LexikJWTAuthenticationBundle
Issue when combining the JWTUserProvider with other (stateful firewall) UserProviders
So not sure if it is a 'bug' or just misconfiguration on my end, but I am running into some issues when combining multiple authentication mechanisms on the same User object.
The authentication part is working fine; the problems occur when Symfony tries to refresh the user from the session. Symfony\Component\Security\Http\Firewall\ContextListener::refreshUser
loops over every provider that supports the User class, which includes the JWTUserProvider. This is not a problem if the user is still valid: our custom provider comes first, so that one will provide the user.
However, when the logged-in user is no longer valid (for example when the password changes), the JWTUserProvider overwrites the deactivated state of the user by providing a valid user.
JWTUserProvider::supportsClass is only called by the refresh user method if I am right, so because this provider is always linked to a stateless firewall, this method might as well return false. Or will this introduce other problems?
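As an added illustration of the workaround proposed above (not code from the bundle or from the reporter): a decorator around the bundle's JWTUserProvider that answers `false` to `supportsClass()`, so `ContextListener::refreshUser()` skips it and only the stateful provider decides whether a session user is still valid. It assumes Symfony 6+ (`loadUserByIdentifier`) and the bundle's 2.x `PayloadAwareUserProviderInterface`; the class name `SessionBlindJwtUserProvider` is hypothetical.

```php
<?php
declare(strict_types=1);

namespace App\Security;

use Lexik\Bundle\JWTAuthenticationBundle\Security\User\PayloadAwareUserProviderInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

// Hypothetical class (added example). Wrap the bundle's JWTUserProvider so it can
// still authenticate the stateless firewall but can never "resurrect" a user that
// the stateful provider has deactivated or whose password has changed.
final class SessionBlindJwtUserProvider implements PayloadAwareUserProviderInterface
{
    public function __construct(private PayloadAwareUserProviderInterface $inner) {}

    // Token authentication path: build the user from the verified JWT payload,
    // exactly as the bundle's provider would.
    public function loadUserByIdentifierAndPayload(string $identifier, array $payload): UserInterface
    {
        return $this->inner->loadUserByIdentifierAndPayload($identifier, $payload);
    }

    public function loadUserByIdentifier(string $identifier): UserInterface
    {
        return $this->inner->loadUserByIdentifier($identifier);
    }

    // Session refresh path: refuse, so the user can only come from the stateful
    // provider (ContextListener treats UnsupportedUserException as "try the next one").
    public function refreshUser(UserInterface $user): UserInterface
    {
        throw new UnsupportedUserException(self::class . ' does not refresh session users.');
    }

    // ContextListener::refreshUser() checks supportsClass() before calling
    // refreshUser(); returning false makes it skip this provider entirely.
    public function supportsClass(string $class): bool
    {
        return false;
    }
}
```

Register it in security.yaml as the provider of the stateless firewall (`providers: { jwt: { id: App\Security\SessionBlindJwtUserProvider } }`) with the bundle's JWTUserProvider injected as `$inner`, and keep the stateful provider first in the chain used by the session firewall.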
Thanks for the report, this makes sense to me. PR welcome!