The security system offers an interesting feature: when a request is authenticated from a token stored in session, the user instance is refreshed and compared to check if it has changed to prevent authentication with stale user data. The problem is how this comparison is made when the user object does not implements EquatableInterface.

In Symfony 3.4, current code compares the output of getUsername, getPassword and getSalt. If the user class implements AdvancedUserInterface, it compares the output of isAccountNonExpired, isAccountNonLocked, isAccountNonLocked and isEnabled too.

In Symfony 4.4 a new feature was added to check if the user roles have changed (#31177), but the implementation has a bug (#35941) that compares the refreshed user roles with token roles instead of comparing them with the stored user instance. This introduced a BC break fixed in #35944 and reverted in #37008. Now we have Symfony 4.4 with a known (and undocumented) BC break that unintentionally prevents to add to the token object any role not present in user object.

Usually, symfony apps use custom UserInterface implementations, so comparing two concrete object instances could be a tricky bussiness. To prevent this my proposition is:

Deprecate UserInterface implementations not implementing EquatableInterface too in Symfony 5.2, and make UserInterface to extend EquatableInterface in Symfony 6 discarding the code that compares UserInterface instances that do not implement EquatableInterface.

But this will not solve the problem with the BC break introduced in Symfony 4.4, so I propose to deprecate this in Symfony 3.4 too, but maybe with a different message pointing to the known BC break unintentionally introduced in Symfony 4.4.

Although Symfony 4.3 is only supported for security fixes, I think this deprecation should be included too to prevent problems when upgrading to Symfony 4.4.

Finally, if this is deprecated in Symfony 3.4 and Symfony 5.2, should this deprecation affects to Symfony 4.4, 5.0 and 5.1 too?