[Security] UserBadge->userLoader always overwritten by AccessTokenAuthenticator->userProvider when later is set regardless of former

[kaznovac]

Symfony version(s) affected

6.3.3

Description

This is not conforming behavior to the documentation on the UserBadge.

How to reproduce

Implement AccessTokenHandler returning the UserBadge with custom userLoader

<?php

namespace App\Security;

use App\Services\UserService;
use SensitiveParameter;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

final class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(
        private UserService $userService,
    ) {
    }

    public function getUserBadgeFrom(
        #[SensitiveParameter]
        string $accessToken,
    ): UserBadge {
        $user = $this->userService->getUserByAccessToken($accessToken);

        return new UserBadge(
            userIdentifier: $user->getUserIdentifier(),
            userLoader: fn() => $user,
        );
    }
}

Possible Solution

No response

Additional Context

No response

[guillaumesmo]

Duplicate of #50511

[stof]

Closing this thanks to #51104