- Add
#[IsCsrfTokenValid]
attribute - Add CAS 2.0 access token handler
- Make empty username or empty password on form login attempts throw
BadCredentialsException
- Add argument
$badgeFqcn
toPassport::addBadge()
- Add argument
$lifetime
toLoginLinkHandlerInterface::createLoginLink()
- Throw when calling the constructor of
DefaultLoginRateLimiter
with an empty secret
UserValueResolver
no longer implementsArgumentValueResolverInterface
- Deprecate calling the constructor of
DefaultLoginRateLimiter
with an empty secret
- Add
RememberMeBadge
toJsonLoginAuthenticator
and enable reading parameter in JSON request body - Add argument
$exceptionCode
to#[IsGranted]
- Deprecate passing a secret as the 2nd argument to the constructor of
Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler
- Add
OidcUserInfoTokenHandler
andOidcTokenHandler
with OIDC support forAccessTokenAuthenticator
- Add
attributes
optional array argument inUserBadge
- Call
UserBadge::userLoader
with attributes if the argument is set - Allow to override badge fqcn on
Passport::addBadge
- Add
SecurityTokenValueResolver
to inject token as controller argument
- Add maximum username length enforcement of 4096 characters in
UserBadge
- Add
#[IsGranted()]
- Deprecate empty username or password when using when using
JsonLoginAuthenticator
- Set custom lifetime for login link
- Add
$lifetime
parameter toLoginLinkHandlerInterface::createLoginLink()
- Add RFC6750 Access Token support to allow token-based authentication
- Allow using expressions as
#[IsGranted()]
attribute and subject
- Remove
LogoutSuccessHandlerInterface
andLogoutHandlerInterface
, register a listener on theLogoutEvent
event instead - Remove
CookieClearingLogoutHandler
,SessionLogoutHandler
andCsrfTokenClearingLogoutHandler
. UseCookieClearingLogoutListener
,SessionLogoutListener
andCsrfTokenClearingLogoutListener
instead
- Deprecate the
$authenticationEntryPoint
argument ofChannelListener
, and add$httpPort
and$httpsPort
arguments - Deprecate
RetryAuthenticationEntryPoint
, this code is now inlined in theChannelListener
- Deprecate
FormAuthenticationEntryPoint
andBasicAuthenticationEntryPoint
, in the new system theFormLoginAuthenticator
andHttpBasicAuthenticator
should be used instead - Deprecate
AbstractRememberMeServices
,PersistentTokenBasedRememberMeServices
,RememberMeServicesInterface
,TokenBasedRememberMeServices
, use the remember me handler alternatives instead - Deprecate the
$authManager
argument ofAccessListener
- Deprecate not setting the
$exceptionOnNoToken
argument ofAccessListener
tofalse
- Deprecate
DeauthenticatedEvent
, useTokenDeauthenticatedEvent
instead - Deprecate
CookieClearingLogoutHandler
,SessionLogoutHandler
andCsrfTokenClearingLogoutHandler
. UseCookieClearingLogoutListener
,SessionLogoutListener
andCsrfTokenClearingLogoutListener
instead - Deprecate
PassportInterface
,UserPassportInterface
andPassportTrait
, usePassport
instead
The CHANGELOG for version 5.3 and earlier can be found at https://github.com/symfony/symfony/blob/5.3/src/Symfony/Component/Security/CHANGELOG.md