This tutorial has a new version, check it out!

Registering the Authenticator (Part 2)

Keep on Learning!

If you liked what you've learned so far, dive in!
Subscribe to get access to this tutorial plus
video, code and script downloads.

Start your All-Access Pass
Buy just this tutorial for $10.00

The authenticator class is done - well done enough to see it working. Next, we need to register it as a service. Open up app/config/services.yml to add it: call it jwt_token_authenticator. Set its class to AppBundle\Security\JwtTokenAuthenticator:

... lines 1 - 5
... lines 7 - 35
class: AppBundle\Security\JwtTokenAuthenticator
autowire: true

And instead of adding an arguments key: here's your permission to be lazy! Set autowire to true to make Symfony guess the arguments for us.

Finally, copy the service name and head into security.yml. Under the firewall, add a guard key, add authenticators below that and paste the service name:

... lines 2 - 8
... lines 11 - 20
- 'jwt_token_authenticator'
... lines 24 - 32

As soon as you do that, Symfony will call getCredentials() on the authenticator on every request. If we send a request that has an Authorization header, it should work its magic.

Let's try it! Run our original testPOSTProgrammerWorks() test: this is sending a valid JSON web token.

./vendor/bin/phpunit --filter testPOSTProgrammerWorks

And this time... it passes!

Hold on, that's pretty amazing! The authenticator automatically decodes the token and authenticates the user. By the time ProgrammerController is executed, our user is logged in. In fact, there's one other spot we can finally fix.

Down on line 37, we originally had to make it look like every programmer was being created by weaverryan:

... lines 1 - 18
class ProgrammerController extends BaseController
... lines 21 - 24
public function newAction(Request $request)
... lines 27 - 36
... lines 38 - 50
... lines 52 - 191

Without authentication, we didn't know who was actually making the API requests, and since every Programmer needs an owner, this hack was born.

Replace this with $this->getUser():

... lines 1 - 18
class ProgrammerController extends BaseController
... lines 21 - 24
public function newAction(Request $request)
... lines 27 - 36
... lines 38 - 50
... lines 52 - 191

That's it.

Our controller doesn't know or care how we were authenticated: it just cares that $this->getUser() returns the correct user object.

Run the test again.

./vendor/bin/phpunit --filter testPOSTProgrammerWorks

It still passes! Welcome to our beautiful JWT authentication system. Now, time to lock down every endpoint: I don't want other users messing with my code battlers.

Leave a comment!

  • 2018-10-13 weaverryan

    Woohoo! Nice work Tech Nomad!

    Yes, the supports() method is the FIRST method that Symfony calls at the beginning of each request. If it returns false (which is what was happening before), then no other methods are called on your authenticator and your request continues anonymously. But then, if that same anonymous request tries to access page that requires login, Symfony "kicks" them out. Specifically, it alls the *start()* method on your authentication, which is where we tell the user that they need to send authentication information.

    Anyways, nice work - and I hope it makes a bit more sense now!


  • 2018-10-13 Tech Nomad

    I've solved it! 🎉🎉🎉🎉🎉🎉
    I had to add this line of code inside my supports() method in JwtAuthenticator!

    public function supports( Request $request ) {
    return $request->headers->has( 'Authorization' ) && 0 === strpos( $request->headers->get( 'Authorization' ), 'Bearer ' );

    Found it in the final code of the new Security Tutorial inside the ApiTokenAuthenticator.php file.

  • 2018-10-12 Tech Nomad

    Hey Ryan,
    I can't authenticate via the custom jwt_(token_)authenticator :(
    I get the Jwt(Token)Authenticator->start() method processed with returning a custom error message like this:

    "error": "auth required",
    "request": {
    "attributes": {},
    "request": {},
    "query": {},
    "server": {},
    "files": {},
    "cookies": {},
    "headers": {}
    "$authException->getToken": null,
    "$authException->getMessageKey": "Authentication credentials could not be found.",
    "$authException->getMessageData": []

    Would be great if you could help me out. I have spend yesterday whole day on this issue :(

  • 2018-08-20 Diego Aguiar

    Awesome! so the security check works properly by not allowing you to authenticate if the given user is disabled. Nice job man!

  • 2018-08-20 Tim van der Zouwen

    Hey Ryan,

    1) This is my getUser():

    public function getUser($credentials, UserProviderInterface $userProvider)
    try {
    $data = $this->jwtEncoder->decode($credentials);
    } catch (JWTDecodeFailureException $e) {
    throw new CustomUserMessageAuthenticationException('Invalid Token');

    $username = $data['username'];

    // For debug only
    $userObj = $this->em
    ->findOneBy(['username' => $username]);

    // End debug

    return $this->em
    ->findOneBy(['username' => $username]);

    This is the User Object that I get from the var_dump().
    object(AppBundle\Entity\User\User)#1141 (14) {
    string(11) ""
    string(11) ""
    string(11) ""
    string(11) ""
    string(88) "R44WYsdJmxHRz88jnfOEmDVUjXjHDcV8Ub1g6sivkRqiX7MEHkB6u2DKWJgRmZ/RGnISWg7TFkucx/VnpaeCVw=="
    array(0) {

    2) This is the solution! When I dump the credentials I get:

    PHPUnit 6.5.11 by Sebastian Bergmann and contributors.

    Host: localhost:8000
    Date: Mon, 20 Aug 2018 15:04:04 +0000, Mon, 20 Aug 2018 15:04:04 GMT
    Connection: close
    X-Powered-By: PHP/7.1.16
    Cache-Control: no-cache, private
    Content-Type: application/problem+json
    "detail": "Account is disabled.",
    "status": 401,
    "type": "about:blank",
    "title": "Unauthorized"
    F 1 / 1 (100%)

    Time: 1.23 seconds, Memory: 24.00MB

    There was 1 failure:

    1) AppBundle\Test\Controller\API\JobOfferControllerTest::testPOSTJobOfferWorks
    Failed asserting that 401 matches expected 201.

    That clearly tells me the User is disabled!!!

    So Now I've updated my createUser class with:

    And everything works Fine now.

    Thank you very much!

  • 2018-08-20 weaverryan

    Hey Tim van der Zouwen!

    Hmm... this IS strange! So, a few questions:

    1) Once you get your User object, you ARE returning this from getUser() correct? Could you post the important parts of your authenticator?

    2) Are you 100% sure that checkCredentials() is *never* called?

    I'm asking these simple questions because the situation just doesn't make sense yet :). As you probably know, if you return a UserInterface object from getUser(), then checkCredentials() is ALWAYS called. Here's the core code that handles that:

    The ONLY thing that is checked between these two methods is the $this->userChecker->checkPreAuth($user);. Here is the core UserChecker - - it IS possible that this is causing some sort of failure - I would double check.

    Let me know what you find out!


  • 2018-08-20 Tim van der Zouwen


    I'm trying to use this in my project. But I will always get stuck in the start() function.
    - symfony/symfony: v3.4.1
    - lexik/jwt-authentication-bundle: v2.5.4

    When I debug my JwtTokenAuthenticator.php I get the following:

    01] getCredentials(){

    I get a token.

    So when I debug:

    02] getUser(){
    var_dump($data);var_dump(date('d-M-Y H:i:s',$data['exp']));var_dump(date('d-M-Y H:i:s')); die;

    Gives me:

    array(3) {
    string(11) ""
    string(20) "20-Aug-2018 09:33:11"
    string(20) "20-Aug-2018 08:33:11"

    The ->findOneBy(['username' => $username]); also gives me a valid $user object.

    03] I expect to go to:

    public function checkCredentials($credentials, UserInterface $user)
    return true;

    But instead I end up in:

    public function start(Request $request, AuthenticationException $authException = null)
    return new JsonResponse([
    'error' => 'auth requirerd'

    Can somebody explain to me why what is going wrong.

  • 2018-07-18 weaverryan

    You nailed it! Well also, because when you refresh the page, that bar at the bottom is final, "static" information about the request that just finished. Even if you DID login via another tab using a traditional session-based approach, the bar on the original page would still just sit there and say "Anonymous". The only magic-updating part of the bar is the cool part that shows the AJAX requests :).

    Happy to help! Cheers!

  • 2018-07-18 Shaun

    Aaah yes, I can see in the profile bar that each ajax request is authenticated, but the user remains unauthenticated in the bar. I presume this is because the state is stored in the client side when you setup a web app as an api, as opposed to a traditional web app where the authenticated user is stored is a server session variable.

    Thanks for your help :)

  • 2018-07-16 weaverryan

    Hey Shaun!

    Hmm. MAYBE :). When you load the site in your browser, you're probably not (somehow) sending the JWT token, right? So it makes sense that you would not be authenticated? Or are you doing something interesting for this :).

    If you use your JWT to make a few authenticated API requests to your system, you should then be able to go to /_profiler to see a list of those requests. If you click the link next to one of them, you'll enter into the profiler for that page. Then, click on the Security tab on the left to see if you are authenticated on that request. You *should* be there.


  • 2018-07-15 Shaun

    Hi guys,

    I've implemented JWT Authenticator with Guard in my app just like the one in this tutorial, however the Symfony Debug bar shows the user as unauthenticated, is this expected behaviour?

  • 2017-11-07 weaverryan

    Hey einue!

    Sorry for the late reply - for some reason Disqus put your comment in Spam :(.

    Check out this issue: - it is likely your problem!


  • 2017-11-01 Victor Bocharsky

    Hey einue ,

    I believe you can get access to all those headers via Symfony Request object, i.e:


    I mean, you can avoid apache_request_headers() function call and that extra check with function_exists(). Isn't that data set? I thought it should be parsed with Symfony Request.


  • 2017-10-27 einue

    It seems like the authorization header is saved in the apache_request_headers.

    If I add this Code

    if (!$request->headers->has('Authorization') && function_exists('apache_request_headers')) {
    $all = apache_request_headers();
    if (isset($all['Authorization'])) {
    $request->headers->set('Authorization', $all['Authorization']);

    at the beginning of getCredentials, it works with the authorization key. But that's in fact not a really nice solution... Now i implement an eventListener to fix that.

  • 2017-10-27 einue

    Hi Victor Bocharsky , thanks for the fast repsonse. I followed the video tutorial. I also changed the status code in the newAction. Then i get the error: Failed asserting that 200 matches expected 201.

    If I change the 'Authorization' key in getCredentials to 'Test' and also in the testPOSTProgrammerWorks-Method. It works fine.
    It seems like the Authorization-Header doesn't work. I use a vagrant box with apache.

  • 2017-10-27 Victor Bocharsky

    Hey einue ,

    The code in start/ and finish/ is different for this course. Also, status code should be 201 (not 200) as we have in "symfony-rest4/finish/src/AppBundle/Controller/ApiProgrammerController" file -> "newAction()" method -> and see 201 status code on line 45: "$response = $this->createApiResponse($programmer, 201);".

    Do you watch videos or are you following this tutorial by course scripts and code blocks only? Because, right in this video I see we return 201 in newAction().

    I'd be glad to help you to figure out this problem.


  • 2017-10-27 einue

    Hy, can you update the finish folder in the download project?
    I think the TokenControllerTest is missing and the ProgrammerControllerTest is not up to date.

    I followed your tutorial and I still get the 200 instead of the 201 status code for testPOSTProgrammerWorks.
    I put an echo json_encode($request); in the getCredentials Function. And by running the test, i got an empty request:

    I don't know, whats going wrong?

  • 2017-10-17 Diego Aguiar

    Hey @Greg!

    haha, it's ok to ask, someone else might find it useful :)
    and yes, if you have two different ways of accessing to your app (web, API), it's recommended to configure two firewalls


  • 2017-10-17 Greg


    It's me again ;)

    I have a little question about guard if I want to use guard for the api and for the web.

    I suppose I need 2 classes one for the web and one for the API but in security.yml, do I just declare the 2 services under the authenticators key ?

    Thanks again for all.

    Edit: One more time I really should to watch all the videos before I open my mouth ;)
    2 firewalls are the solution.
    isn't it?


  • 2017-08-14 weaverryan

    Yes! Code would be very helpful :). In general, the 401 happens when you try to access a secured endpoint, and there is NO authentication information on the request. Have you added code to your start() method yet? If so, if you modify the response in that method (e.g. change it to a 402), does that change your response to a 402 or is it still a 401? Typically, the start() method is responsible for returning the 401, but I want to be sure.

    To debug, I would look hard at your getCredentials() method. My guess is that this method is returning null, even when there is a JWT in the request. If I'm correct, then because you are returning null, the authenticator is being skipped, and so you ultimately receive the 401.


  • 2017-08-11 Diego Aguiar

    Hey Rajesh Patel

    Could you show us your code? So we can help you debugging


  • 2017-08-10 Rajesh Patel

    i have done all the code according to tutorial but its always return 401 Unauthorized.I am sending authorization header with JWT tokens but its not working can anyone help me please?

  • 2017-07-28 Diego Aguiar

    Hey Ayham Hasan!

    In that case you could inject the "TokenStorage" into your Subscriber class (By using dependency injection), and then, retrieve the User from it. Actually you would be "almost" duplicating all the logic that Symfony's BaseController does

    This is the right namespace of the TokenStorage:

    // in somewhere from your subscriber class

    $user = $this->tokenStorage->getToken();

    if (!is_object($user = $token->getUser())) {
    // user is not logged in


  • 2017-07-28 Ayham Hasan

    Hi, I have one question, I would like to call $this->getUser() not in Controller like in LocaleSubscriber class, how could I do that??

  • 2016-12-06 Victor Bocharsky

    Hey Zuhayer,

    When you have more than one service which extends the same class - you need to stop using "autowire: true" and set your dependencies manually. It's a normal behavior - system just can't determine by itself what service to inject. So you have to take this work on yourself. It's rare, but sometimes it happens like in your example with SonataAdminBundle.


  • 2016-12-06 Zuhayer Tahir

    When I configure autowire i get an error

    class: AppBundle\Security\JwtTokenAuthenticator
    autowire: true
    Unable to autowire argument of type "Doctrine\ORM\EntityManager" for the service "jwt_token_authenticator". Multiple services exist for this class (doctrine.orm.default_entity_manager, sonata.admin.entity_manager).

    How to resolve this error, or is this normal behavior when using SonataAdminBundle?
    Currently I am manually configuring and it works:

    arguments: ['@lexik_jwt_authentication.encoder', '@doctrine.orm.entity_manager', '@api.response_factory']

  • 2016-09-07 Victor Bocharsky

    Hey Rakib,

    It's weird. Could you please show your current content of security.yml file? At least security.firewalls section. You could show it in comment here or better use GitHub Gist for that.


  • 2016-09-06 Rakib Ahmed Shovon

    Unrecognized option "guard" under "security.firewalls.main"
    why Unrecognized ? cant move forward :-(
    did as you said . help pls