RemoteUserAuthenticator triggers Symfony 8 deprecation notice

### Symfony version(s) affected

6.4

### Description

Shibboleth [may include](https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335257/AttributeAccess#REMOTE_USER) an empty username in the `REMOTE_USER` `$_SERVER` parameter, which triggers the following deprecation notice:

`User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.` ([source](https://github.com/symfony/symfony/blob/05d5bb3b6a887c55b65d1247472d23e5dcbaa4f3/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php#L56))

### How to reproduce

Configure a Symfony project using a [remote_user](https://symfony.com/doc/current/reference/configuration/security.html#remote-user-authentication) authenticator. Configure the web server to set the `REMOTE_USER` `$_SERVER` parameter to an empty string. Try to authenticate. Log will show deprecation notice.

### Possible Solution

Update the `RemoteUserAuthenticator` to [return null when an empty string is detected](https://github.com/symfony/symfony/blob/05d5bb3b6a887c55b65d1247472d23e5dcbaa4f3/src/Symfony/Component/Security/Http/Authenticator/RemoteUserAuthenticator.php#L47) in the `REMOTE_USER` `$_SERVER` parameter.

### Additional Context

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

RemoteUserAuthenticator triggers Symfony 8 deprecation notice #59584

Symfony version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

RemoteUserAuthenticator triggers Symfony 8 deprecation notice #59584

Description

Symfony version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions