Instead of returning the last token provided return the first.

In case of multiple supporting providers the authentication will be attempted several times.

This happens with the current FacebookBundle for example but could happen with others too. The result was that the first provided token held all appropriate roles while a second one did not.

src/Symfony/Component/Security/Core/Authentication/AuthenticationProviderManager.php

@@ -59,6 +59,7 @@ class AuthenticationProviderManager implements AuthenticationManagerInterface
 
             try {
                 $result = $provider->authenticate($token);
+                break;
             } catch (AccountStatusException $e) {
                 $e->setExtraInformation($token);