I noticed that when doing a request to get an access token via the password grant type, the PasswordGrant::validateUser() does not check if the user is a "valid" user.
Indeed, it tries to get a user with matching credentials, sure enough, but it does not check anything further where traditionally in a Symfony app you have some pre & post auth checks via the user checker.
Is this expected?
Running into the same issue. As actually using the token does still generate an error (because the OAuth2Authenticator implements the authentication framework of Symfony which will always run the pre- & post- checks) I do believe that this is a bug (because while you can generate the token, it will always result in an error when using it). Furthermore in my case it's not using the password grant type (but a custom grant based on JWT Bearer tokens) so I believe it should be more generic and not just for the password grant. And it would for example also be a bit weird when making actual requests (at some point) start to fail but a client would still be able to invoke the refresh grant and generate a new access token for a user which is invalid (and the newly generated token thus also being denied).
Implementing such validation might be done using the RequestAccessTokenEvent event, which contains the generated access token which in turn contains the user identifier (from which the user can be found by the UserProvider in Symfony). But the bundle already doing this validation would be better.
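One way to do the validation suggested above, as an added example that is not code from the bundle, from league/oauth2-server, or from anyone in this thread. It assumes league/oauth2-server 8.x (`RequestAccessTokenEvent`, `OAuthServerException`, `AccessTokenRepositoryInterface`) and Symfony Security 5.3 or later (`loadUserByIdentifier`, `UserNotFoundException`); the class name and namespace are hypothetical. The listener reads the user identifier from the issued access token, loads the user through the configured `UserProviderInterface`, runs the same `UserCheckerInterface` pre- and post-auth checks that the Symfony authenticator later runs, and refuses the token response if any of them fail:

```php
<?php
// Added example, not code from the bundle or from the issue author.
// Assumes league/oauth2-server 8.x and Symfony Security 5.3+.
declare(strict_types=1);

namespace App\OAuth2; // hypothetical namespace

use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use League\OAuth2\Server\RequestAccessTokenEvent;
use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

/**
 * Runs Symfony's user checker (checkPreAuth / checkPostAuth) against the user
 * an access token was just issued for. Hypothetical listener name.
 */
final class IssuedTokenUserCheckListener
{
    public function __construct(
        private UserProviderInterface $users,
        private UserCheckerInterface $checker,
        private AccessTokenRepositoryInterface $accessTokens,
    ) {
    }

    /**
     * Listener for RequestEvent::ACCESS_TOKEN_ISSUED ('access_token.issued').
     */
    public function __invoke(RequestAccessTokenEvent $event): void
    {
        $accessToken = $event->getAccessToken();
        $identifier = $accessToken->getUserIdentifier();

        // Tokens without a resource owner (client_credentials) have nothing to check.
        if ($identifier === null || $identifier === '') {
            return;
        }

        try {
            $user = $this->users->loadUserByIdentifier((string) $identifier);
            $this->checker->checkPreAuth($user);  // e.g. account disabled, locked, expired
            $this->checker->checkPostAuth($user); // e.g. credentials expired
        } catch (UserNotFoundException | AccountStatusException $e) {
            // issueAccessToken() has already persisted the token record by the
            // time this event fires, so revoke it before refusing the response;
            // otherwise a dangling, never-returned token stays in storage.
            $this->accessTokens->revokeAccessToken($accessToken->getIdentifier());

            // Generic hint on purpose: do not tell the client which check failed.
            throw OAuthServerException::invalidGrant('The user account is not valid');
        }
    }
}
```

How the listener is attached depends on the bundle and on the league/event version it pulls in; with league/event 2.x it is `$authorizationServer->getEmitter()->addListener(RequestEvent::ACCESS_TOKEN_ISSUED, $listener)`, and obtaining the `AuthorizationServer` service to do that is left as an assumption here. The `OAuthServerException` thrown from the listener propagates out of the grant's `respondToAccessTokenRequest()`, which in both the password and refresh-token grants happens after the access token is persisted but before any refresh token is issued, so the client receives an `invalid_grant` error and no new refresh token is stored; verify that ordering against the installed library version before relying on it.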