Hi,
I have two applications, both written with Symfony 7.1
"core" - provides the API via API Platform v4, manages the database entities etc, but only used in the background (no web facing frontend)
"dashboard" - a web based front end that users log into
I've done it this way to be able to scale and distribute instances of "core", as it is accessed by a number of other applications.
I've installed the LexikJWTAuthenticationBundle in both projects - it works fine in the core application when using an API testing tool.
I'm now trying to allow users to login via dashboard. I've built a login form that takes a username and password, then sends an API request to https://core/api/login_check and gets back a JWT.
My problem is how I then use this on the dashboard app to create a user that Symfony can use for access checking etc (I note that I can control the API access already, but have need to hide and show bits of UI based on the user role).
So far, I have the following in my dashboard app:

```yaml
# /config/packages/security.yaml
security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        jwt:
            lexik_jwt: ~
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            jwt: ~
            provider: jwt
            stateless: true
    access_control:
        - { path: ^/security/login, roles: PUBLIC_ACCESS }
        - { path: ^/security/logout, roles: PUBLIC_ACCESS }
        - { path: ^/security/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: IS_AUTHENTICATED_REMEMBERED }
    role_hierarchy:
        ROLE_ADMIN: ROLE_CUSTOMER_ADMIN
        ROLE_CUSTOMER_ADMIN: ROLE_CUSTOMER_USER

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon
```
When I retrieve the JWT via the API request, I store this into a cookie. This bundle then sees the cookie and uses the extractor to convert it into a Symfony user with the relevant Passport etc. For clarity, there is no user entity in the dashboard app - the user is an instance of JWTUser.
My question is, can I avoid the cookie step and the cookie extractor and somehow call the JWT authentication service directly, feeding it my JWT that I've retrieved? The cookie system works, but feels like it's adding a step that isn't necessary. I also explored making the firewall stateful and then removing the cookie after it's been picked up by the bundle.
Is there a better way?
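As an added illustration (not the question author's code, and not part of the LexikJWTAuthenticationBundle itself), this is how the cookie step described in the question can be written on the dashboard side so that, with a `stateless: true` firewall, the cookie carrying the JWT is at least HttpOnly, Secure and SameSite. The controller class, the `dashboard_home` route, the `CORE_API_URL` environment variable and the `BEARER` cookie name are assumptions; the cookie name must match the `token_extractors.cookie.name` setting in the dashboard's `lexik_jwt_authentication.yaml`.

```php
<?php
// Added example, not the question author's code. Assumes symfony/http-client is
// installed, CORE_API_URL points at the core app (hypothetical env var), and the
// dashboard's lexik_jwt_authentication.yaml enables the cookie extractor:
//   lexik_jwt_authentication:
//       token_extractors:
//           authorization_header: { enabled: false }
//           cookie: { enabled: true, name: BEARER }
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Contracts\HttpClient\HttpClientInterface;

final class LoginController extends AbstractController
{
    private const COOKIE_NAME = 'BEARER'; // must equal token_extractors.cookie.name

    #[Route('/security/login', name: 'security_login', methods: ['POST'])]
    public function login(
        Request $request,
        HttpClientInterface $client,
        #[Autowire('%env(CORE_API_URL)%')] string $coreApiUrl,
    ): Response {
        // Forward the form credentials to core's Lexik login_check endpoint.
        $response = $client->request('POST', $coreApiUrl.'/api/login_check', [
            'json' => [
                'username' => $request->request->getString('username'),
                'password' => $request->request->getString('password'),
            ],
        ]);
        if (401 === $response->getStatusCode()) {
            $this->addFlash('error', 'Invalid credentials.');
            return $this->redirectToRoute('security_login');
        }
        $jwt = $response->toArray()['token']; // throws on other non-2xx statuses

        // With stateless: true this cookie is the only thing that carries the login
        // between requests. HttpOnly keeps page scripts from reading the JWT, Secure
        // keeps it off plain HTTP, SameSite=Lax limits cross-site request forgery.
        $cookie = Cookie::create(self::COOKIE_NAME, $jwt)
            ->withHttpOnly(true)
            ->withSecure(true)
            ->withSameSite(Cookie::SAMESITE_LAX);

        $redirect = $this->redirectToRoute('dashboard_home');
        $redirect->headers->setCookie($cookie);
        return $redirect;
    }
}
```

Because the JWT is not verified by the dashboard until the next request, the dashboard also needs core's public key configured in its own `lexik_jwt_authentication.yaml` so the extracted token's signature and expiry are checked before a `JWTUser` is built from it.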