Rebased to target Symfony 7.1

do we have any advice on the topic? Or any things we can anticipate that could be part of the same PR?

I checked how the built-in user providers could handle this, but I'm not sure if any of them can be changed as well.
How the user ID is stored or retrieved is highly dependent on the developer's implementation.
To me, the most important now seems to propagate this into the documentation.

What's the next step here? How do we make it easy to opt-in for the OWASP-recommended normalization?

What's the next step here? How do we make it easy to opt-in for the OWASP-recommended normalization?

Hello@nicolas-grekas,

This PR is now up to date, rebased against the 7.3 branch, and squashed. It’s ready for review.

The next step is to finalize the documentation. It should demonstrate how to inject a normalizer to ensure that different variations (e.g.,JOHN.DOE,john.doe,John.DOe) are treated as equivalent.

BR.

Can you give us a hint about how this can be used? : )

This feature will most likely be used by the firewall Authenticator service that creates the UserBadge, but it could also be used by theTokenHandler::getUserBadge when handling access tokens.

Below is a simple example of how to implement aNormalizedUserBadge.
In this example, it ensures that any variations in the username—such as uppercase, lowercase, or accented characters—are normalized to a consistent format.

namespaceApp\Security;useSymfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;useSymfony\Component\String\UnicodeString;usefunctionSymfony\Component\String\u;finalclass NormalizedUserBadgeextends UserBadge{publicfunction__construct(string$identifier)    {$callback =staticfn (string$identifier) =>u($identifier)->normalize(UnicodeString::NFKC)->ascii()->lower()->toString();parent::__construct($identifier, identifierNormalizer:$callback);    }}

From the Authenticator:

<?phpnamespaceApp\Security;finalclass PasswordAuthenticatorextends AbstractLoginFormAuthenticator{// Simplified for brievetypublicfunctionauthenticate(Request$request):Passport    {$username = (string)$request->request->get('username','');$password = (string)$request->request->get('password','');$request->getSession()            ->set(SecurityRequestAttributes::LAST_USERNAME,$username);returnnewPassport(newNormalizedUserBadge($username),newPasswordCredentials($password),            [//All other useful badges            ]        );    }

When a user attempts to log in with “John.Doe” or “JOhn.doe,” both will be treated as “john.doe.”
Keep in mind that any existing usernames in the database should also be normalized accordingly.

Another potential use case involves scenarios where users can log in with various forms of the same identifier:john.doe@acme.com,acme.com\jdoe,https://amce.com/+jdoe oracct:jdoe@acme.com.
By using this feature, you can unify all these variants into a single, standardized format (e.g., “domain\nickname”) without having to create custom queries on the repository side.
In this case, the callback could be as follows (not tested):

$callback =staticfunction (string$identifier) {$normalized =u($identifier)->normalize(UnicodeString::NFKC)->ascii()->lower()->toString();$username ='';$domain ='';match (true) {str_contains($normalized,'@') => [$localPart,$domain =explode('@',$normalized,2),$username =str_contains($localPart,'.')                        ?substr(explode('.',$localPart,2)[0],0,1) .explode('.',$localPart,2)[1]                        :$localPart,                ],str_contains($normalized,'\\') => [$domain,$username =explode('\\',$normalized,2)                ],str_contains($normalized,'://') => [$parts =parse_url($normalized),isset($parts['host'],$parts['path']) && [$domain =$parts['host'],$username =ltrim($parts['path'],'/')                    ]                ],default =>$username =$normalized            };$username =preg_replace('/[^a-z0-9]/','',$username);return$domain .'\\' .$username;        };

Thank you@Spomky.

As a next step, I'm wondering if we should somehow define some reusable normalizers that developers can use without reinventing the wheel (like the Google strategy mentioned above).