To authenticate or register your users with Symfony, the best and easiest way is to use the Security Bundle. First, install that bundle and follow the instructions given by .
At the end of the installation and configuration, you should have a config/packages/security.yaml file that looks like as follow:
If you are familiar with the Username/Password authentication with Symfony, it is not very different with Webauthn. You first need a controller to display the login form
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
class LoginController extends AbstractController
{
#[Route('/login', name: 'app_login')]
public function index(AuthenticationUtils $authenticationUtils): Response
{
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
return $this->render('login/index.html.twig', [
'last_username' => $lastUsername,
'error' => $error,
]);
}
}
Template
The usenrame field is not required
The username field should have the attribute autocomplete="username webauthn"
Next, we need a Symfony Authenticator to handle login form submissions. With Webauthn, we use a dedicated Passport that shall contain a specific Badge.
The Webauthn Badge will receive the current host (i.e. the current domain) and the result from the FIDO2 Authenticator.
The Webauthn Passport can receive any other badge you need e.g. the CRSF Token Badge or a custom badge required for your authentication login.
<?php
declare(strict_types=1);
namespace App\Security\Functional;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Webauthn\Bundle\Security\Authentication\WebauthnAuthenticator;
use Webauthn\Bundle\Security\Authentication\WebauthnBadge;
use Webauthn\Bundle\Security\Authentication\WebauthnPassport;
final class LoginAuthenticator extends WebauthnAuthenticator
{
public function __construct(
private readonly UrlGeneratorInterface $urlGenerator,
) {
}
public function authenticate(Request $request): Passport
{
return new WebauthnPassport( #Dedicated Passport
new WebauthnBadge( # Dedicated badge
$request->getHost(),
$request->request->get('_assertion', '') // From the login form. See below
),
[/** Add other badges here */]
);
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
return new JsonResponse([
'success' => true,
]);
}
protected function getLoginUrl(Request $request): string
{
return $this->urlGenerator->generate('app_login'); //Redirect to the login controller
}
}
Security Configuration
To enable the user authentication, you just have to declare the Symfony Authenticator if the appropriate firewall (here main).
The security token returned by the firewall sets some attributes depending on the assertion and the capabilities of the authenticator. The attributes are:
IS_USER_PRESENT: the user was present during the authentication ceremony. This attribute is usually set to true by authenticators,
IS_USER_VERIFIED: the user was verified by the authenticator. Verification may be performed by several means including biometrics ones (fingerprint, iris, facial recognition…).
You can then set constraints to the access controls. In the example below, the /admin path can be reached by users with the role ROLE_ADMIN and that have been verified during the ceremony.
