LexikJWTAuthenticationBundle with multiple providers

Question

I 2 part of applications - first for admins (admin panel) and second API. For API I want to use another model to check credentials and that retrieve a token. I thought that it could be achieved by specified check_path route where I can verify the provided data and then return manually token.

But It seems that the application doesn't event go to this endpoint because I haven`t seen any debug message from the response - only 401 error code. Here is my security.yml config:

security:
    encoders:
        App\Entity\Security\AdminUser:
            algorithm: bcrypt
        Lexik\Bundle\JWTAuthenticationBundle\Security\User\JWTUser:
            algorithm: bcrypt

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
    fos_userbundle:
        id: fos_user.user_provider.username_email
    jwt:
        lexik_jwt: ~

firewalls:
    api:
        provider: jwt
        pattern:  ^/api/
        stateless: true
        anonymous: true
        guard:
            authenticators:
                - 'jwt.token.authenticator'
        json_login:
            check_path: api.v1.0.token.get
            username_path: passwordName
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        context: 'main'
        pattern: ^/
        form_login:
            provider: fos_userbundle
            default_target_path: easyadmin
            csrf_token_generator: security.csrf.token_manager

        logout:       true
        anonymous:    true


access_control:
    - { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/v1.0/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }

And here is my action where I tried to debug:

class TokenController extends AbstractController
{
/**
 * @Route("/login", name="api.v1.0.token.get", methods={"POST"})
 * @param Request $request
 */
public function obtainToken(Request $request, JWTEncoderInterface $encoder, SiteRepository $siteRepository)
  {
      dd(123); // I don`t see this message - only 401 error

  }
}

Answer 1

First, I'm not sure what you're trying to do with your obtainToken function but if you need to either create a token programatically or manipulate / customize its content before returning it, I highly suggest that you have a look at their documentation first as you'll have all the tools to achieve what you want to do:

• here for the customization through events
• here for manual creation

Otherwise, the bundle will handle that for you.

Now, assuming that you simply want to protect your api with JWT, you'll need to separate your api firewall into two different ones:

First one to login, like so:

login:
  pattern: ^/api/login
  stateless: true
  anonymous: true
  json_login:
    check_path: /api/login_check
    success_handler: lexik_jwt_authentication.handler.authentication_success
    failure_handler: lexik_jwt_authentication.handler.authentication_failure

And don't forget to update the access control to make sure your users can access it anonymously:

- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

This will allow you to hit /api/login_check with the credentials to authenticate and obtain your token.

---

Then, protect the rest of your public api by defining the JWT guard authenticator, like so:

api:
  pattern: ^/api
  stateless: true
  # /!\ shouldn't be anonymous: true here
  provider: jwt
  guard:
    authenticators:
    - lexik_jwt_authentication.jwt_token_authenticator

And the access control too:

- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }

If you need to create an account, you can define your own route and create the token programmatically upon success.

---

Some other things to mention:

• check_path: api.v1.0.token.get : I actually never tried but I don't think you can define a path by its route name like so, you better specify the path directly.
• username_path: passwordName : here you're telling the bundle to use 'passwordName' as the username, which sounds weird.

If you want to specify custom identifiers for both username and password, you better use something like this:

username_path: email # (or whatever field you use for the authentication)
password_path: password