Ryan Weaver, Symfony core team member and SymfonyCasts founder, needs our help

New in Symfony 6.3: OpenID Connect Token Handler

April 25, 2023 · Published by Avatar of Javier Eguiluz Javier Eguiluz

Symfony 6.3 is backed by:

Les-Tilleuls.coop is a team of 70+ Symfony experts who can help you design, develop and fix your projects. We provide a wide range of professional services including development, consulting, coaching, training and audits. We also are highly skilled in JS, Go and DevOps. We are a worker cooperative!
As a professional software service provider, basecom implements customized solutions in the areas of e-commerce, PIM solutions and web portals. With our experience and certified expertise, we have been one of the most renowned Symfony specialists in Germany for many years.
As the creator of Symfony, SensioLabs supports companies using Symfony, with an offering encompassing consultancy, expertise, services, training, and technical assistance to ensure the success of web application development projects.
Shopware offers you cutting-edge, highly adaptable ecommerce solutions trusted by the world's most acclaimed brands. Create outstanding customer experiences, innovate fast, and accelerate your growth in the ever-evolving space of digital commerce. You decide how far you want to go, and we'll be by your side.

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Vincent Chalamon

Contributed by
Vincent Chalamon
in #48272.

In Symfony 6.2 we introduced an access token authenticator which can fetch access tokens from the request headers, body or query string to retrieve the associated user identifier.

In Symfony 6.3 we're introducing an implementation of that authenticator mechanism to interact with OpenID Connect servers. OpenID Connect (OIDC) is the third generation of OpenID technology and it's a RESTful HTTP API that uses JSON as its data format.

OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization framework. It allows to verify the identity of an end user based on the authentication performed by an authorization server.

First, we've introduced an OidcUserInfoTokenHandler to call your OIDC server and retrieve the user info. You only need to configure the following and Symfony will create an HTTP client for you to handle the HTTP requests needed for this authentication (config is shown in YAML, but XML and PHP also work):

1
2
3
4
5
6
7
# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc_user_info: https://www.example.com/realms/demo/protocol/openid-connect/userinfo

This token handler creates an OidcUser object with all the user claims, but you can define a custom user provider to create your own User object from the given claims.

In addition to the previous token handler, we've added a generic OidcTokenHandler to decode your token, validate it and retrieve the user info from it. This is again a matter of adding a few lines of config (in YAML, XML or PHP):

1
2
3
4
5
6
7
8
9
10
11
# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        # Algorithm used to sign the JWS
                        algorithm: 'ES256'
                        # A JSON-encoded JWK
                        key: '{"kty":"...","k":"..."}'

That's all. In Symfony 6.3 you can add OpenID Connect compatibility to your applications with just a few lines of security configuration. Read the pending Pull Request with the docs of this feature to learn more about it.

Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.