PHPackages drenso/symfony-oidc-bundle - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. drenso/symfony-oidc-bundle ActiveSymfony-bundle drenso/symfony-oidc-bundle ========================== OpenID connect bundle for Symfony v4.3.1(5mo ago)89648.2k—3.2%39[2 PRs](https://github.com/Drenso/symfony-oidc/pulls)1Apache-2.0PHPPHP >=8.1 Since May 26Pushed 1mo ago4 watchersCompare [ Source](https://github.com/Drenso/symfony-oidc)[ Packagist](https://packagist.org/packages/drenso/symfony-oidc-bundle)[ Docs](https://gitlab.drenso.nl/intern/symfony-oidc)[ RSS](/packages/drenso-symfony-oidc-bundle/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (10)Dependencies (22)Versions (60)Used By (1) Symfony OIDC bundle =================== [](#symfony-oidc-bundle) This bundle can be used to add OIDC support to any Symfony application. We have only tested it with SURFconext OIDC, but it should work with any OIDC provider! Many thanks to for the implementation which this bundle uses although it has been modified to fix within an object oriented approach. > Note that this repository is automatically mirrored from our own Gitlab instance. We will accept issues and merge requests here though! ### Version notes [](#version-notes) Since version 2 this bundle only supports Symfony's new authentication manager, introduced in Symfony 5.3. As the security manager matured in Symfony 5.4, that is the first version this bundle supports. Using the new authentication manager is required for Symfony 6! We also require the use of PHP8, as that significantly reduces the maintenance complexity. Do you need this bundle, but you cannot enable the new authentication manager or use PHP8? Check out the [v1.x](https://github.com/Drenso/symfony-oidc/tree/v1.x) branch and its documentation! ### Works with the following IdPs [](#works-with-the-following-idps) The following IdPs are known to work with this bundle: IdPStatusRemarksAuth0 by Okta✅OpenConext✅Used by SURFconext in the NetherlandsKeycloak✅Microsoft Entra ID✅Will not work with default configuration, make sure to follow [these steps.](https://github.com/Drenso/symfony-oidc/blob/main/docs/ms-entra-id.md)If you are using this bundle with any other IdP, please submit a PR to add it! ### Migrate from older versions [](#migrate-from-older-versions) Take a look at [UPGRADE.md](https://github.com/Drenso/symfony-oidc/blob/main/UPGRADE.md)! ### Installation [](#installation) You can add this bundle by simply requiring it with composer: ``` composer require drenso/symfony-oidc-bundle ``` If you're using Symfony Flex, your `.env` file should have been appended with some environment variables and a `drenso_oidc.yaml` file should have been created in your configuration directory! ### Setup [](#setup) ##### OIDC Clients [](#oidc-clients) Make sure to configure at least the default OIDC client in the `drenso_oidc.yaml` in your `config/packages` directory. This can be done using the environment variables already added to your application by Symfony flex, or by updating the configuration file. You can configure more clients, they will be available under the `drenso.oidc.client.{name}`, and are autowirable by using `OidcClientInterface ${name}OidcClient`, for example `OidcClientInterface $defaultOidcClient`. If the name does not match with one of the configured clients, the default client will be autowired. Configuration example: ``` drenso_oidc: #default_client: default # The default client, will be aliased to OidcClientInterface clients: default: # The client name, each client will be aliased to its name (for example, $defaultOidcClient) # Required OIDC client configuration well_known_url: '%env(OIDC_WELL_KNOWN_URL)%' client_id: '%env(OIDC_CLIENT_ID)%' client_secret: '%env(OIDC_CLIENT_SECRET)%' # Extra configuration options #well_known_parser: ~ # Service id for a custom well-known configuration parser #well_known_cache_time: 3600 # Time in seconds, will only be used when symfony/cache is available #jwks_cache_time: 3600 # Time in seconds, will only be used when symfony/cache is available #token_leeway_seconds: 300 # Leeway time in seconds when validating token validity #redirect_route: '/login_check' #custom_client_headers: [] #code_challenge_method: ~ # Code challenge method, can be null, 'S256' or 'plain' #disable_nonce: false # Set to true when nonce verification should not be used # Add any extra client #link: # Will be accessible using $linkOidcClient #well_known_url: '%env(LINK_WELL_KNOWN_URL)%' #client_id: '%env(LINK_CLIENT_ID)%' #client_secret: '%env(LINK_CLIENT_SECRET)%' ``` ##### User provider [](#user-provider) You will need to update your User Provider to implement the methods from the `OidcUserProviderInterface`. Two methods need to be implemented: - `ensureUserExists(string $userIdentifier, OidcUserData $userData, OidcTokens $tokens)`: Implement this method to bootstrap a new account using the data available from the passed `OidcUserData` object. The identifier is a configurable property from the user data, which defaults to `sub`. If the account cannot be bootstrapped, authentication will be impossible as the User Provider will not be capable of retrieving the user. - `loadOidcUser(string $userIdentifier): UserInterface`: Implement this method to retrieve the user based on the identifier. We use a dedicated method instead of Symfony's default `loadUserByIdentifier` to allow you to detect where the login is coming from, without the need of creating a dedicated user provider. If the OIDC user identifiers are unique, a forward to the `loadUserByIdentifier` should be sufficient. ##### Firewall configuration [](#firewall-configuration) If you are using Symfony <6, make sure to enable the new authentication manager in the `security.yaml`: ``` security: enable_authenticator_manager: true ``` Enable the `oidc` listener in the `security.yml` for your firewall: ``` security: firewalls: main: pattern: ^/ oidc: ~ ``` There are a couple of options available for the `oidc` listener. OptionDefaultDescription`check_path``/login_check`Only on this path the authenticator will accept authentication. Note that this should match with the redirect configured for the OIDC client.`login_path``/login`The path to forward to when authentication is required`client``default`The configured OIDC client to use`user_identifier_property``sub`The OidcUserData property to use as unique user identifier`user_identifier_from_idtoken``false`The identifier is fetched from the id\_token instead of userinfo endpoint`enable_remember_me``false`Enable "remember me" functionality for authenticator`enable_end_session_listener``false`Enable "logout" functionality for authenticator through the "LogoutEvent"`use_logout_target_path``true`Used for the end session event subscriber`always_use_default_target_path``false`Used for the success handler`default_target_path``/`Used for the success handler`target_path_parameter``_target_path`Used for the success handler`use_referer``false`Used for the success handler`failure_path``null`Used for the failure handler`failure_forward``false`Used for the failure handler`failure_path_parameter``_failure_path`Used for the failure handler`enable_retrieve_user_info``true`Enable fetching data from the user info endpoint. *Required:* If disabled, `user_identifier_from_idtoken` must be set to `true`.`user_info_from_idtoken``false`The user info data is set from the ID token instead of fetching it from the endpoint.You can configure them directly under the `oidc` listener in your firewall, for example the `user_identifier_property`: ``` security: firewalls: main: oidc: user_identifier_property: email ``` ##### Start the authentication [](#start-the-authentication) Use the controller example below to forward a user to the OIDC service: ``` /** * This controller forwards the user to the OIDC login * * @throws \Drenso\OidcBundle\Exception\OidcException */ #[Route('/login_oidc', name: 'login_oidc')] #[IsGranted('PUBLIC_ACCESS')] public function surfconext(OidcClientInterface $oidcClient): RedirectResponse { // Redirect to authorization @ OIDC provider return $oidcClient->generateAuthorizationRedirect(); } ``` > It is possible to supply prompt, scopes and additional query parameters to the `generateAuthorizationRedirect` method. > It is also possible to force remember me mode for the redirect. That should be all! ### User identifier [](#user-identifier) By default, this bundle uses the `sub` property as user identifier, but any property from the retrieved user data can be used. Just configure the `user_identifier_property` with an property path string compatible with the [Symfony Property Accessor](https://symfony.com/doc/current/components/property_access.html) to retrieve the value you need. > Note that the object based access method is used to retrieve the properties from the user data. ### Remember me [](#remember-me) If you want to enable remember me functionality make sure that you add the `_remember_me=1` query parameter to the route being used to generate the redirect forward (the one that calls `generateAuthorizationRedirect`). You can override the `_remember_me` parameter per OIDC client. Just update the `remember_me_parameter` value in the client configuration. Lastly, make sure the Symfony remember me authenticator is enabled, and that you set the `enable_remember_me` option to true for the `oidc` authenticator in `security.yaml`. When a user is authenticated, you will see the `REMEMBERME` cookie. You can remove the `PHPSESSID` cookie to check whether remember me is working. ### Logout [](#logout) It is possible to enable "logout" through the `end_session_support` functionality of the Identity Provider, if the `end_session_endpoint` parameter is present in the .well-known endpoint it can be used. As logging out is fundamentally broken when using single sign-on, this option is disabled by default. This is due to the fact that logging out at the identity provider (for example: Azure, Facebook, etc) cannot guarantee the user is logged out of any other service that the user has authenticated with using the same identity provider. If you want to enable the "logout" support, simply add `enable_end_session_listener: true` to your oidc listener in the firewall config. It will only work of you enabled the default Symfony `logout: true` setting in your firewall. By default, the listener will pass the logout `target_path` to the OpenID Provider, so the user gets redirected back to your application after logging out. If you don't want this and want the user to remain at the logout confirmation page of your OpenID Provider, enable the `use_logout_target_path: false` setting. ***Example: default logout path*** ``` security: firewalls: main: logout: true oidc: enable_end_session_listener: true ``` ***Example: custom logout target path*** ``` security: firewalls: main: logout: target: /my_custom_target_path oidc: enable_end_session_listener: true ``` ***Example: disable redirect to logout `target_path`*** This will keep the user at the OpenID provider after login out. ``` security: firewalls: main: logout: true oidc: enable_end_session_listener: true use_logout_target_path: false ``` ### Client locator [](#client-locator) If for some reason you have several OIDC clients configured and need to retrieve them dynamically, you can use the `OidcClientLocator`. ``` public function surfconext(OidcClientLocator $clientLocator): RedirectResponse { return $clientLocator->getClient('your_client_id')->generateAuthorizationRedirect(); } ``` The locator will throw an OidcClientNotFoundException when the requested client is not found. When called without an argument, it will return the configured default client. ### Leeway [](#leeway) This bundle uses a 300 seconds leeway when validating the access tokens. This value can be configured with the `token_leeway_seconds` client option. ### Cache [](#cache) When you have `symfony/cache` available in your project, this library will automatically cache the well known and jwks results. By default, it will be cached for `3600` seconds. You can disable the caches separately by passing `null` to the `well_known_cache_time` or `jwks_cache_time` client options. ### Refreshing tokens [](#refreshing-tokens) Currently, the firewall implementation provided by this bundle does not offer refresh tokens (as it should not be necessary). However, if you need to refresh the tokens yourself for your implementation, you can use the `refreshTokens` method on the `OidcClientInterface`! ### Additional token claim validation [](#additional-token-claim-validation) If you need to validate additional token claims, you can create a service which implements `OidcTokenConstraintProviderInterface` and add its service id to the OIDC client of your choice. Sample configuration: ``` drenso_oidc: clients: default: additional_token_constraints_provider: App\Security\AdditionalTokenConstraintProvider ``` Sample constraint provider: ``` namespace App\Security; use App\Security\Constraint\HasAudienceContaining; use Drenso\OidcBundle\Enum\OidcTokenType; use Drenso\OidcBundle\OidcTokenConstraintProviderInterface; class AdditionalTokenConstraintProvider implements OidcTokenConstraintProviderInterface { public function getAdditionalConstraints(OidcTokenType $tokenType): array { if (OidcTokenType::ID === $tokenType) { return [ new HasAudienceContaining('abc123'), ]; } if (OidcTokenType::ACCESS === $tokenType) { return [ new HasAudienceContaining('def456'), ]; } return []; } } ``` ### Parsing well-known information [](#parsing-well-known-information) Some providers return incorrect or incomplete well known information. You can configure a custom well-known parser for the `OidcClient` by setting the `well_known_parser` to a service id which implements the `OidcWellKnownParserInterface`. ### OAuth 2.0 Token Exchange [RFC 8693](https://datatracker.ietf.org/doc/html/rfc8693) [](#oauth-20-token-exchange-rfc-8693) This bundle support Token Exchange: you can use the `exchangeTokens` on the `OidcClient` to do so. This was added with [\#66](https://github.com/Drenso/symfony-oidc/pull/66), which contains some more background information regarding the procedure as well. Known usages ------------ [](#known-usages) A list of open source projects that use this bundle: - Zitadel's [example-symfony-oidc](https://github.com/zitadel/example-symfony-oidc): A template repository with basic OIDC authentication, user model, roles and example pages. ### Health Score 67 — FairBetter than 100% of packages Maintenance82 Actively maintained with recent releases Popularity54 Moderate usage in the ecosystem Community29 Small or concentrated contributor base Maturity86 Battle-tested with a long release history Bus Factor1 Top contributor holds 90.2% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~47 days Recently: every ~77 days Total 59 Last Release 153d ago Major Versions v1.13.0 → v2.5.02022-06-23 v1.13.1 → v2.13.12024-02-29 v2.13.2 → v3.0.02024-04-02 v1.x-dev → v3.5.02024-12-09 v3.6.0 → v4.0.02025-02-11 PHP version history (5 changes)v1.0.0PHP ^7.1.3 v1.11.0PHP ^7.3 v1.11.4PHP ^7.3 || ^8.0 v2.0.0PHP >=8.0.2 v2.11.0PHP >=8.1 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/1835343?v=4)[Bob van de Vijver](/maintainers/bobvandevijver)[@bobvandevijver](https://github.com/bobvandevijver) ![](https://avatars.githubusercontent.com/u/3901745?v=4)[Tobias Feijten](/maintainers/tobias-93)[@tobias-93](https://github.com/tobias-93) --- Top Contributors [![bobvandevijver](https://avatars.githubusercontent.com/u/1835343?v=4)](https://github.com/bobvandevijver "bobvandevijver (184 commits)")[![dbollaer](https://avatars.githubusercontent.com/u/1390812?v=4)](https://github.com/dbollaer "dbollaer (3 commits)")[![tobias-93](https://avatars.githubusercontent.com/u/3901745?v=4)](https://github.com/tobias-93 "tobias-93 (3 commits)")[![michaelKaefer](https://avatars.githubusercontent.com/u/13886409?v=4)](https://github.com/michaelKaefer "michaelKaefer (2 commits)")[![hockdudu](https://avatars.githubusercontent.com/u/22674892?v=4)](https://github.com/hockdudu "hockdudu (1 commits)")[![Lctrs](https://avatars.githubusercontent.com/u/5477973?v=4)](https://github.com/Lctrs "Lctrs (1 commits)")[![benoitbauchet](https://avatars.githubusercontent.com/u/40472010?v=4)](https://github.com/benoitbauchet "benoitbauchet (1 commits)")[![matthiask-c24](https://avatars.githubusercontent.com/u/196298825?v=4)](https://github.com/matthiask-c24 "matthiask-c24 (1 commits)")[![MatthieuLeboeuf](https://avatars.githubusercontent.com/u/59397088?v=4)](https://github.com/MatthieuLeboeuf "MatthieuLeboeuf (1 commits)")[![muhlemmer](https://avatars.githubusercontent.com/u/5411563?v=4)](https://github.com/muhlemmer "muhlemmer (1 commits)")[![nuryagdym](https://avatars.githubusercontent.com/u/26792980?v=4)](https://github.com/nuryagdym "nuryagdym (1 commits)")[![rvmourik](https://avatars.githubusercontent.com/u/6427451?v=4)](https://github.com/rvmourik "rvmourik (1 commits)")[![LorisZ](https://avatars.githubusercontent.com/u/806943?v=4)](https://github.com/LorisZ "LorisZ (1 commits)")[![David-Dadon](https://avatars.githubusercontent.com/u/180660987?v=4)](https://github.com/David-Dadon "David-Dadon (1 commits)")[![fritjofbohm](https://avatars.githubusercontent.com/u/1853787?v=4)](https://github.com/fritjofbohm "fritjofbohm (1 commits)")[![gregoire-jianda](https://avatars.githubusercontent.com/u/2151352?v=4)](https://github.com/gregoire-jianda "gregoire-jianda (1 commits)") --- Tags symfonyOpenID Connectoidc ### Code Quality Static AnalysisPHPStan, Rector Code StylePHP CS Fixer Type Coverage Yes ### Embed Badge ![Health badge](/badges/drenso-symfony-oidc-bundle/health.svg) ``` [![Health](https://phpackages.com/badges/drenso-symfony-oidc-bundle/health.svg)](https://phpackages.com/packages/drenso-symfony-oidc-bundle) ``` ### Alternatives [sulu/sulu Core framework that implements the functionality of the Sulu content management system 1.3k1.3M152](/packages/sulu-sulu)[sylius/sylius E-Commerce platform for PHP, based on Symfony framework. 8.4k5.6M651](/packages/sylius-sylius)[contao/core-bundle Contao Open Source CMS 1231.6M2.4k](/packages/contao-core-bundle)[shopware/platform The Shopware e-commerce core 3.3k1.5M3](/packages/shopware-platform)[prestashop/prestashop PrestaShop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. 9.0k15.4k](/packages/prestashop-prestashop)[shopware/core Shopware platform is the core for all Shopware ecommerce products. 595.2M386](/packages/shopware-core) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)