Description

Symfony provides native support for multiple user providers. This makes it easy to integrate any kind of login handlers, including SSO and existing 3rd party bundles (e.g. FR3DLdapBundle, HWIOauthBundle, FOSUserBundle, BeSimpleSsoAuthBundle, etc...).

However, to be able to use external user providers with eZ, a valid eZ user needs to be injected in into the repository. This is mainly for the kernel to be able to manage content-related permissions (but not limited to this).

Depending on your context, you will either want to create an eZ user on-the-fly, return an existing user, or even always use a generic user.

Solution

Whenever a an external user is matched (i.e. that does not come from eZ repository, like coming from LDAP), eZ kernel fires an MVCEvents::INTERACTIVE_LOGIN event. Every service listening to this event will receive a an eZ\Publish\Core\MVC\Symfony\Event\InteractiveLoginEvent object which contains the original security token (that holds the matched user) and the request.

It's then up to the listener to retrieve an eZ user from the repository and to assign it back to the event object. This user will be injected in into the repository and used for the rest of the request.

User exposed and security token

When a an external user is matched, a different token will be injected in into the security context, the InteractiveLoginToken. This token holds a UserWrapped instance which contains the originally matched user and the API user (the one from the eZ repository).

...

...