
Symfony Multiple guard Auth bearer token won't work redirecting in login

I am struggling to make the multi guard auth work on my preprod server.

I have set up the multiple guard authenticator on a project. One authenticator is for the normal "login, password" form; the second is for auth by request with a Bearer token. I have followed the documentation here: https://symfony.com/index.php/doc/4.4/security/multiple_guard_authenticators.html

Everything works fine with the local Symfony server. If I curl like this:

curl --location --request GET 'http://127.0.0.1:8000/' \
--header 'Authorization: Bearer 867504f2ff8e03672db2a5aee8f04f8bc17d60f62226d7c97aadb34012599c528f0047959f5ee22d251b3ca0c884bbf659e76a2b668fa9d2608b1fe8' \
--header 'Cookie: PHPSESSID=hd1ea3imfa77fmo5nsuheolmu2'

I am nicely authenticated and redirected to the index (or get a failure response: token expired or so). But on my preproduction server, it's just not working. No guard is launched and I am automatically 302 redirected to /login (login form).

Here is my security.yaml:

security:
    providers:
       our_db_provider:
            entity:
                class: App\Entity\User
                property: apikey
    encoders:
        custom_sodium:
            id: 'encoder_service'

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            anonymous: ~
            http_basic: ~
            form_login:
               login_path: login
               check_path: login
            logout:
               path:       logout
               target:     login
            logout_on_user_change: true


            guard:
                authenticators:
                    - App\Security\ApiTokenAuthenticator
                    - App\Security\LoginAuthAuthenticator

                entry_point: App\Security\LoginFormAuthenticator


    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/provider, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/action/createproposition, roles: ROLE_USER }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/api/, roles: ROLE_USER }
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }



    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER]

I tried many things, such as trying to log the use of the auth guard with Monolog.

On the local server, I can see that Symfony calls the authenticators to find out which one to use, and accesses the proper one. On my preprod server I have no log that pops up. So it looks like no guard is used and it just redirects to /login because ^/ is ROLE_USER.

I also suspect the .htaccess conf to cause the problem, but I really don't know how to fix it.

Kindly, Naqued

After a lot of struggle I found out the problem. This thread helped me a lot:

Authorization header missing in PHP POST request

I figured out that the Authorization key in the header was missing (logger on the host server).

The problem was that on the local server, there is no .htaccess. On a server with apache2, in the .htaccess there was the RewriteEngine On, so Apache rewrites the header and doesn't write the Authorization key in the header of the request.

Solution: in your .htaccess put:

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

This works perfectly :)

Kindly, Naqued
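
A diagnostic for the missing-header condition described in the answer above, as an added example that is not part of the original post or of Symfony: it reports which server variable, if any, carries the bearer token, without writing the token itself to the log. The function names and sample arrays are hypothetical; `REDIRECT_HTTP_AUTHORIZATION` is the name the variable takes after an Apache internal redirect.

```php
<?php
declare(strict_types=1);

/**
 * Added example: report where (if anywhere) the Authorization header reached PHP.
 * Returns [source, token]; both are null when the header never arrived.
 */
function findBearerToken(array $server): array
{
    // Keys where the value can end up under Apache: the plain CGI-style variable,
    // or the REDIRECT_-prefixed copy left after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $value = trim((string) ($server[$key] ?? ''));
        if (preg_match('/^Bearer\s+(\S+)$/i', $value, $m) === 1) {
            return [$key, $m[1]];
        }
    }
    return [null, null];
}

/** Log line that records only whether a token arrived, never the token value. */
function describeAuthHeader(array $server): string
{
    [$source, $token] = findBearerToken($server);
    if ($source === null) {
        return 'no Authorization header reached PHP';
    }
    return sprintf('bearer token found in %s (%d chars)', $source, strlen($token));
}

// Constructed $_SERVER samples (not captured from the asker's server).
$samples = [
    'header stripped before PHP' => ['REQUEST_URI' => '/', 'HTTP_COOKIE' => 'PHPSESSID=example'],
    'rewrite rule sets env var'  => ['REQUEST_URI' => '/', 'HTTP_AUTHORIZATION' => 'Bearer example-token'],
    'after internal redirect'    => ['REQUEST_URI' => '/', 'REDIRECT_HTTP_AUTHORIZATION' => 'Bearer example-token'],
];

foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, describeAuthHeader($server));
}
```

On a real host, passing `$_SERVER` to `describeAuthHeader()` from the front controller shows whether the header is lost before PHP or inside the application.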
