New in Symfony 6.3: OpenID Connect Token Handler


Contributed by Vincent Chalamon in #48272.

In Symfony 6.2 we introduced an access token authenticator which can fetch
access tokens from the request headers, body or query string to retrieve the
associated user identifier.

In Symfony 6.3 we're introducing an implementation of that authenticator mechanism
to interact with OpenID Connect servers. OpenID Connect (OIDC) is the third generation
of OpenID technology and it's a RESTful HTTP API that uses JSON as its data format.
OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization
framework. It allows you to verify the identity of an end user based on the
authentication performed by an authorization server.

First, we've introduced an OidcUserInfoTokenHandler to call your OIDC server
and retrieve the user info. You only need to configure the following and Symfony
will create an HTTP client for you to handle the HTTP requests needed for this
authentication (config is shown in YAML, but XML and PHP also work):

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc_user_info:
                        client:
                            base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
                        # by default, the claim is 'sub'; use this option to customize it
                        # claim: 'email'

This token handler creates an OidcUser object with all the user claims, but
you can define a custom user provider to create your own User object from
the given claims.

In addition to the previous token handler, we've added a generic OidcTokenHandler
to decode your token, validate it and retrieve the user info from it. This is
again a matter of adding a few lines of config (in YAML, XML or PHP):

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        signature:
                            # Algorithm used to sign the JWS
                            algorithm: 'HS256'
                            # A JSON-encoded JWK
                            key: '{"kty":"...","k":"..."}'
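To make concrete what a token handler has to do with those two settings, here is an added example in plain PHP; it is not Symfony's OidcTokenHandler, just a minimal validator for the HS256 case the configuration shows. It takes the same inputs (a pinned algorithm and a JSON-encoded JWK), verifies the signature first, and only then reads the claims and returns the `sub` identifier. The function names, the sample issuer and audience, and the shared secret are all constructed for this example.

```php
<?php
// Added example, not Symfony's OidcTokenHandler: a minimal validator for an
// HS256-signed OIDC token driven by the same inputs the 'oidc' handler above
// is configured with (signature.algorithm and signature.key as a JSON JWK).
// Function names, issuer/audience values and the sample secret are constructed.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $padding = strlen($data) % 4;
    if (0 !== $padding) {
        $data .= str_repeat('=', 4 - $padding);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if (false === $decoded) {
        throw new RuntimeException('Malformed base64url segment.');
    }
    return $decoded;
}

/**
 * Verify a compact JWS (header.payload.signature) and return its claims.
 * $algorithm and $jwkJson mirror signature.algorithm / signature.key.
 * Throws on any failure so a caller never sees unverified claims.
 */
function validate_oidc_token(string $token, string $algorithm, string $jwkJson, string $issuer, string $audience, int $now): array
{
    if ('HS256' !== $algorithm) {
        throw new RuntimeException('This example only implements HS256.');
    }
    $jwk = json_decode($jwkJson, true, 512, JSON_THROW_ON_ERROR);
    if ('oct' !== ($jwk['kty'] ?? null) || !isset($jwk['k'])) {
        throw new RuntimeException('HS256 needs a symmetric JWK (kty=oct) with a "k" member.');
    }
    $secret = base64url_decode($jwk['k']);

    $parts = explode('.', $token);
    if (3 !== count($parts)) {
        throw new RuntimeException('Token is not a compact JWS.');
    }
    [$encHeader, $encPayload, $encSignature] = $parts;

    // The configured algorithm is authoritative: the token's own "alg" header is
    // only checked for agreement, never used to choose how to verify.
    $header = json_decode(base64url_decode($encHeader), true, 512, JSON_THROW_ON_ERROR);
    if (($header['alg'] ?? null) !== $algorithm) {
        throw new RuntimeException('Token algorithm does not match the configured one.');
    }

    $expected = hash_hmac('sha256', $encHeader.'.'.$encPayload, $secret, true);
    if (!hash_equals($expected, base64url_decode($encSignature))) {
        throw new RuntimeException('Invalid signature.');
    }

    // Claims are inspected only after the signature has been verified.
    $claims = json_decode(base64url_decode($encPayload), true, 512, JSON_THROW_ON_ERROR);
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        throw new RuntimeException('Token is expired or has no "exp" claim.');
    }
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new RuntimeException('Unexpected issuer.');
    }
    if (!in_array($audience, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('Token was not issued for this audience.');
    }
    if (empty($claims['sub'])) {
        throw new RuntimeException('Missing "sub" claim (the default user identifier).');
    }
    return $claims;
}

// Constructed sample: mint a token with the same key so the example runs offline.
$jwkJson  = json_encode(['kty' => 'oct', 'k' => base64url_encode('example-shared-secret-do-not-reuse')]);
$issuer   = 'https://www.example.com/realms/demo';
$audience = 'my-symfony-app';
$now      = time();

$header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$payload = base64url_encode(json_encode([
    'iss' => $issuer, 'aud' => $audience, 'sub' => 'user-42',
    'email' => 'user@example.com', 'iat' => $now, 'exp' => $now + 300,
]));
$secret = base64url_decode(json_decode($jwkJson, true)['k']);
$token  = $header.'.'.$payload.'.'.base64url_encode(hash_hmac('sha256', $header.'.'.$payload, $secret, true));

$claims = validate_oidc_token($token, 'HS256', $jwkJson, $issuer, $audience, $now);
echo 'Authenticated user identifier: '.$claims['sub'].PHP_EOL;

// A payload edited after signing no longer matches the signature and is rejected.
$tampered = $header.'.'.base64url_encode(json_encode(['sub' => 'admin'])).'.'.explode('.', $token)[2];
try {
    validate_oidc_token($tampered, 'HS256', $jwkJson, $issuer, $audience, $now);
} catch (RuntimeException $e) {
    echo 'Rejected: '.$e->getMessage().PHP_EOL;
}
```

The two details worth carrying over to any real deployment are visible in the function: the verification algorithm comes from configuration, not from the token's `alg` header, and the `sub`, `exp`, `iss` and `aud` claims are read only after the HMAC check passes. With a real OpenID Connect provider the signing key is usually an asymmetric one published in the provider's JWK set rather than a shared `oct` secret; this example sticks to the HS256 shape that the configuration above uses.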

That's all. In Symfony 6.3 you can add OpenID Connect compatibility to your
applications with just a few lines of security configuration. Read the
pending Pull Request with the docs of this feature to learn more about it.
