Support AccountStatusException by OAuth2 authenticator

Authenticator/AbstractOAuth2Authenticator.php

@@ -21,6 +21,7 @@
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
@@ -61,6 +62,13 @@ public function start(Request $request, AuthenticationException $authException =
             return new Response('Authentication required.', Response::HTTP_UNAUTHORIZED);
         }
 
+        $exception = $this->session->get(Security::AUTHENTICATION_ERROR);
+        $this->session->remove(Security::AUTHENTICATION_ERROR);
+
+        if ($exception !== null) {
+            return new Response($exception->getMessage(), Response::HTTP_UNAUTHORIZED);
+        }
+
         $firewall = $this->firewalls->getFirewallConfig($request)->getName();
         $statevar = $firewall . '@' . static::class;
 
@@ -142,6 +150,8 @@ public function checkCredentials($credentials, UserInterface $user)
      */
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
     {
+        $this->session->remove(Security::AUTHENTICATION_ERROR);
+
         // An URL the user was trying to reach before authentication.
         $targetPath = sprintf('_security.%s.target_path', $providerKey);
         $targetUrl  = $this->session->get($targetPath, '/');
@@ -157,7 +167,9 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
      */
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
     {
-        return new Response('Authentication required.', Response::HTTP_UNAUTHORIZED);
+        $this->session->set(Security::AUTHENTICATION_ERROR, $exception);
+
+        return null;
     }
 
     /**

Tests/Authenticator/AbstractOAuth2AuthenticatorTest.php

@@ -24,6 +24,7 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
 class AbstractOAuth2AuthenticatorTest extends \PHPUnit_Framework_TestCase
@@ -117,6 +118,30 @@ public function testStartAjax()
         self::assertEquals('Authentication required.', $response->getContent());
     }
 
+    public function testStartWithException()
+    {
+        $exception = new AuthenticationException('Account is disabled.');
+
+        $session = $this->createMock(SessionInterface::class);
+        $session
+            ->method('get')
+            ->willReturnMap([
+                [Security::AUTHENTICATION_ERROR, null, $exception],
+            ]);
+
+        $reflection = new \ReflectionProperty(DummyOAuth2Authenticator::class, 'session');
+        $reflection->setAccessible(true);
+        $reflection->setValue($this->authenticator, $session);
+
+        $request = new Request();
+
+        $response = $this->authenticator->start($request);
+
+        self::assertInstanceOf(Response::class, $response);
+        self::assertEquals(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
+        self::assertEquals('Account is disabled.', $response->getContent());
+    }
+
     public function testGetCredentialsSuccess()
     {
         $expected = [
@@ -241,9 +266,7 @@ public function testOnAuthenticationFailure()
 
         $response = $this->authenticator->onAuthenticationFailure($request, $exception);
 
-        self::assertInstanceOf(Response::class, $response);
-        self::assertEquals(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
-        self::assertEquals('Authentication required.', $response->getContent());
+        self::assertNull($response);
     }
 
     public function testSupportsRememberMe()