
In my UserProvider I want to check if the user that is in the session is still valid. Valid means its access token (fetched from an external SSO provider) is not expired and is valid in terms of signature.

I find the refreshUser() method an appropriate place for this check, since I want to know on every request if it is still valid.

I notice that I have three return possibilities for the method:

  1. Return the user -> means the user is still allowed to be logged in
  2. Throw a UsernameNotFoundException for "The user does not exist anymore"
  3. Throw an UnsupportedUserException for "This user provider does not support the user, try the next one"

I think option 2 is the required one when the user has expired.

But I also need to log the user out from the SSO in this case, so I have to redirect him to the logout page of the SSO provider.

How can I redirect the user after the user was invalidated by the refreshUser() method?

At the moment Symfony just returns and the user is logged out in Symfony.

Are there any events to work with?

  • The UserProvider is the wrong place to be concerned about redirections. That method can only return a user or throw an exception, that's it. You'd need to go higher in the chain and do it in the security system, redirecting the user on logout. – yivi Sep 14 '21 at 10:12
  • Yeah, I know ... but if refreshUser does not find the user anymore, I assume he will be logged out automatically, or doesn't he? If yes, where is the place to redirect? – Jim Panse Sep 14 '21 at 10:13
  • **Not** on the `refreshUser()` method. Have you searched for "redirect on logout on symfony", for example? Tried any of those solutions? – yivi Sep 14 '21 at 10:14
  • Yes I did, but when I throw the UsernameNotFoundException I just get redirected to the home page ... throwing an authentication exception also just calls the start method of the authenticator – Jim Panse Sep 14 '21 at 10:25
  • It's pretty obvious that I don't want to redirect in the refreshUser method itself ... but it seems there is no way to notice whether the refreshUser method kicked out the user, so that I can react to this "event" somewhere else ... – Jim Panse Sep 14 '21 at 10:31
  • Why was this answer closed? There is no redirect to some logout target URL after the user was "refreshed" ... – Jim Panse Sep 14 '21 at 11:04
  • It was closed because, well, Stack Overflow. But I think what you want is the [User\EquatableInterface](https://symfony.com/doc/current/security/user_provider.html#comparing-users-manually-with-equatableinterface). There is not much written on this, but basically you add an isEqualTo method to your user class, and returning false will log you out. And consider trying the official [Symfony Discussion Board](https://github.com/symfony/symfony/discussions), at least until your frustration passes. – Cerad Sep 14 '21 at 12:24
  • Hi @Cerad ... okay, so maybe I could add an expiry time to the user and update it with the new token's expiry time. I would then return false in the compare function when it expires to simulate the "change" ... thanks a lot, this was one of the useful comments and might point me in the right direction ... of course, the Symfony board is a better place than Stack Overflow for this ... – Jim Panse Sep 14 '21 at 12:37
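An added example of the approach the last two comments converge on (this is not code from the question or from Symfony itself): a user class implementing EquatableInterface whose isEqualTo() returns false once the access token carried by the refreshed user has expired, which makes the security system discard the session token. It assumes Symfony 6 (UserInterface without getPassword()/getSalt()) and that the provider's refreshUser() returns a user carrying the current token and its expiry; the class name SsoUser is made up.

```php
<?php
// Added example, not code from the question or from Symfony. Assumes Symfony 6
// (UserInterface without getPassword()/getSalt()); the class name is made up.

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

final class SsoUser implements UserInterface, EquatableInterface
{
    public function __construct(
        private string $identifier,
        private string $accessToken,            // token issued by the SSO provider
        private \DateTimeImmutable $expiresAt,  // its expiry, e.g. from the "exp" claim
        private array $roles = ['ROLE_USER'],
    ) {
    }

    public function getUserIdentifier(): string { return $this->identifier; }

    public function getRoles(): array { return $this->roles; }

    public function eraseCredentials(): void { }

    public function getAccessToken(): string { return $this->accessToken; }

    /** True once the access token has expired (the clock is injectable for tests). */
    public function isExpired(?\DateTimeImmutable $now = null): bool
    {
        return ($now ?? new \DateTimeImmutable()) >= $this->expiresAt;
    }

    /**
     * Called by the security context listener on every request: $this is the
     * user stored in the session, $user the one UserProvider::refreshUser()
     * just returned. Returning false makes Symfony discard the token, i.e. the
     * user is logged out without refreshUser() having to throw.
     */
    public function isEqualTo(UserInterface $user): bool
    {
        if (!$user instanceof self || $user->identifier !== $this->identifier) {
            return false;
        }
        // $user carries the token the provider just loaded (possibly renewed);
        // once that token is past its expiry, report "changed" to end the session.
        return !$user->isExpired();
    }
}
```

Deauthenticating this way only drops the local session; Symfony's logout handlers do not run for it, so the redirect to the SSO logout page still needs its own listener (Symfony dispatches a deauthentication event at this point in the context listener, which is the hook to use for that).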
