Extending Authenticator

The JWTAuthenticator class is responsible of authenticating JWT tokens. It is used through the lexik_jwt_authentication.security.jwt_authenticator abstract service which can be customized in the most flexible but still structured way to do it: creating your own authenticators by extending the service, so you can manage various security contexts in the same application.

Creating your own Authenticator

        1
2
3
4
5
6
7
8
        namespace App\Security;

use Lexik\Bundle\JWTAuthenticationBundle\Security\Authenticator\JWTAuthenticator;

class CustomAuthenticator extends JWTAuthenticator
{
    // Your own logic
}
    

        1
2
3
4
5
        # config/services.yaml
services:
    app.custom_authenticator:
        class: App\Security\CustomAuthenticator
        parent: lexik_jwt_authentication.security.jwt_authenticator
    

        1
2
3
4
5
6
7
8
9
10
        # config/packages/security.yaml
security:
    # ...
    firewalls:
        # ...
        api:
            pattern:   ^/api
            stateless: true
            jwt:
                authenticator: app.custom_authenticator
    

Note

The code examples of this section require to have this step done, it may not be repeated.

Using different Token Extractors per Authenticator

Token extractors are set up in the main configuration of this bundle (see configuration reference). If your application contains multiple firewalls with different security contexts, you may want to configure the different token extractors which should be used on each firewall respectively. This can be done by having as much authenticators as firewalls (for creating authenticators, see the first section of this topic).

You can overwrite the getTokenExtractor() in custom authenticator:

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
        /**
* @return TokenExtractor\TokenExtractorInterface
*/
protected function getTokenExtractor()
{
    // Return a custom extractor, no matter of what are configured
    return new TokenExtractor\AuthorizationHeaderTokenExtractor('Token', 'Authorization');

    // Or retrieve the chain token extractor for mapping/unmapping extractors for this authenticator
    $chainExtractor = parent::getTokenExtractor();

    // Clear the token extractor map from all configured extractors
    $chainExtractor->clearMap();

    // Or only remove a specific extractor
    $chainTokenExtractor->removeExtractor(function (TokenExtractor\TokenExtractorInterface $extractor) {
        return $extractor instanceof TokenExtractor\CookieTokenExtractor;
    });

    // Add a new query parameter extractor to the configured ones
    $chainExtractor->addExtractor(new TokenExtractor\QueryParameterTokenExtractor('jwt'));

    // Return the chain token extractor with the new map
    return $chainTokenExtractor;
}
    

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.

TOC

Version