PHPackages itk-dev/openid-connect-bundle - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. itk-dev/openid-connect-bundle ActiveSymfony-bundle[Authentication & Authorization](/categories/authentication) itk-dev/openid-connect-bundle ============================= Symfony bundle for openid-connect 4.2.0(4w ago)247.0k↑54%MITPHPPHP ^8.3CI passing Since Sep 16Pushed 4w ago2 watchersCompare [ Source](https://github.com/itk-dev/openid-connect-bundle)[ Packagist](https://packagist.org/packages/itk-dev/openid-connect-bundle)[ RSS](/packages/itk-dev-openid-connect-bundle/feed)WikiDiscussions develop Synced 1w ago READMEChangelog (10)Dependencies (41)Versions (24)Used By (0) OpenId Connect Bundle ===================== [](#openid-connect-bundle) [![Github](https://camo.githubusercontent.com/6599247edf6f4eca188f811294f9e258928689d9d48069d3ea0d690c83e87195/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f736f757263652d69746b2d2d6465762f6f70656e69642d2d636f6e6e6563742d2d62756e646c652d626c75653f7374796c653d666c61742d737175617265)](https://github.com/itk-dev/openid-connect-bundle)[![Release](https://camo.githubusercontent.com/921b4b459de0f1f3ef885c99be0aad4e4147d1393fee10b03b5d2b971d18fc01/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c652e7376673f7374796c653d666c61742d737175617265266c6162656c3d72656c65617365)](https://packagist.org/packages/itk-dev/openid-connect-bundle)[![PHP Version](https://camo.githubusercontent.com/33fdd07a2cff983d42c28babd5d0f83906f081a1e2147984623e651378aad093/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c652e7376673f7374796c653d666c61742d73717561726526636f6c6f72423d253233383839324246)](https://www.php.net/downloads)[![Build Status](https://camo.githubusercontent.com/e4feb436a61cceb64ae6aeb47b9d2494964ba83e71f9fe1f0084baa3d9fab760/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c652f7068702e79616d6c3f6272616e63683d646576656c6f70266c6162656c3d4349266c6f676f3d676974687562267374796c653d666c61742d737175617265)](https://github.com/itk-dev/openid-connect-bundle/actions/workflows/php.yaml?query=branch%3Adevelop)[![Codecov Code Coverage](https://camo.githubusercontent.com/77a969a1c72819fe7ddd35294ded4f30ea9e44420dd312eaa68aa250b87d3cc1/68747470733a2f2f696d672e736869656c64732e696f2f636f6465636f762f632f67682f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c653f6c6162656c3d636f6465636f76266c6f676f3d636f6465636f76267374796c653d666c61742d737175617265)](https://codecov.io/gh/itk-dev/openid-connect-bundle)[![Read License](https://camo.githubusercontent.com/fdbba3e3436d860a96e0ba5d3ac0304f80b6ead3cf8e19f875ffe6e78f160592/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c652e7376673f7374796c653d666c61742d73717561726526636f6c6f72423d6461726b6379616e)](https://github.com/itk-dev/openid-connect-bundle/blob/master/LICENSE.md)[![Package downloads on Packagist](https://camo.githubusercontent.com/01f1a901ff050b9879fbd24cb609060961fbde3b1df9a0e0e66c4e7f17bd590c/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f69746b2d6465762f6f70656e69642d636f6e6e6563742d62756e646c652e7376673f7374796c653d666c61742d73717561726526636f6c6f72423d6461726b6d6167656e7461)](https://packagist.org/packages/itk-dev/openid-connect-bundle/stats) Symfony bundle for authorization via OpenID Connect. Note Symfony Native OIDC Support --------------------------- [](#symfony-native-oidc-support) Since this bundle was created Symfony has added [support for OpenID Connect](https://symfony.com/blog/new-in-symfony-6-3-openid-connect-token-handler)as documented in ["Using OpenID Connect (OIDC)"](https://symfony.com/doc/current/security/access_token.html#using-openid-connect-oidc). Symfony's native OIDC support has improved significantly in recent releases: - [OIDC discovery](https://github.com/symfony/symfony/pull/54932) was added in Symfony 7.3 (May 2025), removing the need for manual keyset configuration. Keys are fetched and cached automatically from the provider's `.well-known/openid-configuration` endpoint. - [OAuth2 Token Introspection](https://symfony.com/blog/new-in-symfony-7-3-security-improvements)(RFC 7662) support was added in Symfony 7.3, useful when access tokens are opaque (not JWTs). - [JWE (encrypted token) support](https://github.com/symfony/symfony/pull/57721)was added in Symfony 7.3 for OIDC token handlers. However, Symfony's native OIDC support is designed for **stateless bearer token validation** (the `access_token` authenticator) only. It validates tokens that are already present on the request (e.g. in an `Authorization: Bearer`header). It does **not** implement the **authorization code flow** — the browser-based login where the application redirects to the IdP, handles the callback with an authorization code, exchanges it for tokens, and establishes a session. This is tracked upstream in [symfony/symfony#50896](https://github.com/symfony/symfony/issues/50896). This means the following features of this bundle have no native Symfony equivalent: FeatureThis bundleSymfony nativeAuthorization code flow✅❌Session-based browser login✅❌Multiple named OIDC providers✅❌ ¹CLI login tokens✅❌OIDC discovery✅✅Bearer token validation (API)❌✅OAuth2 token introspection❌✅¹ Symfony's `access_token` handler accepts multiple `issuers` for token validation, but this is not the same as this bundle's named provider model with distinct client credentials, redirect URIs, and selectable login routes per provider. If your application needs browser-based OIDC login, this bundle is still required. Installation ------------ [](#installation) To install run ``` composer require itk-dev/openid-connect-bundle ``` Usage ----- [](#usage) Before being able to use the bundle, you must have your own User entity and database setup. Once you have this, you need to - Configure variables for OpenId Connect - Create an Authenticator class that extends the bundle authenticator, `OpenIdLoginAuthenticator` - Configure `LoginTokenAuthenticator` in order to use CLI login. ### Variable configuration [](#variable-configuration) In `/config/packages/` you need the following `itkdev_openid_connect.yaml` file for configuring OpenId Connect variables ``` itkdev_openid_connect: cache_options: cache_pool: 'cache.app' # Cache item pool for caching discovery document and CLI login tokens cli_login_options: route: '%env(string:OIDC_CLI_LOGIN_ROUTE)%' # Redirect route for CLI login user_provider: ~ # openid_providers: # Define one or more providers # [providerKey]: # options: # metadata_url: … # … admin: options: metadata_url: '%env(string:ADMIN_OIDC_METADATA_URL)%' client_id: '%env(string:ADMIN_OIDC_CLIENT_ID)%' client_secret: '%env(string:ADMIN_OIDC_CLIENT_SECRET)%' # Specify redirect URI redirect_uri: '%env(string:ADMIN_OIDC_REDIRECT_URI)%' # Optional: Specify leeway (seconds) to account for clock skew between provider and hosting # Defaults to 10 leeway: '%env(int:ADMIN_OIDC_LEEWAY)%' # Optional: Cache duration (seconds) for the OIDC discovery document and JWKS # Defaults to 86400 (24 hours) cache_duration: '%env(int:ADMIN_OIDC_CACHE_DURATION)%' # Optional: Allow (non-secure) http requests (used for mocking a IdP). NOT RECOMMENDED FOR PRODUCTION. # Defaults to false allow_http: '%env(bool:ADMIN_OIDC_ALLOW_HTTP)%' user: options: metadata_url: '%env(string:USER_OIDC_METADATA_URL)%' client_id: '%env(string:USER_OIDC_CLIENT_ID)%' client_secret: '%env(string:USER_OIDC_CLIENT_SECRET)%' # As an alternative to using (a more or less) hardcoded redirect uri, # a Symfony route can be used as redirect URI redirect_route: 'default' # Define any params for the redirect_route # redirect_route_parameters: { type: user } ``` With the following `.env` environment variables ``` ###> itk-dev/openid-connect-bundle ### # "admin" open id connect configuration variables (values provided by the OIDC IdP) ADMIN_OIDC_METADATA_URL=ADMIN_APP_METADATA_URL ADMIN_OIDC_CLIENT_ID=ADMIN_APP_CLIENT_ID ADMIN_OIDC_CLIENT_SECRET=ADMIN_APP_CLIENT_SECRET ADMIN_OIDC_REDIRECT_URI=ADMIN_APP_REDIRECT_URI ADMIN_OIDC_LEEWAY=30 ADMIN_OIDC_CACHE_DURATION=86400 ADMIN_OIDC_ALLOW_HTTP=false # "user" open id connect configuration variables USER_OIDC_METADATA_URL=USER_APP_METADATA_URL USER_OIDC_CLIENT_ID=USER_APP_CLIENT_ID USER_OIDC_CLIENT_SECRET=USER_APP_CLIENT_SECRET # cli redirect url OIDC_CLI_LOGIN_ROUTE=OIDC_CLI_LOGIN_ROUTE ###< itk-dev/openid-connect-bundle ### ``` Set the actual values your `env.local` file to ensure they are not committed to Git. #### Configuring the HTTP client [](#configuring-the-http-client) Each provider accepts an optional `http_client_options` block that is forwarded to the underlying Guzzle HTTP client used by `league/oauth2-client`. This is useful for setting a request timeout so a slow IdP cannot block worker processes indefinitely. ``` itkdev_openid_connect: openid_providers: user: options: # ... existing keys ... # @see https://docs.guzzlephp.org/en/stable/request-options.html http_client_options: # Float describing the total timeout of the request in seconds. Use 0 to wait indefinitely (the default behavior). timeout: 5.0 # Pass a string to specify an HTTP proxy, or an array to specify different proxies for different protocols. (Default: none) proxy: "%env(string:HTTP_PROXY)%" # Describes the SSL certificate verification behavior of a request. (Default: true) verify: true ``` The bundle accepts only `timeout`, `proxy`, and `verify` under `http_client_options` — these are the keys `league/oauth2-client` forwards to Guzzle (`verify` is consulted only when `proxy` is set). Any other key causes an `InvalidConfigurationException` at container compile time. > **Why Guzzle and not Symfony HttpClient?**`league/oauth2-client`, which the underlying `itk-dev/openid-connect`library extends, hard-types its HTTP client as `GuzzleHttp\ClientInterface`. Symfony HttpClient implements PSR-18 / HTTPlug, not Guzzle's interface, and no maintained adapter goes Symfony → Guzzle. Configure Guzzle via the options above; full transport replacement is not currently possible without a custom adapter we are not yet shipping. In `/config/routes/` you need a similar `itkdev_openid_connect.yaml` file for configuring the routing ``` itkdev_openid_connect: resource: "@ItkDevOpenIdConnectBundle/src/Resources/config/routes.yaml" prefix: "/openidconnect" # Prefix for bundle routes ``` It is not necessary to add a prefix to the bundle routes, but in case you want i.e. another `/login` route, it makes distinguishing between them easier. When invoking the login controller action (route `itkdev_openid_connect_login`) the key of a provider must be set in the `provider` parameter, e.g. ``` {{ 'Sign in'|trans }} ``` ``` $router->generate('itkdev_openid_connect_login', ['provider => 'user']); ``` Make sure to allow anonymous access to the login controller route, i.e. something along the lines of ``` # config/packages/security.yaml security: # … access_control: # … - { path: ^/openidconnect/login(/.+)?$, role: IS_AUTHENTICATED_ANONYMOUSLY } ``` ### CLI login [](#cli-login) In order to use the CLI login feature the following environment variable must be set in order for Symfony to be able to generate URLs in commands: ``` DEFAULT_URI= ``` See [Symfony documentation: Generating URLs in Commands](https://symfony.com/doc/current/routing.html#generating-urls-in-commands)for more information. You must also add the bundles `CliLoginTokenAuthenticator` to the `security.yaml`file: ``` security: firewalls: main: custom_authenticators: - ItkDev\OpenIdConnectBundle\Security\CliLoginTokenAuthenticator ``` Finally, configure the Symfony route to use for login links: `cli_login_options: route`. If yoy have multiple firewalls that are active for different url patterns you need to make sure you add `LoginTokenAuthenticator` to the firewall active for the route specified here. ### Creating the Authenticator [](#creating-the-authenticator) The bundle can help you get the claims received from the authorizer – the only functions that need to be implemented are `authenticate()`, `onAuthenticationSuccess()` and `start()`. ```