New in Symfony 7.1: Improved Access Token Authenticator


In Symfony 6.2 we introduced an Access Token Authenticator capable of extracting
RFC 6750-compliant bearer tokens from requests and retrieving the associated user
identifier. Symfony 7.1 enhances this feature with several new capabilities.

Contributed by Florent Morselli
in #53682.

First, we've added support for RSA signature algorithms. Until now, the tokens
handled by this authenticator had to be signed with the ES256 algorithm. Given the
widespread use of RSA in services like Amazon Cognito, we now support RSA-signed
tokens as well.
To accept one or both algorithms in your application, update your security
configuration file (the `key` option, which held a single JWK, is replaced by
`keyset`, which holds a JWK set):

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        # Algorithms allowed to sign the JWS
-                       algorithm: 'ES256'
+                       algorithms: ['ES256', 'RS256']
                        # A JSON-encoded JWK set
-                       key: '{"kty":"...","k":"..."}'
+                       keyset: '{"keys":[{"kty":"...","k":"..."}]}'

Contributed by Nicolas Attard
in #48276.

Additionally, Symfony 7.1 introduces a new CAS 2.0 access token handler.
CAS (Central Authentication Service) is a single sign-on protocol for web
applications. It allows a user to access multiple applications while providing
their credentials (such as user ID and password) only once.
Symfony now includes a generic Cas2Handler to interface with your CAS
server. Add the following to your security configuration to set the URL of the
CAS endpoint that validates the tickets presented to your application:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    cas:
                        validation_url: https://example.com/cas/validate
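To make the exchange behind `validation_url` concrete, here is an added example (not Symfony's Cas2Handler code) of the two steps a CAS 2.0 client performs: sending the ticket to the validation endpoint together with the exact `service` URL it was issued for, and accepting only a namespaced `<cas:authenticationSuccess>` element carrying a user identifier. The service URL and the XML responses are constructed for illustration.

```python
"""CAS 2.0 ticket validation: request construction and response parsing."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Namespace every CAS 2.0 validation response uses for its elements.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

def build_validation_url(validation_url: str, service: str, ticket: str) -> str:
    """Build the GET request sent to the CAS validation endpoint.
    `service` must be the exact URL the ticket was issued for; the CAS
    server rejects a ticket presented on behalf of any other service."""
    return f"{validation_url}?{urlencode({'service': service, 'ticket': ticket})}"

def parse_validation_response(body: str) -> str:
    """Return the authenticated user identifier or raise ValueError.
    Anything other than a well-formed <cas:serviceResponse> containing
    <cas:authenticationSuccess> with a non-empty <cas:user> is a rejection,
    including an explicit <cas:authenticationFailure> from the server."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed CAS response: {exc}") from exc
    if root.tag != "{http://www.yale.edu/tp/cas}serviceResponse":
        raise ValueError("unexpected root element in CAS response")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        detail = (failure.text or "").strip()
        raise ValueError(f"CAS rejected ticket: {failure.get('code')} {detail}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    user = success.find("cas:user", CAS_NS) if success is not None else None
    if user is None or not (user.text or "").strip():
        raise ValueError("CAS response carries no authenticated user")
    return user.text.strip()

# Constructed sample responses (not captured from a real CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(build_validation_url("https://example.com/cas/validate",
                               "https://app.example.com/login", "ST-EXAMPLE"))
    print(parse_validation_response(SUCCESS_XML))
```

A response whose elements lack the CAS namespace is rejected by the root-tag check, which is why the lookups above are namespace-qualified rather than matching bare element names.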
