

However, upon authentication the authenticator will call loadUserByUsername(), loading the user again, despite the refreshUser() before.

What is the intended workflow here? Is the documentation faulty? Should the authenticator not load the user again? Or should the ContextListener not refresh the user? Because right now the only thing the refresh does is finding out if the user was deleted, but all the other checks, like the user's isActive-flag, are only checked during authentication. Maybe the ContextListener should immediately authenticate the user?