Since getCredentials() is called on every request, if you return early (because the path isn't login_check) like your example shows, does that mean it will always redirect to getLoginUrl() when in a secured section of a site?

How does it handle being authenticated already?

In the API Token tutorial, you register the service and authenticator before you actually implement the service. This seems a little backwards considering the authenticator isn't in a usable state yet. If you look at any of the Symfony tutorials, that part always comes last, because it's the last logical step.

The first time around, this did confuse me a little, wondering why checkCredentials() was empty.

Might it be a good idea to put a note (near the 'doing nothing' - or maybe in the code comments) to clarify that it has effectively already checked the credentials are good when it searched for the user by token, in getUser() ?

It seems odd to me to not have the mentioning of installing Guard before the creation of the login form. Especially since the previous chapter is the installation. I would simply link it at the top and say something like "Make sure you've followed the previous chapter and installed KnpGuard".

Per my comment in #4, it would be awesome if there was a tutorial on how the flow works for Guard.

The comment:

I may be a bit confused because there isn't anything in the tutorial which truly describes the entire path of authentication when using Guard. It would be really helpful to have the first part of the tutorial describe the authenticator class itself, and how it progresses. From both an unauthenticated call to an authenticated area, to an authenticated call to an authenticated area, so that you can understand how it flows from one method to the next.