Lexikjwtauthenticationbundle: JWT token not found

Created on 18 Feb 2020  路  5Comments  路  Source: lexik/LexikJWTAuthenticationBundle

I have a production environment (the version is the same than my development envirnoments). On my development environment, sending a GET request to a route behind the JWT firewall with the Authorization header like: Bearer <token> all works fine. On the production environment I GET 401 JWT Token not found errrors for the same routes.

Here is my LexikJWTAuthenticationBundle configuration:

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(resolve:JWT_PASSPHRASE)%'
    token_ttl: '%env(resolve:JWT_TOKEN_TTL)%'
    user_identity_field: username

    encoder:
        signature_algorithm: HS256

    token_extractors:
        authorization_header:
            enabled: true
            prefix: Bearer
            name: Authorization

Here is my security.yml:

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    encoders:
        App\Document\User:
            algorithm: auto
    providers:
        user_mongo:
            mongodb:
                class: App\Document\User
                property: email
    role_hierarchy:
        ROLE_RIDER: ROLE_USER
        ROLE_SELLER: ROLE_USER
        ROLE_ADMIN: ROLE_USER, ROLE_SELLER
        ROLE_SUPER_ADMIN: ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        api_login:
            pattern: ^/api/login
            stateless: true
            anonymous: true
            provider: user_mongo
            form_login:
                check_path: /api/login
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false

        api_refresh:
            pattern: ^/api/refreshtoken
            stateless: true
            anonymous: true

        api_doc:
            pattern: ^/api/doc
            anonymous: true
            provider: user_mongo

        api:
            pattern: ^/api
            stateless: true
            anonymous: ~
            provider: user_mongo
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

        main:
            anonymous: ~
            pattern: ^/
            form_login:
                login_path: login
                check_path: login
                csrf_token_generator: security.csrf.token_manager
                provider: user_mongo
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800
                path: /
            logout:
                invalidate_session: true
                path: /logout


    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/api/ping$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/register$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/refreshtoken$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/frontendconfiguration, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/doc, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, role: IS_AUTHENTICATED_FULLY }
        - { path: ^/api/admin, role: ROLE_ADMIN }
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, role: ROLE_ADMIN }

Most helpful comment

I figured out how to fix it, the Authorization header was filtered out by Apache. Just added SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to my vhost configuration did the job.

All 5 comments

Why form_login instead of json_login under api_login firewall ?

@fd6130 It was a mistake but I don't think it will solve my issue. Gonna check this now.

EDIT: This is not a mistake, it's juste to not send the credentials as JSON but as two form-data POST fields.

@fd6130 It was a mistake but I don't think it will solve my issue. Gonna check this now.

EDIT: This is not a mistake, it's juste to not send the credentials as JSON but as two form-data POST fields.

Have you tried clear cache? And also maybe prod.log have some clues about the issue?

@fd6130 When I access a route protected by the firewall. I switched to dev mode but the problem is still the same.
Here is the log:

[2020-02-19 15:02:09] request.INFO: Matched route "api_list_businesses". {"route":"api_list_businesses","route_parameters":{"_route":"api_list_businesses","_controller":"App\\Controller\\BusinessController::listAction"},"request_uri":"http://backend.fidzee.fr/api/businesses","method":"GET"} []
[2020-02-19 15:02:09] security.DEBUG: Checking for guard authentication credentials. {"firewall_key":"api","authenticators":1} []
[2020-02-19 15:02:09] security.DEBUG: Checking support on guard authenticator. {"firewall_key":"api","authenticator":"Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Guard\\JWTTokenAuthenticator"} []
[2020-02-19 15:02:09] security.DEBUG: Guard authenticator does not support the request. {"firewall_key":"api","authenticator":"Lexik\\Bundle\\JWTAuthenticationBundle\\Security\\Guard\\JWTTokenAuthenticator"} []
[2020-02-19 15:02:09] security.INFO: Populated the TokenStorage with an anonymous Token. [] []
[2020-02-19 15:02:09] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /var/www/fidzee/vendor/symfony/security-http/Firewall/AccessListener.php:99)"} []
[2020-02-19 15:02:09] security.DEBUG: Calling Authentication entry point. [] []

I figured out how to fix it, the Authorization header was filtered out by Apache. Just added SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 to my vhost configuration did the job.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Walkoss picture Walkoss  路  4Comments

AlexDupreWeb picture AlexDupreWeb  路  4Comments

astronati picture astronati  路  5Comments

hiromik picture hiromik  路  3Comments

mflasquin picture mflasquin  路  5Comments