In Symfony 6.2 we introduced an access token authenticator which can fetch access tokens from the request headers, body or query string to retrieve the associated user identifier.
In Symfony 6.3 we're introducing an implementation of that authenticator mechanism to interact with OpenID Connect servers. OpenID Connect (OIDC) is the third generation of OpenID technology and it's a RESTful HTTP API that uses JSON as its data format.
OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization framework. It allows a client application to verify the identity of an end user based on the authentication performed by an authorization server.
First, we've introduced an OidcUserInfoTokenHandler to call your OIDC server and retrieve the user info. You only need to configure the following and Symfony will create an HTTP client for you to handle the HTTP requests needed for this authentication (config is shown in YAML, but XML and PHP also work):
```yaml
# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc_user_info: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
```
This token handler creates an OidcUser object with all the user claims, but you can define a custom user provider to create your own User object from the given claims.
In addition to the previous token handler, we've added a generic OidcTokenHandler to decode your token, validate it and retrieve the user info from it. This is again a matter of adding a few lines of config (in YAML, XML or PHP):
```yaml
# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        # Algorithm used to sign the JWS
                        algorithm: 'ES256'
                        # A JSON-encoded JWK
                        key: '{"kty":"...","k":"..."}'
```
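As an added illustration (not Symfony's code), here are the checks a token handler such as OidcTokenHandler has to perform before trusting a token's claims: decode the JWS, pin the algorithm to the configured one, verify the signature with the configured JWK, check expiry, then read the user identifier from the `sub` claim. It uses HS256 with a constructed `oct` JWK because the Python standard library has no ECDSA; the config above uses ES256, where only the signature primitive differs.

```python
"""Added example of the validation an OIDC JWS token handler must do.
Not Symfony's code. HS256 stands in for ES256 (no ECDSA in the stdlib)."""
import base64
import hashlib
import hmac
import json
import time

CONFIGURED_ALGORITHM = "HS256"  # plays the role of the 'algorithm' setting
# Constructed symmetric 'oct' JWK playing the role of the 'key' setting.
CONFIGURED_JWK = '{"kty":"oct","k":"c2VjcmV0LWtleS1mb3ItZGVtby1vbmx5"}'


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(claims: dict, jwk: str) -> str:
    """Mint a test token; in real life the OIDC server does this, not the handler."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    key = b64url_decode(json.loads(jwk)["k"])
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def user_identifier_from_token(token: str, algorithm: str, jwk: str, now: float = 0.0) -> str:
    """Decode and validate the JWS, then return its 'sub' claim; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the configured value: the token never gets to choose it,
    # so an 'alg: none' or differently signed token is rejected before any key is used.
    if header.get("alg") != algorithm:
        raise ValueError("unexpected alg")
    key = b64url_decode(json.loads(jwk)["k"])
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject claim")
    return claims["sub"]  # the user identifier handed to the user provider
```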
That's all. In Symfony 6.3 you can add OpenID Connect compatibility to your applications with just a few lines of security configuration. Read the pending Pull Request with the docs of this feature to learn more about it.