Authentication with the same context through two different authentication types #8614

Closed
christian-kolb opened this issue Jul 31, 2013 · 10 comments

@christian-kolb

I want to authenticate two firewalls through the same context, but that does not seem to work when one uses different authentication types like one with http_basic and one with form login.

As an example, see this post on Stack Overflow:
http://stackoverflow.com/questions/11801622/how-to-authenticate-on-2-different-symfony2-firewalls-at-the-same-time

Cheers
Christian

@stof
Member

stof commented Jul 31, 2013

As your api firewall is stateless, it will not use the session to get an authenticated user, so it won't be able to find the user authenticated through the form previously. The issue is not http basic and form logic. It is stateless and form login.

@christian-kolb
Author

Is there a way to achieve the desired behaviour with Symfony?

@stof
Member

stof commented Jul 31, 2013

Well, if you want to be able to access the API with your authentication cookie set by the form login, you cannot make it stateless.
The context is about reusing the same session user, so it makes no sense for stateless auth.

@christian-kolb
Author

I use the API for two purposes:

  1. For an app
  2. For the web application

The http authentication is for the app. On the web application I have the form login. Can I reuse the session I have there for the API? Meaning provide multiple options for authentication for one firewall?

That's my current configuration as example:

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                check_path: /login_check
                login_path: /login
                default_target_path: /counter
            logout:
                path:   /logout
            anonymous: true
            context: app
        api:
            pattern: ^/api/
            http_basic:
                realm: "API"
                provider: fos_userbundle
            context: app

@christian-kolb
Author

Ok, I know where the problem lies now.

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                check_path: /login_check
                login_path: /login
                default_target_path: /counter
            logout:
                path:   /logout
            anonymous: true
        api:
            pattern: ^/api/
            http_basic:
                realm: "API"
                provider: fos_userbundle

This way everything works on the web application and I don't get the popup because each call to the API (/api/*) will be handled by the "main" firewall which is already logged in. Unfortunately the smartphone app that calls the API does not work anymore, because each call there is also handled by the "main" firewall.

The other option would be to turn them around like the following:

    firewalls:
        api:
            pattern: ^/api/
            http_basic:
                realm: "API"
                provider: fos_userbundle
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                check_path: /login_check
                login_path: /login
                default_target_path: /counter
            logout:
                path:   /logout
            anonymous: true

Now the smartphone app works again, but then I get an HTTP login popup from the browser for the API calls, which is a no-go (even when it appears just once and is saved afterwards).

The only workaround I could come up with is to use the last configuration and duplicate all routes to the API, making one accessible with the prefix "/api/" (for the smartphone app) and one with a prefix like, for example, "/webapi/" (for the web app).

"/webapp/" will also be handled by the "main" firewall, therefore I won't get the HTTP login popup and the smartphone app will still work.

Of course that means that it's not a real RESTful API any more, because each resource is accessible through multiple URLs and I need to add and change a route for each new call there.

Is there any way to work around this workaround? Would it be a good idea to implement one in a future symfony version to solve this kind of problem?

@jakzal
Contributor

jakzal commented Dec 22, 2013

Slightly related to #8606.

@christian-kolb your case could be solved by implementing a listener which would authenticate a user in one firewall if he's authenticated in the other one.
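
An added example, not part of the thread and not Symfony's own code: instead of the listener suggested above, it uses the firewall `request_matcher` option so that only `/api/` requests carrying HTTP Basic credentials reach the `api` firewall, while cookie-only browser calls fall through to `main`. The namespace, class name and service id `app.api_basic_matcher` are assumptions; the return type requires PHP 7 or later.

```php
<?php
// Added example. Assumed names: AppBundle namespace, ApiBasicAuthMatcher
// class, service id app.api_basic_matcher (register the class under it).
//
// security.yml sketch; firewall order still matters, the first match wins:
//
//     firewalls:
//         api:
//             request_matcher: app.api_basic_matcher   # replaces "pattern"
//             http_basic:
//                 realm: "API"
//                 provider: fos_userbundle
//         main:
//             pattern: ^/
//             # form_login / logout / anonymous as in the thread's config
//
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;

class ApiBasicAuthMatcher implements RequestMatcherInterface
{
    public function matches(Request $request): bool
    {
        // Only /api/ URLs are candidates for the "api" firewall.
        if (0 !== strpos($request->getPathInfo(), '/api/')) {
            return false;
        }

        // Symfony exposes parsed Basic credentials as the PHP_AUTH_USER
        // header. Requests without them (the browser's cookie-only calls)
        // are left to "main", which reuses the form-login session.
        // Consequence: the smartphone app must send its credentials
        // pre-emptively, because a request without them is answered by
        // "main" (login redirect), not by a 401 Basic challenge.
        return $request->headers->has('PHP_AUTH_USER');
    }
}
```

With this split, browser calls to `/api/` are authenticated by the session cookie, so state-changing API routes need the same CSRF protection as the rest of the web application.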

@gggeek

gggeek commented Mar 16, 2014

+1 for making this possible/easier out of the box

@sunra

sunra commented Jul 25, 2016

+1 for making this possible/easier out of the box

@tayhimself

+1 for making this possible/easier out of the box
I want a user that is authenticated to have access to another firewall without having to create new routes.

I am using multiple guard authenticators, and tried to log in the user automatically like this.

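    use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
    use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;

    // Inside a controller action: build a token for the "main" firewall and store it.
    $token = new UsernamePasswordToken($user, $user->getPassword(), "main", $user->getRoles());
    $this->get("security.token_storage")->setToken($token);
    $event = new InteractiveLoginEvent($request, $token);
    $this->get("event_dispatcher")->dispatch("security.interactive_login", $event);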

I can't use the same entry point for both authenticators as suggested [in the docs](http://symfony.com/doc/3.4/security/multiple_guard_authenticators.html).

@curry684
Contributor

curry684 commented Apr 6, 2019

@weaverryan I think you should take a look at the comment above as I think the docs are right here.
