Symfony 5 firewall with JWT blocks access to some routes without login

2020-02-15 php symfony jwt

I'm using LexikJWTAuthenticationBundle to manage the token creation and all that jazz.

My security.yaml file looks like this(removed not relevant stuff):

            algorithm: auto
                class: App\Entity\User
                property: email
            pattern:  ^/api/login
            stateless: true
            anonymous: true
                check_path: /api/login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            pattern:   ^/api
            stateless: true
                    - lexik_jwt_authentication.jwt_token_authenticator
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
            anonymous: lazy
                    - App\Security\LoginFormAuthenticator
                path: logout
                target: /
                invalidate_session: true
                secret:   '%kernel.secret%'
                lifetime: 604800 # 1 week in seconds
                path:     /
                always_remember_me: true

         - { path: ^/admin, roles: ROLE_ADMIN }
         - { path: ^/profile, roles: ROLE_USER }
         - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/user, roles: ROLE_USER }
         - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }

As far as JWT goes it works fine

Doing a simple curl

$ curl -X POST -H "Content-Type: application/json" http://localhost/api/\login_check -d '{"username":"someusername","password":"somepassword!"}'

Returns a token:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                             Dload  Upload   Total   Spent    Left  Speed
100   910  100   852  100    58    376     25  0:00:02  0:00:02 --:--:-- 376

Problem is, every other route responds with a 302 the immediately redirects to /

Request URL: http://localhost/register
Request Method: GET
Status Code: 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

It's pretty clear that I've missconfigured something somewhere. But I can't seem to find. As far as I'm concerned the configs seem to be good.

Perhaps somebody with a better eye(and better experience) than myself can give me a hand.

I can only assume JWT expects X route to have a token, but, I'm clearly whitelisting certain paths in access_control.

Removing the bundle and reverting any changes will make all routes behave as expected.

Upon further investigation it seems to collide with a custom LoginFormAuthenticator


namespace App\Security;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

class LoginFormAuthenticator extends AbstractFormLoginAuthenticator implements PasswordAuthenticatedInterface
    use TargetPathTrait;

    private $entityManager;
    private $urlGenerator;
    private $csrfTokenManager;
    private $passwordEncoder;

    public function __construct(EntityManagerInterface $entityManager, UrlGeneratorInterface $urlGenerator, CsrfTokenManagerInterface $csrfTokenManager, UserPasswordEncoderInterface $passwordEncoder)
        $this->entityManager = $entityManager;
        $this->urlGenerator = $urlGenerator;
        $this->csrfTokenManager = $csrfTokenManager;
        $this->passwordEncoder = $passwordEncoder;

    public function supports(Request $request)
        return 'login_user' === $request->attributes->get('_route') && $request->isMethod('POST');

    public function getCredentials(Request $request)
        $credentials = [
            'email' => $request->request->get('email'),
            'password' => $request->request->get('password'),
            'csrf_token' => $request->request->get('_csrf_token'),

        return $credentials;

    public function getUser($credentials, UserProviderInterface $userProvider)
        $token = new CsrfToken('authenticate', $credentials['csrf_token']);
        if (!$this->csrfTokenManager->isTokenValid($token)) {
            throw new InvalidCsrfTokenException();

        $user = $this->entityManager->getRepository(User::class)->findOneBy(['email' => $credentials['email']]);

        if (!$user) {
            // fail authentication with a custom error
            throw new CustomUserMessageAuthenticationException('Email could not be found.');

        return $user;

    public function checkCredentials($credentials, UserInterface $user)
        return $this->passwordEncoder->isPasswordValid($user, $credentials['password']);

     * Used to upgrade (rehash) the user's password automatically over time.
    public function getPassword($credentials): ?string
        return $credentials['password'];

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
        if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) {
            return new RedirectResponse($targetPath);

        return new RedirectResponse($this->urlGenerator->generate('index', [], RouterInterface::ABSOLUTE_URL));

    protected function getLoginUrl()
        return $this->urlGenerator->generate('login_user');

Why exactly this happens I'm not sure since they guards are in separate firewalls with clearly distinct routes. Not even the same prefix as far as I can tell.


So in your config you have the main firewall with the custom LoginFormAuthenticator, in which I do not see the whole point when you do not need an authenticator for the login when you are using LexikJWTAuthenticationBundle.

Also I noticed is that if you make a request for example to http://localhost/register it would use your LoginFormAuthenticator, which will not support the request because in its supports() function you declared to accept certain route.

return 'login_user' === $request->attributes->get('_route') ....

Another thing you can troubleshoot is your onAuthenticationSuccess function, especially I have suspicion about this line.

return new RedirectResponse($this->urlGenerator->generate('index', [], RouterInterface::ABSOLUTE_URL));

I would assume that you have a route,which is named index and has path "/" and if you use routes.yaml it would look something like this. (You have the same principle in the other types too)

    path: /
    controller: App\Controller\ACMEController::fooFunction

So basically you are telling your authenticator to redirect to "/". That would be my other guess. I hope I was helpful.