LexikJWTAuthenticationBundle
Failed to get Impersonated user JWT Token
Hi everyone, I have an issue with impersonation when creating the impersonated user JWT token.
Here is the context:
- I have Symfony 6.0 with LexikJWTAuthBundle enabled (v2.15.1). There is an /api/authentication endpoint to create a JWT token to be used by other apps.
- I followed the documentation here https://symfony.com/doc/current/security/impersonating_user.html and created the role_hierarchy and switch_user parameter on the firewall.
- Assume I have super_admin (ROLE_USER, ROLE_SUPER_ADMIN) and normal_user (ROLE_USER) users. I logged in as super_admin to /api/authentication and got the JWT token for super_admin.
- When I use the token (as a bearer in the HTTP header) to generate the normal_user token with impersonation (sending a request to /api/authentication?_switch_user=normal_user), it doesn't work. When I try to send the data in the request body, it always asks for the real username and password, and never returns the impersonated JWT token.
- What I am trying to achieve is: when I am already logged in as super_admin (I have the JWT token), I can create an impersonated JWT token for normal_user, or when there is no JWT token yet, I can create an impersonated JWT token with the super_admin credentials sent to /api/authentication?_switch_user=normal_user.
Is there a bug or have I missed something?
Below is my security.yaml file:
security:
    enable_authenticator_manager: true
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
        App\Entity\User\User:
            algorithm: auto
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User\User
                property: username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/api/authentication$
            stateless: true
            provider: app_user_provider
            json_login:
                check_path: api_authentication
                username_path: username
                password_path: password
                provider: app_user_provider
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            switch_user: { role: ROLE_ALLOWED_TO_SWITCH, parameter: _switch_user }
        api:
            pattern: ^/api/
            stateless: true
            provider: app_user_provider
            entry_point: jwt
            jwt: ~
            refresh_jwt:
                check_path: api_refresh_token
                provider: app_user_provider
            logout:
                path: api_token_invalidate
            switch_user: true
        main:
            lazy: true
            provider: app_user_provider
            logout:
                path: app_logout
            form_login:
                login_path: login
                check_path: login
            json_login:
                check_path: app_json_login
                username_path: username
                password_path: password
            access_denied_url: app_index
            switch_user: true
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/api/token/refresh, roles: PUBLIC_ACCESS }
        - { path: ^/api/authentication, roles: PUBLIC_ACCESS }
        - { path: ^/api, roles: PUBLIC_ACCESS }
when@test:
    security:
        password_hashers:
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
Is it a bug in authentication?
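One way to obtain the impersonated token the reporter describes, as an added example that is neither the bundle's code nor the reporter's: a controller that issues a JWT for the switched-to user only when Symfony's switch-user handling has already produced a SwitchUserToken on the request, and stamps the impersonator into the claims so the impersonation stays auditable. It assumes the stateless api firewall with switch_user: true from the security.yaml above, a hypothetical route /api/impersonate, and that JWTTokenManagerInterface::createFromPayload is available in the installed bundle version.

```php
<?php
// Added example, not code from the bundle or from this issue's reporter. Assumes
// a stateless firewall with `switch_user: true` and the `jwt` authenticator, and a
// request carrying the super_admin bearer token plus `?_switch_user=normal_user`.
namespace App\Controller;

use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\User\UserInterface;

final class ImpersonationTokenController
{
    public function __construct(
        private TokenStorageInterface $tokenStorage,
        private JWTTokenManagerInterface $jwtManager,
    ) {
    }

    // Hypothetical route: GET /api/impersonate?_switch_user=normal_user
    #[Route('/api/impersonate', name: 'api_impersonate', methods: ['GET'])]
    public function __invoke(): JsonResponse
    {
        $token = $this->tokenStorage->getToken();

        // Accept only a token produced by Symfony's switch-user handling: that
        // listener has already verified that the original user holds the role
        // configured for switch_user, so that check is not re-implemented here.
        if (!$token instanceof SwitchUserToken) {
            throw new AccessDeniedException('No active impersonation on this request.');
        }

        $impersonator = $token->getOriginalToken()->getUser();
        $target = $token->getUser();
        if (!$impersonator instanceof UserInterface || !$target instanceof UserInterface) {
            throw new AccessDeniedException('Impersonation token is incomplete.');
        }

        // Mint a JWT for the impersonated user that records who requested it, so
        // the impersonation stays visible in the token's own claims.
        $jwt = $this->jwtManager->createFromPayload($target, [
            'impersonator' => $impersonator->getUserIdentifier(),
        ]);

        return new JsonResponse(['token' => $jwt]);
    }
}
```

Because it reads the switch-user token rather than credentials, this endpoint belongs behind the firewall that authenticates the bearer token (the api firewall in the configuration above), not behind the json_login firewall whose success handler already returns a response. Anyone auditing tokens can then reject or flag JWTs that carry an impersonator claim wherever impersonated sessions should not reach.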
Hello, we face the same issue and I'm trying to implement a fix. Were you able to do something?
Looking for thoughts here as well.
Do you really need an impersonated token? You can simply use the admin token and pass the impersonation via a separate header with each request.