[RFC][Security] Simplify custom anon/remember token extension point. #26940
Description
| Q | A |
|---|---|
| Bug report? | no |
| Feature request? | no |
| BC Break report? | no |
| RFC? | yes |
| Symfony version | 4.2+ |
The default implementation of the authentication trust resolver accepts 2 arguments, which are used to check the instance of the token via isAnonymous, isRememberMe and isFullFledged. Changing those classes can lead to unclear side effects so I would highly recommend to never do this.
class
service arguments
This feature is not documented and has no clear extension point, as you have to change parameters. Besides of obvious things that will suddenly start failing if you change those values while not extending the current implementations, it's simply not really that useful while adding extra complexity to the component. I didn't even know this "extension point" existed until @aschempp mentioned it in #26871 (comment).
Proposal
I propose to deprecate passing arguments to this class that are different from the current parameter values in 4.2. For 5.0 we can then inline the class references in the instanceof and make sure it always works. To support the edge-case where a custom token class is desired to be used, developers should extend the existing classes, which will ensure the instanceof will remain functional. As this is an actual feature, it should therefore be documented. While I don't think it's a good idea to extend them and provide a custom implementation, there might be existing use-cases that otherwise break.
Symfony\Component\Security\Core\Authentication\Token\AnonymousTokenSymfony\Component\Security\Core\Authentication\Token\RememberMeToken