symfony · nicolas-grekas · Jul 21, 2025 · Jul 21, 2025
diff --git a/UPGRADE-8.0.md b/UPGRADE-8.0.md
@@ -408,7 +408,9 @@ Security
   +    return $data;
   +}
   ```
-
+ * Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
+ * Accept only `ExposeSecurityLevel` enums for `AuthenticatorManager`'s `$exposeSecurityErrors` argument
+ * Respectively accept only `AlgorithmManager` and `JWKSet` for `OidcTokenHandler`'s `$signatureAlgorithm` and `$signatureKeyset` arguments
  * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Remove `AbstractListener::__invoke`
  * Remove `LazyFirewallContext::__invoke()`

@@ -13,9 +13,7 @@
 
 use Jose\Component\Checker;
 use Jose\Component\Checker\ClaimCheckerManager;
-use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManager;
-use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
 use Jose\Component\Encryption\JWEDecrypter;
 use Jose\Component\Encryption\JWETokenSupport;
@@ -53,22 +51,14 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     private ?string $oidcJWKSetCacheKey = null;
 
     public function __construct(
-        private Algorithm|AlgorithmManager $signatureAlgorithm,
-        private JWK|JWKSet|null $signatureKeyset,
+        private AlgorithmManager $signatureAlgorithm,
+        private ?JWKSet $signatureKeyset,
         private string $audience,
         private array $issuers,
         private string $claim = 'sub',
         private ?LoggerInterface $logger = null,
         private ClockInterface $clock = new Clock(),
     ) {
-        if ($signatureAlgorithm instanceof Algorithm) {
-            trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
-            $this->signatureAlgorithm = new AlgorithmManager([$signatureAlgorithm]);
-        }
-        if ($signatureKeyset instanceof JWK) {
-            trigger_deprecation('symfony/security-http', '7.1', 'Second argument must be instance of %s, %s given.', JWKSet::class, JWK::class);
-            $this->signatureKeyset = new JWKSet([$signatureKeyset]);
-        }
     }
 
     public function enableJweSupport(JWKSet $decryptionKeyset, AlgorithmManager $decryptionAlgorithms, bool $enforceEncryption): void

@@ -47,8 +47,6 @@
  */
 class AuthenticatorManager implements AuthenticatorManagerInterface, UserAuthenticatorInterface
 {
-    private ExposeSecurityLevel $exposeSecurityErrors;
-
     /**
      * @param iterable<mixed, AuthenticatorInterface> $authenticators
      */
@@ -59,17 +57,9 @@ public function __construct(
         private string $firewallName,
         private ?LoggerInterface $logger = null,
         private bool $eraseCredentials = true,
-        ExposeSecurityLevel|bool $exposeSecurityErrors = ExposeSecurityLevel::None,
+        private ExposeSecurityLevel $exposeSecurityErrors = ExposeSecurityLevel::None,
         private array $requiredBadges = [],
     ) {
-        if (\is_bool($exposeSecurityErrors)) {
-            trigger_deprecation('symfony/security-http', '7.3', 'Passing a boolean as "exposeSecurityErrors" parameter is deprecated, use %s value instead.', ExposeSecurityLevel::class);
-
-            // The old parameter had an inverted meaning ($hideUserNotFoundExceptions), for that reason the current name does not reflect the behavior
-            $exposeSecurityErrors = $exposeSecurityErrors ? ExposeSecurityLevel::None : ExposeSecurityLevel::All;
-        }
-
-        $this->exposeSecurityErrors = $exposeSecurityErrors;
     }
 
     /**

@@ -55,8 +55,7 @@ public function __construct(
         ?\Closure $identifierNormalizer = null,
     ) {
         if ('' === $userIdentifier) {
-            trigger_deprecation('symfony/security-http', '7.2', 'Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.');
-            // throw new BadCredentialsException('Empty user identifier.');
+            throw new BadCredentialsException('Empty user identifier.');
         }
 
         if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {

@@ -6,6 +6,9 @@ CHANGELOG
 
  * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Remove `AbstractListener::__invoke`
+ * Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
+ * Accept only `ExposeSecurityLevel` enums for `AuthenticatorManager`'s `$exposeSecurityErrors` argument
+ * Respectively accept only `AlgorithmManager` and `JWKSet` for `OidcTokenHandler`'s `$signatureAlgorithm` and `$signatureKeyset` arguments
 
 7.4
 ---