401 - Invalid Credentials #346

Closed
PaxBryan opened this issue Nov 22, 2022 · 1 comment
Comments

@PaxBryan

I have implemented this bundle but I'm getting a 401 - invalid credential error when I submit the refresh token.
I log in and get a token as well as a refresh token at the same time.
Directly after that I'm trying to POST with the refresh token to www.mywebsite.com/api/token/refresh.

Here is my security.yaml file:

```yaml
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
        App\Entity\User:
            algorithm: auto

    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/api/login
            stateless: true
            json_login:
                check_path: /api/login
                username_path: username
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/api
            stateless: true
            entry_point: jwt
            jwt: ~
            refresh_jwt:
                check_path: /api/token/refresh
            logout:
                path: api_token_invalidate
        main:
            lazy: true
            provider: app_user_provider

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/api/docs, roles: IS_AUTHENTICATED_ANONYMOUSLY } # Allows accessing the Swagger UI
        #- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/users, roles: IS_AUTHENTICATED_FULLY }
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }
        - { path: ^/api/login, roles: PUBLIC_ACCESS }
        #- { path: ^/api,       roles: IS_AUTHENTICATED_FULLY } @TODO uncomment when deploying to production
        - { path: ^/api/(login|token/refresh), roles: PUBLIC_ACCESS }

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
```

Does anybody have an idea why I'm getting that response?

By the way the route to invalidate works perfectly.

@PaxBryan
Author

I found the solution. Since my provider entity property is username and not email, I had to change the getUserIdentifier function in User.
Hope this might help!
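
Added example, not part of the original thread and not Symfony or bundle code: a plain-PHP model of the mismatch described in the resolution above. It assumes the value of `getUserIdentifier()` is recorded with the refresh token at login and that the user is reloaded from it through the provider configured with `property: username`; `UsernameProvider`, `refreshStatus`, `identifierField` and the sample user are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed model: the identifier recorded at login must be the same
// field the user provider searches on, or the refresh lookup finds nobody.

final class User
{
    public function __construct(
        public string $username,
        public string $email,
        private string $identifierField, // hypothetical switch for this demo
    ) {}

    // Mirrors Symfony's UserInterface::getUserIdentifier() contract.
    public function getUserIdentifier(): string
    {
        return $this->{$this->identifierField};
    }
}

// Stand-in for an entity provider configured with `property: username`.
final class UsernameProvider
{
    /** @param User[] $users */
    public function __construct(private array $users) {}

    public function loadUserByIdentifier(string $identifier): ?User
    {
        foreach ($this->users as $user) {
            if ($user->username === $identifier) {
                return $user;
            }
        }
        return null; // no match: modelled below as a 401
    }
}

// Assumed flow: login stores getUserIdentifier(), refresh reloads the user from it.
function refreshStatus(User $user): int
{
    $provider = new UsernameProvider([$user]);
    $storedIdentifier = $user->getUserIdentifier(); // saved alongside the refresh token
    return $provider->loadUserByIdentifier($storedIdentifier) !== null ? 200 : 401;
}

$before = new User('alice', 'alice@example.test', 'email');    // constructed sample user
$after  = new User('alice', 'alice@example.test', 'username');

printf("getUserIdentifier() returns email:    %d\n", refreshStatus($before));
printf("getUserIdentifier() returns username: %d\n", refreshStatus($after));
```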
