
I am creating a Symfony API (API Platform) with JWT (LexikJWTAuthenticationBundle).

Login works great. I added this to security.yaml:

```yaml
login:
    pattern: ^/api/login
    stateless: true
    json_login:
        check_path: /api/login_check
        success_handler: lexik_jwt_authentication.handler.authentication_success
        failure_handler: lexik_jwt_authentication.handler.authentication_failure
```

The server returns me a token. But when I create a secured resource like

```yaml
- { path: ^/api/notes, roles: IS_AUTHENTICATED_FULLY }
```

and send a request with the token in the Authorization header like

```
Bearer --token--
```

the server ignores it and returns "Full authentication is required to access this resource."

How can I recognize what's wrong? I spent 5 hours on it, but I don't know what I can do.

I run the server with symfony server:start.

When I created a test controller like

```php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

#[Route('/test', name: 'test')]
public function index(Request $request): Response
{
    // Echo the raw Authorization header back so I can see whether the server receives it
    $auth = $request->headers->get('Authorization');
    return new Response("Authorization: '" . $auth . "'");
}
```

it works; the server prints me the token:

```
Authorization: 'Bearer eyJ0eXAiOiJKV1QiLCJh.....'
```

2 Answers

I think you're missing some configuration. You only configured the json_login options, so the Lexik bundle is now responsible for handling the logging in of your users and issuing JWTs. By default, API Platform will still authenticate requests based on session-based cookies, not through the Authorization header. You have to tell API Platform to authenticate requests based on your JWTs.

I believe that it should be enough to add this to your security.yml, but I haven't checked this:

```yaml
firewalls:
    main:
        stateless: true
        provider: app_user_provider   # this has to point to your user provider
        json_login:
            check_path: /api/login_check
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
        jwt: ~
```

(drop the pattern, change login to json_login and add jwt: ~)

Have a look at this documentation: https://api-platform.com/docs/core/jwt/ where it shows how to secure the API platform with JWTs.

Michal Trojanowski
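For a complete picture of what the answer above describes, here is a full security.yaml that keeps the asker's separate login firewall and adds a second firewall that actually consumes the token. This is an added example, not code from the question, the answer, or the LexikJWT/API Platform projects; it assumes a Doctrine user entity App\Entity\User with an email property, a user provider named app_user_provider, and LexikJWTAuthenticationBundle 2.x on Symfony's authenticator-based security system (Symfony 5.3 or later).

```yaml
# config/packages/security.yaml (added example, not the original page's config)
# Assumed: App\Entity\User, provider name app_user_provider, LexikJWT 2.x,
# Symfony 5.3+ authenticator system.
security:
    # Required on Symfony 5.3/5.4; it is the only mode on 6.x and can be dropped there.
    enable_authenticator_manager: true

    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    # Firewalls are matched top to bottom by "pattern"; the first match wins,
    # so the narrow login firewall must come before the broad api firewall.
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Issues the token. Only the login request passes through here.
        login:
            pattern: ^/api/login
            stateless: true
            provider: app_user_provider
            json_login:
                check_path: /api/login_check
                username_path: email
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure

        # Consumes the token. This is the piece the asker's config was missing:
        # without "jwt: ~" the firewall covering /api/notes has no authenticator,
        # so the Authorization header is never read and every protected route
        # answers "Full authentication is required to access this resource."
        api:
            pattern: ^/api
            stateless: true
            provider: app_user_provider
            jwt: ~

        # Everything outside /api (e.g. a web UI) keeps a normal session firewall.
        main:
            lazy: true
            provider: app_user_provider

    # Also first-match-wins: the login endpoint must be public and listed first.
    # On Symfony < 5.2 use IS_AUTHENTICATED_ANONYMOUSLY instead of PUBLIC_ACCESS.
    access_control:
        - { path: ^/api/login_check, roles: PUBLIC_ACCESS }
        - { path: ^/api/notes, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

To check which firewall and authenticators a request hits, run php bin/console debug:firewall api (the command exists since Symfony 5.2); a firewall that lists no authenticators cannot populate the security token no matter what header is sent. The same information is in the web profiler's Security panel for the failing request, which is the quickest way to answer "how can I recognize what's wrong" in the question.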

I had the same issue with API Platform in Sylius and a second GraphQL API at /api/v2/graphql (in addition to the API Platform REST API at /api/v2).

In the Symfony profiler, the security section was disabled for GraphQL requests.

The GraphQL endpoint needs its own firewall:

In security.yaml:

```yaml
security:
    firewalls:
        graphql_shop_user:
            # Sylius parameter holding the API prefix (e.g. /api/v2)
            pattern: "%sylius.security.new_api_route%/graphql"
            provider: sylius_api_shop_user_provider
            stateless: true
            anonymous: true
            # Guard authenticator that reads the Bearer token from the Authorization header
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
```
Jerem