Status: Closed
Labels: Feature, RFC (Request For Comments: proposals about features that you want to be discussed), Security

Description
The way this feature currently works, an authenticated user already impersonating another needs to exit impersonation before switching to another user. Otherwise, he'll hit:
```php
throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
```

First thing: I don't think a `LogicException` is the most suitable here, as it'll generate a 500.
Secondly, are there reasons to forbid this by default?
Then, what about allowing to configure this on the switch user listener? Different strategies might exist:
- reject, with an appropriate 4XX exception
- generate a response suggesting to exit & switch to the new user, out-of-the-box.
- just switch, seamlessly.
Throwing a dedicated exception might allow performing the second option in userland, but would miss an easy way to switch to the new user once exited.
Example

- Could be a `switch_user` listener option:

```yaml
security:
    firewalls:
        # [...]
        main:
            # [...]
            switch_user:
                already_switching_strategy: ~ # one of reject, confirm or switch; reject as default.
```
- a query parameter to force switching
- or the custom exception coupled with error handling in userland. Would miss a native way to exit+switch to the new user though.
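As an added illustration (not Symfony's own listener code, and not part of the original issue), the three strategies proposed above modelled over a minimal hypothetical token type, assuming PHP 8.1+. The point to note is that the "switch" strategy unwinds to the original token before switching, so impersonations never nest and exiting still returns to the real user.

```php
<?php
// Added illustration, not Symfony's SwitchUserListener: a minimal token that keeps the
// original (pre-impersonation) token, standing in for the real token classes.
final class Token
{
    public function __construct(
        public readonly string $username,
        public readonly ?Token $original = null, // set only while impersonating
    ) {}

    public function isImpersonating(): bool
    {
        return $this->original !== null;
    }
}

// A client error (4xx at the HTTP layer) rather than a 500-producing LogicException.
final class AlreadySwitchedException extends \RuntimeException
{
    public function __construct(string $current, string $requested)
    {
        parent::__construct(sprintf('Already switched to "%s"; exit before switching to "%s".', $current, $requested), 400);
    }
}

// Applies the hypothetical already_switching_strategy option: returns the token to store,
// or for "confirm" a response payload telling the caller to exit and then switch; "reject" throws.
function handleSwitch(Token $current, string $target, string $strategy): Token|array
{
    if (!$current->isImpersonating()) {
        return new Token($target, $current); // plain switch: remember who we really are
    }

    return match ($strategy) {
        'reject'  => throw new AlreadySwitchedException($current->username, $target),
        'confirm' => ['status' => 409, 'exit_then_switch_to' => $target],
        // Unwind to the original token first, so impersonations never nest and a later
        // exit returns to the real user rather than to the previously impersonated one.
        'switch'  => new Token($target, $current->original),
        default   => throw new \InvalidArgumentException('Unknown strategy: '.$strategy),
    };
}

// Usage with constructed sample users.
$admin   = new Token('admin');
$asBob   = handleSwitch($admin, 'bob', 'reject');   // not impersonating yet, so allowed
$asAlice = handleSwitch($asBob, 'alice', 'switch'); // bob -> alice, still rooted at admin
assert($asAlice->original?->username === 'admin');
assert(handleSwitch($asBob, 'alice', 'confirm')['status'] === 409);
```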