Introducing Guard: Symfony Security with a Smile
tl;dr Guard is a new library that makes Symfony authentication a joy. And we've written a big tutorial all about it: KnpUGuard Tutorial.
Symfony's authorization system - the stuff related to voters and roles - is awesome. It's simple, it kicks butt, and it's one of my favorite things, just behind fresh-baked cookies.
But then there's that other part: authentication. This is how you login: maybe with a form or via OAuth, like Facebook login. This part is probably the single worst part of Symfony. It's over-engineered, hard to customize and no fun to work with.
Examples? Creating a form login is easy, but customizing how you load the user or what happens when authentication fails is hard. Creating an API token is pretty easy, assuming you understand what a "token" is and you don't need multiple authentication methods. And how would you handle Facebook login? Fortunately, HWIOAuthBundle exists, but it has a lot of security classes to make this happen.
This problem was screaming for a solution. If we could make Symfony's authentication system simple and fun, the whole security system would go from a pain, to a powerful tool.
Hello Guard! (GitHub, Packagist): a tiny library (and bundle) that puts every part of an authentication scheme into one place: GuardAuthenticatorInterface. To create your custom authentication system, just make one class, implement this interface, fill in the methods and celebrate with a milk shake.
Need to customize how you query or load your user? You'll do that in
Have a special way to check passwords or that a token is valid? Do whatever you want
createAuthenticatedToken(). Maybe you need to hook into what happens right after
the user successfully authenticates. Just do that in
onAuthenticationFailure() for the opposite.
Read the KnpUGuard Tutorial to get started.
This library won't be perfect yet, so if you find any issues or have a use-case that isn't possible, open an issue and let's see if we can improve things.
Yes, there is a secret goal behind all of this: to get Guard merged into Symfony. There is a pull request already symfony/symfony#14673, but thanks to KnpUGuard, you don't have to wait for the next version of Symfony. Releasing it now also let's us test and improve things, so that the final version - if it's accepted into Symfony - will be truly great.