@@ -411,6 +411,72 @@ and retrieve the user info:
411411 ;
412412 };
413413
414+ To enable the `OpenID Connect Discovery `_, the ``OidcUserInfoTokenHandler ``
415+ requires the ``symfony/cache `` package to store the OIDC configuration in
416+ cache. If you haven't installed it yet, run this command:
417+
418+ .. code-block :: terminal
419+
420+ $ composer require symfony/cache
421+
422+ Then, configure the ``base_uri `` and ``discovery `` keys:
423+
424+ .. configuration-block ::
425+
426+ .. code-block :: yaml
427+
428+ # config/packages/security.yaml
429+ security :
430+ firewalls :
431+ main :
432+ access_token :
433+ token_handler :
434+ oidc_user_info :
435+ base_uri : https://www.example.com/realms/demo/
436+ discovery :
437+ cache : cache.app
438+
439+ .. code-block :: xml
440+
441+ <!-- config/packages/security.xml -->
442+ <?xml version =" 1.0" encoding =" UTF-8" ?>
443+ <srv : container xmlns =" http://symfony.com/schema/dic/security"
444+ xmlns : srv =" http://symfony.com/schema/dic/services"
445+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
446+ xsi : schemaLocation =" http://symfony.com/schema/dic/services
447+ https://symfony.com/schema/dic/services/services-1.0.xsd
448+ http://symfony.com/schema/dic/security
449+ https://symfony.com/schema/dic/security/security-1.0.xsd" >
450+
451+ <config >
452+ <firewall name =" main" >
453+ <access-token >
454+ <token-handler >
455+ <oidc-user-info base-uri =" https://www.example.com/realms/demo/" >
456+ <discovery cache =" cache.app" />
457+ </oidc-user-info >
458+ </token-handler >
459+ </access-token >
460+ </firewall >
461+ </config >
462+ </srv : container >
463+
464+ .. code-block :: php
465+
466+ // config/packages/security.php
467+ use Symfony\Config\SecurityConfig;
468+
469+ return static function (SecurityConfig $security) {
470+ $security->firewall('main')
471+ ->accessToken()
472+ ->tokenHandler()
473+ ->oidcUserInfo()
474+ ->baseUri('https://www.example.com/realms/demo/')
475+ ->discovery()
476+ ->cache('cache.app')
477+ ;
478+ };
479+
414480 Following the `OpenID Connect Specification `_, the ``sub `` claim is used as user
415481identifier by default. To use another claim, specify it on the configuration:
416482
@@ -625,6 +691,84 @@ it and retrieve the user info from it:
625691 The support of multiple algorithms to sign the JWS was introduced in Symfony 7.1.
626692 In previous versions, only the ``ES256 `` algorithm was supported.
627693
694+ To enable the `OpenID Connect Discovery `_, the ``OidcTokenHandler ``
695+ requires the ``symfony/cache `` package to store the OIDC configuration in
696+ cache. If you haven't installed it yet, run this command:
697+
698+ .. code-block :: terminal
699+
700+ $ composer require symfony/cache
701+
702+ Then, you can remove the ``keyset `` configuration key (it will be imported from
703+ the OpenID Connect Discovery), and configure the ``discovery `` key:
704+
705+ .. configuration-block ::
706+
707+ .. code-block :: yaml
708+
709+ # config/packages/security.yaml
710+ security :
711+ firewalls :
712+ main :
713+ access_token :
714+ token_handler :
715+ oidc :
716+ claim : email
717+ algorithms : ['ES256', 'RS256']
718+ audience : ' api-example'
719+ issuers : ['https://oidc.example.com']
720+ discovery :
721+ base_uri : https://www.example.com/realms/demo/
722+ cache : cache.app
723+
724+ .. code-block :: xml
725+
726+ <!-- config/packages/security.xml -->
727+ <?xml version =" 1.0" encoding =" UTF-8" ?>
728+ <srv : container xmlns =" http://symfony.com/schema/dic/security"
729+ xmlns : srv =" http://symfony.com/schema/dic/services"
730+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
731+ xsi : schemaLocation =" http://symfony.com/schema/dic/services
732+ https://symfony.com/schema/dic/services/services-1.0.xsd
733+ http://symfony.com/schema/dic/security
734+ https://symfony.com/schema/dic/security/security-1.0.xsd" >
735+
736+ <config >
737+ <firewall name =" main" >
738+ <access-token >
739+ <token-handler >
740+ <oidc claim =" email" audience =" api-example" >
741+ <algorithm >ES256</algorithm >
742+ <algorithm >RS256</algorithm >
743+ <issuer >https://oidc.example.com</issuer >
744+ <discovery base-uri =" https://www.example.com/realms/demo/" cache =" cache.app" >
745+ </oidc >
746+ </token-handler >
747+ </access-token >
748+ </firewall >
749+ </config >
750+ </srv : container >
751+
752+ .. code-block :: php
753+
754+ // config/packages/security.php
755+ use Symfony\Config\SecurityConfig;
756+
757+ return static function (SecurityConfig $security) {
758+ $security->firewall('main')
759+ ->accessToken()
760+ ->tokenHandler()
761+ ->oidc()
762+ ->claim('email')
763+ ->algorithms(['ES256', 'RS256'])
764+ ->audience('api-example')
765+ ->issuers(['https://oidc.example.com'])
766+ ->discovery()
767+ ->baseUri('https://www.example.com/realms/demo/')
768+ ->cache('cache.app')
769+ ;
770+ };
771+
628772 Following the `OpenID Connect Specification `_, the ``sub `` claim is used by
629773default as user identifier. To use another claim, specify it on the
630774configuration:
@@ -925,5 +1069,6 @@ for :ref:`stateless firewalls <reference-security-stateless>`.
9251069.. _`JSON Web Tokens (JWT)` : https://datatracker.ietf.org/doc/html/rfc7519
9261070.. _`OpenID Connect (OIDC)` : https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)
9271071.. _`OpenID Connect Specification` : https://openid.net/specs/openid-connect-core-1_0.html
1072+ .. _`OpenID Connect Discovery` : https://openid.net/specs/openid-connect-discovery-1_0.html
9281073.. _`RFC6750` : https://datatracker.ietf.org/doc/html/rfc6750
9291074.. _`SAML2 (XML structures)` : https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html