New in Symfony 6.3: OpenID Connect Token Handler
In Symfony 6.2 we introduced an access token authenticator which can fetch
access tokens from the request headers, body or query string to retrieve the
associated user identifier.
In Symfony 6.3 we’re introducing an implementation of that authenticator mechanism
to interact with OpenID Connect servers. OpenID Connect (OIDC) is the third generation
of OpenID technology and it’s a RESTful HTTP API that uses JSON as its data format.
OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization
framework. It allows a client application to verify the identity of an end user based on the
authentication performed by an authorization server.
First, we’ve introduced an OidcUserInfoTokenHandler that calls your OIDC server
and retrieves the user info. You only need to configure the following and Symfony
will create an HTTP client for you to handle the HTTP requests needed for this
authentication (the config is shown in YAML, but XML and PHP also work):
# by default, the claim is 'sub'; use this option to customize it
# claim: 'email'
This token handler creates an OidcUser object with all the user claims, but
you can define a custom user provider to create your own User object from
the given claims.
In addition to the previous token handler, we’ve added a generic OidcTokenHandler
to decode your token, validate it and retrieve the user info from it. This is
again a matter of adding a few lines of config (in YAML, XML or PHP):
# Algorithm used to sign the JWS
# A JSON-encoded JWK
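As an added illustration (not Symfony's code; the real OidcTokenHandler verifies the JWS with a JOSE library using the algorithm and JWK you configure), here is the sequence of checks such a handler has to pass before it trusts a claim from a bearer JWS: the configured algorithm, the signature against the configured JWK, the exp/nbf and aud claims, and only then the lookup of the identifier claim. It assumes HS256 with a symmetric `oct` JWK and an expected audience value; the key, clock and token are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_oidc_token(token, jwk, algorithm, audience, claim="sub", now=None):
    """Validate a compact JWS against the configured algorithm/JWK and claims.
    Returns the user identifier found in `claim`; raises ValueError on any failure."""
    if algorithm != "HS256" or jwk.get("kty") != "oct":
        raise ValueError("this example only implements HS256 with a symmetric 'oct' JWK")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    # The configured algorithm decides which verifier runs; the token's own 'alg'
    # header is only checked for consistency, never used to pick the verifier.
    if json.loads(b64url_decode(h_b64)).get("alg") != algorithm:
        raise ValueError("algorithm mismatch")
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))  # only trusted after the signature is verified
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    if payload.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claim not in payload:
        raise ValueError(f"claim {claim!r} missing from token")
    return str(payload[claim])

def sign_hs256(payload: dict, jwk: dict) -> str:
    """Constructed helper that plays the OIDC provider and mints a token for the demo."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed sample key, fixed clock and token (not real credentials).
SAMPLE_JWK = {"kty": "oct", "k": b64url_encode(b"constructed-demo-secret-not-for-production")}
NOW = 1_700_000_000
GOOD_TOKEN = sign_hs256({"iss": "https://idp.example", "sub": "user-42", "email": "alice@example.com",
                         "aud": "api-example", "exp": NOW + 300, "nbf": NOW - 10}, SAMPLE_JWK)
```

Passing `claim="email"` mirrors the `claim` option above: the same verified token yields a different user identifier, while a token lacking that claim is rejected rather than silently falling back to `sub`.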
That’s all. In Symfony 6.3 you can add OpenID Connect compatibility to your
applications with just a few lines of security configuration. Read the
pending Pull Request with the docs of this feature to learn more about it.