symfony / symfony-docs

The Symfony documentation
https://symfony.com/doc

guard_authentication documentation for api firewall #8051

Closed hackzilla closed 6 years ago

hackzilla commented 7 years ago

I can't figure out how your_db_provider property apiKey is actually used with $userProvider->loadUserByUsername($apiKey);

    # app/config/security.yml
    security:
        # ...

        providers:
            your_db_provider:
                entity:
                    class: AppBundle:User
                    property: apiKey

        # ...

near https://symfony.com/doc/current/security/guard_authentication.html#create-a-user-and-a-user-provider

There is no mention of modifying UserRepository->loadUserByUsername to handle apiKey.

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $apiKey = $credentials['token'];

        if (null === $apiKey) {
            return;
        }

        // if null, authentication will fail
        // if a User object, checkCredentials() is called
        return $userProvider->loadUserByUsername($apiKey);
    }

I was expecting the property key to be passed somehow into UserLoaderInterface

property: apiKey

My current expectation is to create another method loadUserByApiKey

hackzilla commented 7 years ago

I've just found \Symfony\Bridge\Doctrine\Security\User\EntityUserProvider:loadUserByUsername

I think there should still be a note added about property, as the documentation on https://symfony.com/doc/current/security/entity_provider.html#using-a-custom-query-to-load-the-user refers to creating your own loadUserByUsername, but not property.

xabbuh commented 7 years ago

If you are writing your own query to load users, there is no need to configure the property (you just write the query the way it has to be). The property is only needed if you do not write your own query, but make use of the built-in entity user provider.

javiereguiluz commented 6 years ago

I'm closing this as fixed because the mentioned section (https://symfony.com/doc/current/security/entity_provider.html#using-a-custom-query-to-load-the-user) was updated to explain that you must remove the property when using a custom query, etc.
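The distinction xabbuh draws between a configured property and a custom query, modelled as an added example that is not part of the thread and is not Symfony's own code. All `Sketch*` names, the `enabled` field and the sample key are assumptions made for illustration, and returning null on a miss is a simplification.

```php
<?php
// Added sketch: every Sketch* name is hypothetical, not a Symfony class.
interface SketchUserLoader
{
    public function loadUserByUsername($username);
}

class SketchRepository
{
    protected $rows;
    public function __construct(array $rows) { $this->rows = $rows; }
    // Stand-in for Doctrine's findOneBy(): strict match on every given field.
    public function findOneBy(array $criteria)
    {
        foreach ($this->rows as $row) {
            foreach ($criteria as $field => $value) {
                if (!isset($row[$field]) || $row[$field] !== $value) { continue 2; }
            }
            return $row;
        }
        return null;
    }
}

class SketchCustomRepository extends SketchRepository implements SketchUserLoader
{
    // The "custom query": the value passed in as $username is the API key.
    public function loadUserByUsername($username)
    {
        return $this->findOneBy(['apiKey' => $username, 'enabled' => true]);
    }
}

function sketchLoadUser(SketchRepository $repo, $property, $identifier)
{
    if (null !== $property) {
        // "property" configured: built-in lookup on that one field.
        $user = $repo->findOneBy([$property => $identifier]);
    } elseif ($repo instanceof SketchUserLoader) {
        // No "property": the repository's own query decides what matches.
        $user = $repo->loadUserByUsername($identifier);
    } else {
        throw new InvalidArgumentException('Set "property" or implement the loader.');
    }
    return $user; // null means authentication fails, as in getUser() above
}

// Constructed sample data: bob's account is disabled.
$rows = [['username' => 'bob', 'apiKey' => 'constructed-key-bob', 'enabled' => false]];
var_dump(null !== sketchLoadUser(new SketchRepository($rows), 'apiKey', 'constructed-key-bob'));
var_dump(null !== sketchLoadUser(new SketchCustomRepository($rows), null, 'constructed-key-bob'));
```

The property lookup matches on the key alone, so any extra condition on who may authenticate with an API key has to live in the custom query or in `checkCredentials()`.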