
Symfony 6.1 infinite redirect loop on login

This is driving me crazy, it was working and I have no idea what changed, but now I am getting an infinite redirect loop (301) on my login page, logs show AccessDeniedException. Obviously I have checked many StackOverflow answers and other internet links but I can't see what's wrong with my setup:

security.yaml:

security:
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        app_user_provider:
            entity:
                class: App\Entity\Users
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        customer:
            pattern: ^/customer
            security: false

        main:
            pattern: ^/
            lazy: true
            provider: app_user_provider

            form_login:
                login_path: login
                check_path: login
                enable_csrf: true

            logout:
                path: logout
                target: /login
            
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/customer, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/sales, roles: [ROLE_SALES, ROLE_ADMIN] }
        - { path: ^/admin, role: ROLE_ADMIN }

logs:

[2022-10-26T11:29:20.918658+00:00] request.INFO: Matched route "login". {"route":"login","route_parameters":{"_route":"login","_controller":"App\\Controller\\SecurityController::login"},"request_uri":"https://***.com/login","method":"GET"} []
[2022-10-26T11:29:20.928261+00:00] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":1} []
[2022-10-26T11:29:20.928351+00:00] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2022-10-26T11:29:20.928405+00:00] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Symfony\\Component\\Security\\Http\\Authenticator\\FormLoginAuthenticator"} []
[2022-10-26T11:29:20.955819+00:00] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException(code: 403): Access Denied. at /vendor/symfony/security-http/Firewall/AccessListener.php:97)"} []

What's wrong with this?

Ben asked Nov 05 '25 02:11


1 Answer

Since IS_AUTHENTICATED_ANONYMOUSLY was deprecated in 5.3 and removed in 6.0, it is no longer recognized as an "unsecured access" role.

As a result, Symfony thinks you need to be logged in to access /login and redirects you to your default login page. This is what causes the redirect loop.

To fix this, use PUBLIC_ACCESS instead of IS_AUTHENTICATED_ANONYMOUSLY.

See https://symfony.com/doc/6.1/security.html#allowing-unsecured-access-i-e-anonymous-users

hugo schweitzer answered Nov 09 '25 17:11
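The first-match behaviour and the loop described in the answer can be checked offline with a small script. This is an added example, not code from the question, the answer, or Symfony; it is a simplified model that assumes only PUBLIC_ACCESS lets a visitor who is not logged in through, and the function names `firstMatchingRule` and `checkLoginPath` are hypothetical. The rule arrays are constructed from the question's `access_control` block, with `/login` taken from the logged request URI.

```php
<?php
// Added example: simplified model of access_control matching, not Symfony's code.
// Assumption: for a visitor who is not logged in, only PUBLIC_ACCESS grants access.
const REMOVED_ATTRIBUTES = ['IS_AUTHENTICATED_ANONYMOUSLY']; // removed in 6.0

/** Return the first rule whose path regex matches; later rules are ignored. */
function firstMatchingRule(array $rules, string $path): ?array
{
    foreach ($rules as $rule) {
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule;
        }
    }
    return null; // no rule matched: access_control does not restrict the path
}

/** List problems that keep an anonymous visitor away from the login page. */
function checkLoginPath(array $rules, string $loginPath): array
{
    $findings = [];
    foreach ($rules as $rule) {
        foreach (array_intersect($rule['roles'], REMOVED_ATTRIBUTES) as $attr) {
            $findings[] = "rule {$rule['path']} uses removed attribute $attr";
        }
    }
    $rule = firstMatchingRule($rules, $loginPath);
    if ($rule !== null && !in_array('PUBLIC_ACCESS', $rule['roles'], true)) {
        $findings[] = "$loginPath requires authentication: redirect loop";
    }
    return $findings;
}

// Rules constructed from the question's security.yaml (role/roles as a list).
$before = [
    ['path' => '^/login$',   'roles' => ['IS_AUTHENTICATED_ANONYMOUSLY']],
    ['path' => '^/customer', 'roles' => ['IS_AUTHENTICATED_ANONYMOUSLY']],
    ['path' => '^/sales',    'roles' => ['ROLE_SALES', 'ROLE_ADMIN']],
    ['path' => '^/admin',    'roles' => ['ROLE_ADMIN']],
];
// Same rules with the replacement the answer recommends.
$after = $before;
$after[0]['roles'] = ['PUBLIC_ACCESS'];
$after[1]['roles'] = ['PUBLIC_ACCESS'];

foreach (['before' => $before, 'after' => $after] as $label => $rules) {
    $findings = checkLoginPath($rules, '/login');
    echo $label, ': ', $findings ? implode('; ', $findings) : 'login page reachable', PHP_EOL;
}
```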
