Symfony version(s) affected: 5.0.0

Description
The interface of TokenBasedRememberMeServices::generateCookieValue() expects username and password to be string.

UserInterface and User from Security-Core have unmatching signatures.
In UserInterface there are no defined return types, only phpdocs for string|null in case of getPassword() and string in case of getUserName()
These mismatch with what the TokenBasedRememberMeServices expect.

How to reproduce
I experience this with code losely based on the example from KnpUniversity\Oauth2ClientBundle.
I'm using a User class which returns null in getPassword().

Possible Solution
The signature and expectations should be aligned, either by enforcing string throughout the UserInterface and User class or by allowing null in TokenBasedRememberMeServices::generateCookieValue() and a typecast inside generateCookieHash .

I'm not sure, but I think it's a security issue to allow remember-me with users that do not have passwords (the hash will only be based on class, username and expires). If it is, this should be clarified in the docs and there must be a more meaningful exception when the password is null or an empty string.
Or, to degrade gracefully, the cookie should not be set, when the password is empty.

Additional context