[Security] Adding providerKey to AnonymousToken

[carlalexander]

I apologize if this is covered elsewhere. I couldn't find any mention in articles, docs or issues. Is there a specific reason why AnonymousToken doesn't get the providerKey while all other AbstractToken subclasses do?

I am trying, programatically, to determine which firewall emitted an AnonymousToken and saw that it was not stored in the token.

I can create a PR to add it. I just wasn't sure if there was a security issue related to it so figured I'd ask first.

[jakzal]

Probably related to #10651

[carlalexander]

I saw the issue, but I wasn't sure if they were related. AnonymousAuthenticationProvider doesn't check to validate the providerKey. Just the key used by the firewall configuration.

[jakzal]

@carlalexander right. Worth to have them linked anyway.

[curry684]

@wouterj this request makes sense, can it be integrated into your work at #30765?

[wouterj]

Given that there has not been much activity on this issue and AnonymousToken will be removed in Symfony 6, I think it's safe to close this one.