diff --git a/security/access_token.rst b/security/access_token.rst
index d5d607dbcb0..2e6438a633e 100644
--- a/security/access_token.rst
+++ b/security/access_token.rst
@@ -343,6 +343,443 @@ and configure the service ID as the ``success_handler``:
``failure_handler`` option and create a class that implements
:class:`Symfony\\Component\\Security\\Http\\Authentication\\AuthenticationFailureHandlerInterface`.
+Using OpenID Connect (OIDC)
+---------------------------
+
+`OpenID Connect (OIDC)`_ is the third generation of OpenID technology and it's a RESTful HTTP API that uses
+JSON as its data format. OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization framework.
+It allows to verify the identity of an end user based on the authentication performed by an authorization server.
+
+.. caution::
+
+ This feature is experimental and could change or be removed at any time without prior notice.
+
+1) Configure the OidcUserInfoTokenHandler
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 6.3
+
+ The ``OidcUserInfoTokenHandler`` class was introduced in Symfony 6.3.
+
+.. note::
+
+ The ``OidcUserInfoTokenHandler`` requires ``symfony/http-client`` package:
+
+ .. code-block:: terminal
+
+ $ composer require symfony/http-client
+
+Symfony provides a generic OidcUserInfoTokenHandler to call your OIDC server and retrieve the user info:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc_user_info:
+ client:
+ base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidcUserInfo()
+ ->client()
+ ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
+ ;
+ };
+
+.. tip::
+
+ Following the `OpenID Connect Specification`_, the `sub` claim
+ is used as user identifier by default. To use another claim,
+ specify it on the configuration:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc_user_info:
+ claim: email
+ client:
+ base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidcUserInfo()
+ ->claim('email')
+ ->client()
+ ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
+ ;
+ };
+
+.. tip::
+
+ The ``oidc_user_info`` token handler automatically creates
+ an HTTP client with the specified configuration. If you
+ prefer using your own client, you can specify the service
+ name via the ``client`` option:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc_user_info:
+ client: oidc.client
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidcUserInfo()
+ ->client('oidc.client')
+ ;
+ };
+
+By default, the ``OidcUserInfoTokenHandler`` creates an OidcUser with the claims. To create your own User from the
+claims, you must :doc:`create your own UserProvider `::
+
+ // src/Security/Core/User/OidcUserProvider.php
+ use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface;
+
+ class OidcUserProvider implements AttributesBasedUserProviderInterface
+ {
+ public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface
+ {
+ // do some magic
+ }
+ }
+
+2) Configure the OidcTokenHandler
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 6.3
+
+ The ``OidcTokenHandler`` class was introduced in Symfony 6.3.
+
+.. note::
+
+ The ``OidcTokenHandler`` requires ``web-token/jwt-signature``, ``web-token/jwt-checker`` and
+ ``web-token/jwt-signature-algorithm-ecdsa`` packages:
+
+ .. code-block:: terminal
+
+ $ composer require web-token/jwt-signature
+ $ composer require web-token/jwt-checker
+ $ composer require web-token/jwt-signature-algorithm-ecdsa
+
+Symfony provides a generic OidcTokenHandler to decode your token, validate it and retrieve the user info from it:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc:
+ signature:
+ # Algorithm used to sign the JWS
+ algorithm: 'HS256'
+ # A JSON-encoded JWK
+ key: '{"kty":"...","k":"..."}'
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidc()
+ ->signature()
+ ->algorithm('HS256')
+ ->key('{"kty":"...","k":"..."}')
+ ;
+ };
+
+.. tip::
+
+ Following the `OpenID Connect Specification`_, the `sub` claim
+ is used by default as user identifier. To use another claim,
+ specify it on the configuration:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc:
+ claim: email
+ signature:
+ algorithm: 'HS256'
+ key: '{"kty":"...","k":"..."}'
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidc()
+ ->claim('email')
+ ->signature()
+ ->algorithm('HS256')
+ ->key('{"kty":"...","k":"..."}')
+ ;
+ };
+
+.. tip::
+
+ The ``oidc`` token handler also check for the token audience.
+ By default, this audience is optional. To enable this check,
+ add the ``audience`` option:
+
+.. configuration-block::
+
+ .. code-block:: yaml
+
+ # config/packages/security.yaml
+ security:
+ firewalls:
+ main:
+ access_token:
+ token_handler:
+ oidc:
+ audience: 'My audience'
+ signature:
+ algorithm: 'HS256'
+ key: '{"kty":"...","k":"..."}'
+
+ .. code-block:: xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ .. code-block:: php
+
+ // config/packages/security.php
+ use Symfony\Config\SecurityConfig;
+
+ return static function (SecurityConfig $security) {
+ $security->firewall('main')
+ ->accessToken()
+ ->tokenHandler()
+ ->oidc()
+ ->audience('My audience')
+ ->signature()
+ ->algorithm('HS256')
+ ->key('{"kty":"...","k":"..."}')
+ ;
+ };
+
+By default, the OidcTokenHandler creates an OidcUser with the claims. To create your own User from the claims,
+you must :doc:`create your own UserProvider `::
+
+ // src/Security/Core/User/OidcUserProvider.php
+ use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface;
+
+ class OidcUserProvider implements AttributesBasedUserProviderInterface
+ {
+ public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface
+ {
+ // do some magic
+ }
+ }
+
.. _`JSON Web Tokens (JWT)`: https://datatracker.ietf.org/doc/html/rfc7519
.. _`SAML2 (XML structures)`: https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
.. _`RFC6750`: https://datatracker.ietf.org/doc/html/rfc6750
+.. _`OpenID Connect Specification`: https://openid.net/specs/openid-connect-core-1_0.html
+.. _`OpenID Connect (OIDC)`: https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy