How to register and authenticate my users?
Security Bundle
To authenticate or register your users with Symfony, the best and easiest way is to use the Security Bundle. First, install that bundle and follow the instructions given by the official documentation.
At the end of the installation and configuration, you should have a config/packages/security.yaml file that looks like the following:
security:
    providers:
        default:
            id: App\Security\UserProvider
    firewalls:
        main:
            logout:
                path: 'logout'
            ...

Controller
If you are familiar with username/password authentication in Symfony, Webauthn is not very different. You first need a controller that displays the login form:
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class LoginController extends AbstractController
{
    #[Route('/login', name: 'app_login')]
    public function index(AuthenticationUtils $authenticationUtils): Response
    {
        // get the login error if there is one
        $error = $authenticationUtils->getLastAuthenticationError();
        // last username entered by the user
        $lastUsername = $authenticationUtils->getLastUsername();

        return $this->render('login/index.html.twig', [
            'last_username' => $lastUsername,
            'error' => $error,
        ]);
    }
}

Template
Below is an example of a login form using the Stimulus Controller. Please note that:
- The username field is not required. When it is left empty, the request options carry no list of allowed credentials and the browser relies on a discoverable credential (passkey) to identify the user.
- The username field should have the attribute autocomplete="username webauthn". The webauthn token lets the browser offer the user's passkeys through its autofill UI (conditional mediation) instead of opening a modal dialog.
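The login form the two notes above describe, written out as an added example (it is not the page's own template). It assumes the bundle's Stimulus controller is registered under the identifier webauthn, a route named app_login_options that serves the request options, the app_login route from the controller above, a base.html.twig layout and the CSRF token id authenticate; the data attribute names follow the @web-auth/webauthn-stimulus controller and should be checked against the version you install.

```twig
{# templates/login/index.html.twig (added example; route names and data attributes are assumptions) #}
{% extends 'base.html.twig' %}

{% block body %}
    {% if error %}
        {# Translate the error key; never print the raw exception message #}
        <div class="alert">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
    {% endif %}

    <form
        method="post"
        data-controller="webauthn"
        data-webauthn-request-options-url-value="{{ path('app_login_options') }}"
        data-webauthn-request-result-url-value="{{ path('app_login') }}"
        data-webauthn-use-browser-autofill-value="true"
        data-action="submit->webauthn#signin"
    >
        {# No "required" attribute: an empty username means "use a discoverable credential" #}
        <label for="username">Username (optional with a passkey)</label>
        <input
            type="text"
            id="username"
            name="username"
            value="{{ last_username }}"
            autocomplete="username webauthn"
        >

        {# Sent back with the assertion so the authenticator can check a CsrfTokenBadge #}
        <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">

        <button type="submit">Sign in with a passkey</button>
    </form>
{% endblock %}
```

The form has no password field: the only secret involved is the private key held by the authenticator, and the Stimulus controller posts the signed assertion to the result URL once the browser ceremony has completed.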
Login Authenticator
Next, we need a Symfony Authenticator to handle login form submissions. With Webauthn, we use a dedicated Passport that contains a specific Badge.
The Webauthn Badge receives the current host (i.e. the current domain) and the result returned by the FIDO2 Authenticator.
The Webauthn Passport can also receive any other badge you need, e.g. the CSRF Token Badge or a custom badge required by your login flow.
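An authenticator shaped as the paragraph above describes, added here as an example rather than taken from the bundle. The class names WebauthnPassport and WebauthnBadge and their constructor arguments (host and raw assertion for the badge, the badge plus a list of extra badges for the passport) are assumptions inferred from the text and must be checked against the bundle's Security\Authentication namespace; the X-CSRF-Token header, the app_home route and the JSON response shape are also assumptions of this example.

```php
<?php
// src/Security/LoginAuthenticator.php (added example; see the assumptions in the lead-in)
namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
// ASSUMED class names for the bundle's dedicated Passport and Badge described in the text.
use Webauthn\Bundle\Security\Authentication\Passport\WebauthnPassport;
use Webauthn\Bundle\Security\Authentication\Badge\WebauthnBadge;

final class LoginAuthenticator extends AbstractAuthenticator
{
    public function __construct(private readonly RouterInterface $router)
    {
    }

    // Only handle POSTs to the login route carrying a JSON body: that is what the
    // Stimulus controller sends once the browser ceremony has produced an assertion.
    public function supports(Request $request): ?bool
    {
        return $request->isMethod('POST')
            && $request->attributes->get('_route') === 'app_login'
            && str_starts_with((string) $request->headers->get('Content-Type', ''), 'application/json');
    }

    public function authenticate(Request $request): Passport
    {
        $assertion = $request->getContent();
        if ($assertion === '') {
            throw new AuthenticationException('Missing assertion response.');
        }

        // The badge gets the host the request was made to (the relying party ID is
        // derived from it, so a spoofed Host header must never reach here: configure
        // trusted hosts) and the raw result returned by the FIDO2 authenticator.
        // Validating the signature, challenge and origin is the bundle's job, not ours.
        $badge = new WebauthnBadge($request->getHost(), $assertion);

        // Extra badges are optional. The CSRF token travels in a header here because the
        // body is the JSON assertion (the header name is an assumption of this example).
        return new WebauthnPassport($badge, [
            new CsrfTokenBadge('authenticate', $request->headers->get('X-CSRF-Token')),
        ]);
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // The client is a script, so answer with JSON instead of an HTTP redirect.
        return new JsonResponse([
            'status' => 'ok',
            'redirect' => $this->router->generate('app_home'),
        ]);
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        // Keep the message generic: echoing the exception would reveal whether a
        // credential ID or user exists.
        return new JsonResponse(
            ['status' => 'error', 'errorMessage' => 'Authentication failed.'],
            Response::HTTP_UNAUTHORIZED
        );
    }
}
```

Because the badge is built from $request->getHost(), make sure framework.trusted_hosts (or your reverse proxy) pins the hostnames the application answers for; otherwise an attacker-controlled Host header would decide which relying party ID the assertion is checked against.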
Security Configuration
To enable user authentication, declare the Symfony Authenticator on the appropriate firewall (here main).
You also need to define the credential options endpoint, i.e. the route the browser calls to obtain the assertion options (including the challenge) before the ceremony starts.
User Registration
TO BE WRITTEN
Authentication Attributes
The security token returned by the firewall sets some attributes depending on the assertion and the capabilities of the authenticator. The attributes are:
- IS_USER_PRESENT: the user was present during the authentication ceremony. This attribute is usually set to true by authenticators.
- IS_USER_VERIFIED: the user was verified by the authenticator. Verification may be performed by several means, including biometric ones (fingerprint, iris, facial recognition…).
Both flags are read from the authenticator data signed by the authenticator, so they reflect what the authenticator reported, not what the relying party asked for. If your access rules depend on IS_USER_VERIFIED, request user verification when generating the assertion options; otherwise an authenticator without a user verification method returns a valid but unverified assertion.
You can then use these attributes as constraints in your access control rules. For example, the /admin path can be restricted to users who have the role ROLE_ADMIN and were also verified during the ceremony.
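A security.yaml covering both the Security Configuration section (authenticator declared on the main firewall, options endpoint) and the access control rule just described, added here as an example; it is not the page's own configuration. It assumes the App\Security\LoginAuthenticator class name, that the bundle registers voters so IS_USER_VERIFIED can be used with is_granted(), and the key under which the options endpoint is declared (marked below), which must be taken from the bundle's configuration reference.

```yaml
# config/packages/security.yaml (added example; see the assumptions in the lead-in)
security:
    providers:
        default:
            id: App\Security\UserProvider

    firewalls:
        main:
            provider: default
            # Declare the login authenticator on this firewall.
            custom_authenticators:
                - App\Security\LoginAuthenticator
            logout:
                path: 'logout'
            # Endpoint issuing the assertion options and the challenge the browser hands
            # to the authenticator. ASSUMED key name: check the bundle's configuration.
            webauthn:
                request_options_path: '/login/options'

    access_control:
        # WEAK: with Symfony's default "affirmative" decision strategy, several roles in
        # one rule are OR'ed, so an admin who was NOT verified by the authenticator
        # would still be let in.
        # - { path: ^/admin, roles: [ROLE_ADMIN, IS_USER_VERIFIED] }

        # CORRECT: require both the role and the IS_USER_VERIFIED token attribute.
        - { path: ^/admin, allow_if: "is_granted('ROLE_ADMIN') and is_granted('IS_USER_VERIFIED')" }

        # The login page and the options endpoint must stay reachable anonymously.
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
```

The allow_if form matters: access_control evaluates all roles of one rule in a single decision, and under the default strategy a single matching voter is enough to grant access, which silently drops the verification requirement.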