auth0 / symfony

Symfony SDK for Auth0 Authentication and Management APIs.
MIT License

Session error with stateless firewall - configuration options #155

Closed jmiridis closed 11 months ago

jmiridis commented 1 year ago

Checklist

Describe the problem you'd like to have solved

With Symfony feature #48044, a firewall that is configured stateless will add an attribute _stateless to the request. The AbstractSessionListener checks the attribute at the end of a request and throws an UnexpectedSessionUsageException("Session was used while the request was declared stateless.") if a session has been started. I am using the auth0.authorizer authorizer and stateless: true in my firewall which now throws this error.

Describe the ideal solution

I am not sure whether this is a bug or something that could be handled by allowing a different configuration. Is there a way to change the configuration to prevent this error or could it be added?

Alternatives and current workarounds

No response

Additional context

No response

evansims commented 1 year ago

Hey @jmiridis 👋 Thanks for raising this.

This appears to be a new feature introduced into Symfony after our most recent SDK release. I'll need to investigate this a bit more and get back to you.

aless673 commented 1 year ago

This is now a 500 error with the latest Symfony versions. Stateless auth is now unusable with auth0/symfony.

evansims commented 1 year ago

Hi @aless673, thanks for reporting. We do not presently support the stateless configuration property — it would have been purely coincidental if it worked in any previous version. It’s on our radar.

DavidBadura commented 1 year ago

I have the same problem. Does anyone have a workaround?

jvdhehvg commented 1 year ago

I have the same problem. Does anyone have a workaround?

@DavidBadura you can define a strategy in the auth0 SDK config like so:

auth0:
    sdk:
        ...
        strategy: "api"
        ...

This will make sure that the SDK will not start a session. Does this solve your problem?
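Putting the two pieces of this thread together (the `stateless: true` firewall from the issue description and the `strategy: "api"` SDK setting from the workaround above), the following is an added configuration example, not the repository's own `example` directory and not code posted by any participant. The firewall name, route pattern and the elided SDK keys (`...`) are assumptions; only `stateless: true`, `auth0.authorizer` and `strategy: "api"` come from the thread.

```yaml
# config/packages/security.yaml (added example; firewall name and pattern are assumptions)
security:
    firewalls:
        api:
            pattern: ^/api             # assumption: routes protected by bearer tokens
            stateless: true            # Symfony marks the request with the _stateless attribute;
                                       # AbstractSessionListener then fails the request if a session starts
            custom_authenticators:
                - auth0.authorizer     # token-based authenticator named in the issue

# config/packages/auth0.yaml (added example; other SDK keys omitted as in the thread)
auth0:
    sdk:
        ...
        strategy: "api"                # SDK never starts a session, so the stateless check passes
        ...
```

The defensive point is the pairing: `stateless: true` alone does not stop the SDK from touching the session, it only turns that access into an `UnexpectedSessionUsageException` (the 500 reported above). Setting `strategy: "api"` removes the session access itself, which is what a stateless, token-only firewall requires; the comment below confirms this combination is the supported one and that session-based authentication cannot be made stateless.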

evansims commented 11 months ago

A working example configuration of using stateless with token-based authentication is available in the "example" subdirectory of the repository. Note that this will never work with session-based authentication for apparent reasons.