How does login and authentication work in Symfony 5.*

This is basically just my notes at this time and what I have found. I’ll keep adding to it over time. I can never, ever for the life of me remember how this complicated BS works.

To learn that see the links section. Here is an excellent article about the files involved, the process etc.

If you are wanting to know the overview of how the Syfmony Authentication system works it is actually under Security here.

How it works overview.

This is only what I have found. I don’t know 100% how it works at this time.

First off a list of files involved in the login process. These are from running the standard Makers.

  1. The login form obviously app/templates/security/login.html.twig
  2. A security controller app/src/Controller/SecurityController.php
  3. A user Provider (freeking words) aka the User entity class app/src/Entity/User.php
  4. An Authenticator app/src/Security/LoginFormAuthenticator.php

When a user tries to login Symfony first calls LoginFormAuthenticator.php to check to see if the user is logged in/authenticated so the work is not done in the controller like most other actions.

To change, add, remove anything from the authentication process you make changes in the LoginFormAuthenticator.php methods. Unless it is done in configs, like multiple Authenticators. And some of this is controlled by configurations.

This authenticator is listed in the app/config/packages/security.yaml file under firewalls:main:guard:athenticators as

- App\Security\LoginFormAuthenticator

symfony firewall authenticator section

Every time a request is made the firewall will use the authenticator listed to try to authenticate the user. If authentication fails Symfony secretly behind the scenes tries other ways to authenticate the user as you can see in the image below. I haven’t found the info about this yet.

symfony guards
Secret guards attack

As you can see in the image above Symfony will try your guard you listed in the configuration file, but it also tries it’s own secret list of default authenticators. And seeing the above in my logs kept making me say WTF is this BS and why is it happening.

secret agent meme
shh it’s a secret

That has been my biggest complaint about Symfony, the docs and info are scattered all over, especially about Authentication.


I’ve literally had to hunt and peck and google and dig to find this info and figure out how the hell the system works. I hope this saves someone time.

For information about the login form see this article in the docs.

Here is a SymfonyCast with some good info, a bit has changed from version 4 to 5.3(current)

This is a new SymfonyCast for version 5 not even done yet. It has more info on WTF is going on.

Here is a  link in the symfony docs about authentication. I only find it minimally useful after creating my login system with makers. I’d like to see more about what happens each time a page is accessed etc. like what process is the system following?

Here is a link to symfony docs on how to create your own authenticator.

The best link I have found yet this info should be in the docs

Here is a really helpful article I finally found. It contains info that should be in the docs, like how the system works if you create it with makers, like probably 98% of the people out there. And basically how the system functions.






One response to “How does login and authentication work in Symfony 5.*”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.