Download the PHP package drenso/symfony-oidc-bundle without Composer

On this page you can find all versions of the php package drenso/symfony-oidc-bundle. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package symfony-oidc-bundle

Symfony OIDC bundle

This bundle can be used to add OIDC support to any Symfony application. We have only tested it with SURFconext OIDC, but it should work with any OIDC provider!

Many thanks to https://github.com/jumbojett/OpenID-Connect-PHP for the implementation which this bundle uses although it has been modified to fix within an object oriented approach.

Note that this repository is automatically mirrored from our own Gitlab instance. We will accept issues and merge requests here though!

Version notes

Since version 2 this bundle only supports Symfony's new authentication manager, introduced in Symfony 5.3. As the security manager matured in Symfony 5.4, that is the first version this bundle supports. Using the new authentication manager is required for Symfony 6!

We also require the use of PHP8, as that significantly reduces the maintenance complexity.

Do you need this bundle, but you cannot enable the new authentication manager or use PHP8? Check out the v1.x branch and its documentation!

Works with the following IdPs

The following IdPs are known to work with this bundle:

IdP Status Remarks
OpenConext Used by SURFconext in the Netherlands
Keycloak
Microsoft Entra ID Will not work with default configuration, make sure to follow these steps.

If you are using this bundle with any other IdP, please submit a PR to add it!

Migrate from older versions

Take a look at UPGRADE.md!

Installation

You can add this bundle by simply requiring it with composer:

If you're using Symfony Flex, your .env file should have been appended with some environment variables and a drenso_oidc.yaml file should have been created in your configuration directory!

Setup

OIDC Clients

Make sure to configure at least the default OIDC client in the drenso_oidc.yaml in your config/packages directory. This can be done using the environment variables already added to your application by Symfony flex, or by updating the configuration file. You can configure more clients, they will be available under the drenso.oidc.client.{name}, and are autowirable by using OidcClientInterface ${name}OidcClient, for example OidcClientInterface $defaultOidcClient. If the name does not match with one of the configured clients, the default client will be autowired.

Configuration example:

User provider

You will need to update your User Provider to implement the methods from the OidcUserProviderInterface. Two methods need to be implemented:

Firewall configuration

If you are using Symfony <6, make sure to enable the new authentication manager in the security.yaml:

Enable the oidc listener in the security.yml for your firewall:

There are a couple of options available for the oidc listener.

Option Default Description
check_path /login_check Only on this path the authenticator will accept authentication. Note that this should match with the redirect configured for the OIDC client.
login_path /login The path to forward to when authentication is required
client default The configured OIDC client to use
user_identifier_property sub The OidcUserData property to use as unique user identifier
user_identifier_from_idtoken false The identifier is fetched from the id_token instead of userinfo endpoint
enable_remember_me false Enable "remember me" functionality for authenticator
enable_end_session_listener false Enable "logout" functionality for authenticator through the "LogoutEvent"
use_logout_target_path true Used for the end session event subscriber
always_use_default_target_path false Used for the success handler
default_target_path / Used for the success handler
target_path_parameter _target_path Used for the success handler
use_referer false Used for the success handler
failure_path null Used for the failure handler
failure_forward false Used for the failure handler
failure_path_parameter _failure_path Used for the failure handler

You can configure them directly under the oidc listener in your firewall, for example the user_identifier_property:

Start the authentication

Use the controller example below to forward a user to the OIDC service:

It is possible to supply prompt, scopes and additional query parameters to the generateAuthorizationRedirect method.

It is also possible to force remember me mode for the redirect.

That should be all!

User identifier

By default, this bundle uses the sub property as user identifier, but any property from the retrieved user data can be used. Just configure the user_identifier_property with an property path string compatible with the Symfony Property Accessor to retrieve the value you need.

Note that the object based access method is used to retrieve the properties from the user data.

Remember me

If you want to enable remember me functionality make sure that you add the _remember_me=1 query parameter to the route being used to generate the redirect forward (the one that calls generateAuthorizationRedirect).

You can override the _remember_me parameter per OIDC client. Just update the remember_me_parameter value in the client configuration.

Lastly, make sure the Symfony remember me authenticator is enabled, and that you set the enable_remember_me option to true for the oidc authenticator in security.yaml.

When a user is authenticated, you will see the REMEMBERME cookie. You can remove the PHPSESSID cookie to check whether remember me is working.

Logout

It is possible to enable "logout" through the end_session_support functionality of the Identity Provider, if the end_session_endpoint parameter is present in the .well-known endpoint it can be used.

As logging out is fundamentally broken when using single sign-on, this option is disabled by default. This is due to the fact that logging out at the identity provider (for example: Azure, Facebook, etc) cannot guarantee the user is logged out of any other service that the user has authenticated with using the same identity provider.

If you want to enable the "logout" support, simply add enable_end_session_listener: true to your oidc listener in the firewall config. It will only work of you enabled the default Symfony logout: true setting in your firewall.

By default, the listener will pass the logout target_path to the OpenID Provider, so the user gets redirected back to your application after logging out. If you don't want this and want the user to remain at the logout confirmation page of your OpenID Provider, enable the use_logout_target_path: false setting.

Example: default logout path

Example: custom logout target path

_Example: disable redirect to logout target_path_

This will keep the user at the OpenID provider after login out.

Client locator

If for some reason you have several OIDC clients configured and need to retrieve them dynamically, you can use the OidcClientLocator.

The locator will throw an OidcClientNotFoundException when the requested client is not found. When called without an argument, it will return the configured default client.

Leeway

This bundle uses a 300 seconds leeway when validating the access tokens. This value can be configured with the token_leeway_seconds client option.

Cache

When you have symfony/cache available in your project, this library will automatically cache the well known and jwks results. By default, it will be cached for 3600 seconds.

You can disable the caches separately by passing null to the well_known_cache_time or jwks_cache_time client options.

Refreshing tokens

Currently, the firewall implementation provided by this bundle does not offer refresh tokens (as it should not be necessary). However, if you need to refresh the tokens yourself for your implementation, you can use the refreshTokens method on the OidcClientInterface!

Additional token claim validation

If you need to validate additional token claims, you can create a service which implements OidcTokenConstraintProviderInterface and add its service id to the OIDC client of your choice.

Sample configuration:

Sample constraint provider:

Parsing well-known information

Some providers return incorrect or incomplete well known information. You can configure a custom well-known parser for the OidcClient by setting the well_known_parser to a service id which implements the OidcWellKnownParserInterface.

OAuth 2.0 Token Exchange RFC 8693

This bundle support Token Exchange: you can use the exchangeTokens on the OidcClient to do so. This was added with https://github.com/Drenso/symfony-oidc/pull/66, which contains some more background information regarding the procedure as well.

Known usages

A list of open source projects that use this bundle:


All versions of symfony-oidc-bundle with dependencies

PHP Build Version
Package Version
Requires php Version ^7.3 || ^8.0
ext-curl Version *
ext-hash Version *
ext-json Version *
ext-mbstring Version *
ext-openssl Version *
symfony/http-foundation Version ^3.4.35 || ^4.2.12 || ^5.0.7
symfony/routing Version ^3.4 || ^4.0 || ^5.0
psr/log Version ^1.1 || ^2.0 || ^3.0
phpseclib/phpseclib Version ^2.0.31 || ^3.0.7
symfony/dependency-injection Version ^3.4.26 || ^4.1.12 || ^5.0
symfony/security-bundle Version ^3.4 || ^4.0 || ^5.0
symfony/security-core Version ^3.4 || ^4.0 || ^5.0
symfony/security-http Version ^3.4.26 || ^4.1.12 || ^5.0.7
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package drenso/symfony-oidc-bundle contains the following files

Loading the files please wait ....