Symfony version(s) affected: 4.3
Description
If a user is impersonating another user, the Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken is created. But then, an Authentication Provider cannot be found for this token if the always_authenticate_before_granting configuration option is set to true. This is causing a redirect loop as printed in the logfile:
security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. [...] ProviderNotFoundException: No Authentication Provider found for token of class SwitchUserToken at [...]AuthenticationProviderManager.php:107)"
This exception is not thrown if always_authenticate_before_granting is removed from the security.yaml file.
How to reproduce
- Set always_authenticate_before_granting to true
- Impersonate a user
- Visit a URL that is behind a firewall
Possible Solution
I have no idea how to fix this. This issue #8974 is very similar to this one, but this is six years old.
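A minimal security.yaml matching the reproduction steps above, as an added example that is not part of the original report. The user names, passwords, firewall name, paths and roles are assumptions chosen for illustration.

```yaml
# config/packages/security.yaml (constructed sample for Symfony 4.3)
security:
    # Step 1 of the report: re-authenticate the token before every
    # access decision. Per the report, removing this line avoids the
    # ProviderNotFoundException.
    always_authenticate_before_granting: true

    encoders:
        # Plaintext encoder only to keep the constructed sample short.
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        in_memory:
            memory:
                users:
                    # Constructed accounts; ROLE_ALLOWED_TO_SWITCH is the
                    # role switch_user requires by default.
                    admin: { password: admin-pass, roles: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH] }
                    alice: { password: alice-pass, roles: [ROLE_USER] }

    firewalls:
        main:
            anonymous: true
            form_login:
                # Assumed routes; the login page is the entry point the
                # log line says the request is redirected to.
                login_path: /login
                check_path: /login
            # Step 2: enables impersonation, after which the session
            # holds a SwitchUserToken.
            switch_user: true

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Step 3: a URL that requires authorization, so the token is
        # re-authenticated when it is visited.
        - { path: ^/account, roles: ROLE_USER }
```

With this configuration, logging in as admin and requesting /account?_switch_user=alice (the default switch_user query parameter) follows the three steps of the report.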