@@ -380,9 +380,7 @@ and retrieve the user info:
380380 main :
381381 access_token :
382382 token_handler :
383- oidc_user_info :
384- client :
385- base_uri : https://www.example.com/realms/demo/protocol/openid-connect/userinfo
383+ oidc_user_info : https://www.example.com/realms/demo/protocol/openid-connect/userinfo
386384
387385code-block :: xml
388386
@@ -399,11 +397,7 @@ and retrieve the user info:
399397 <config >
400398 <firewall name =" main"
401399 <access-token >
402- <token-handler >
403- <oidc-user-info >
404- <client base-uri =" https://www.example.com/realms/demo/protocol/openid-connect/userinfo"
405- </oidc-user-info >
406- </token-handler >
400+ <token-handler oidc-user-info =" https://www.example.com/realms/demo/protocol/openid-connect/userinfo"
407401 </access-token >
408402 </firewall >
409403 </config >
@@ -418,9 +412,7 @@ and retrieve the user info:
418412 $security->firewall('main')
419413 ->accessToken()
420414 ->tokenHandler()
421- ->oidcUserInfo()
422- ->client()
423- ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
415+ ->oidcUserInfo('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
424416 ;
425417 };
426418
@@ -439,8 +431,7 @@ identifier by default. To use another claim, specify it on the configuration:
439431 token_handler :
440432 oidc_user_info :
441433 claim : email
442- client :
443- base_uri : https://www.example.com/realms/demo/protocol/openid-connect/userinfo
434+ base_uri : https://www.example.com/realms/demo/protocol/openid-connect/userinfo
444435
445436code-block :: xml
446437
@@ -458,9 +449,7 @@ identifier by default. To use another claim, specify it on the configuration:
458449 <firewall name =" main"
459450 <access-token >
460451 <token-handler >
461- <oidc-user-info claim =" email"
462- <client base-uri =" https://www.example.com/realms/demo/protocol/openid-connect/userinfo"
463- </oidc-user-info >
452+ <oidc-user-info claim =" email" base-uri =" https://www.example.com/realms/demo/protocol/openid-connect/userinfo"
464453 </token-handler >
465454 </access-token >
466455 </firewall >
@@ -478,13 +467,12 @@ identifier by default. To use another claim, specify it on the configuration:
478467 ->tokenHandler()
479468 ->oidcUserInfo()
480469 ->claim('email')
481- ->client()
482- ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
470+ ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
483471 ;
484472 };
485473
486474oidc_user_info `` token handler automatically creates an HTTP client with
487- the specified configuration . If you prefer using your own client, you can
475+ the specified `` base_uri `` . If you prefer using your own client, you can
488476specify the service name via the ``client `` option:
489477
490478.. configuration-block ::
@@ -583,11 +571,14 @@ it and retrieve the user info from it:
583571 access_token :
584572 token_handler :
585573 oidc :
586- signature :
587- # Algorithm used to sign the JWS
588- algorithm : ' HS256'
589- # A JSON-encoded JWK
590- key : ' {"kty":"...","k":"..."}'
574+ # Algorithm used to sign the JWS
575+ algorithm : ' ES256'
576+ # A JSON-encoded JWK
577+ key : ' {"kty":"...","k":"..."}'
578+ # Audience (`aud` claim): required for validation purpose
579+ audience : ' api-example'
580+ # Issuers (`iss` claim): required for validation purpose
581+ issuers : ['https://oidc.example.com']
591582
592583code-block :: xml
593584
@@ -605,8 +596,12 @@ it and retrieve the user info from it:
605596 <firewall name =" main"
606597 <access-token >
607598 <token-handler >
608- <oidc >
609- <signature algorithm =" HS256" key =" {'kty':'...','k':'...'}"
599+ <!-- Algorithm used to sign the JWS -->
600+ <!-- A JSON-encoded JWK -->
601+ <!-- Audience (`aud` claim): required for validation purpose -->
602+ <oidc algorithm =" ES256" key =" {'kty':'...','k':'...'}" audience =" api-example"
603+ <!-- Issuers (`iss` claim): required for validation purpose -->
604+ <issuer >https://oidc.example.com</issuer >
610605 </oidc >
611606 </token-handler >
612607 </access-token >
@@ -624,9 +619,14 @@ it and retrieve the user info from it:
624619 ->accessToken()
625620 ->tokenHandler()
626621 ->oidc()
627- ->signature()
628- ->algorithm('HS256')
629- ->key('{"kty":"...","k":"..."}')
622+ // Algorithm used to sign the JWS
623+ ->algorithm('ES256')
624+ // A JSON-encoded JWK
625+ ->key('{"kty":"...","k":"..."}')
626+ // Audience (`aud` claim): required for validation purpose
627+ ->audience('api-example')
628+ // Issuers (`iss` claim): required for validation purpose
629+ ->issuers(['https://oidc.example.com'])
630630 ;
631631 };
632632
@@ -646,9 +646,10 @@ configuration:
646646 token_handler :
647647 oidc :
648648 claim : email
649- signature :
650- algorithm : ' HS256'
651- key : ' {"kty":"...","k":"..."}'
649+ algorithm : ' ES256'
650+ key : ' {"kty":"...","k":"..."}'
651+ audience : ' api-example'
652+ issuers : ['https://oidc.example.com']
652653
653654code-block :: xml
654655
@@ -666,8 +667,8 @@ configuration:
666667 <firewall name =" main"
667668 <access-token >
668669 <token-handler >
669- <oidc claim =" email"
670- <signature algorithm = " HS256 " key = " {'kty':'...','k':'...'} " / >
670+ <oidc claim =" email" algorithm = " ES256 " key = " {'kty':'...','k':'...'} " audience = " api-example "
671+ <issuer >https://oidc.example.com</ issuer >
671672 </oidc >
672673 </token-handler >
673674 </access-token >
@@ -686,70 +687,10 @@ configuration:
686687 ->tokenHandler()
687688 ->oidc()
688689 ->claim('email')
689- ->signature()
690- ->algorithm('HS256')
691- ->key('{"kty":"...","k":"..."}')
692- ;
693- };
694-
695- oidc `` token handler also checks for the token audience. By default, this
696- audience is optional. To enable this check, add the ``audience `` option:
697-
698- .. configuration-block ::
699-
700- .. code-block :: yaml
701-
702- # config/packages/security.yaml
703- security :
704- firewalls :
705- main :
706- access_token :
707- token_handler :
708- oidc :
709- audience : ' My audience'
710- signature :
711- algorithm : ' HS256'
712- key : ' {"kty":"...","k":"..."}'
713-
714- code-block :: xml
715-
716- <!-- config/packages/security.xml -->
717- <?xml version =" 1.0" encoding =" UTF-8"
718- <srv : container xmlns =" http://symfony.com/schema/dic/security"
719- xmlns : srv =" http://symfony.com/schema/dic/services"
720- xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
721- xsi : schemaLocation =" http://symfony.com/schema/dic/services
722- https://symfony.com/schema/dic/services/services-1.0.xsd
723- http://symfony.com/schema/dic/security
724- https://symfony.com/schema/dic/security/security-1.0.xsd" >
725-
726- <config >
727- <firewall name =" main"
728- <access-token >
729- <token-handler >
730- <oidc audience =" My audience"
731- <signature algorithm =" HS256" key =" {'kty':'...','k':'...'}"
732- </oidc >
733- </token-handler >
734- </access-token >
735- </firewall >
736- </config >
737- </srv : container >
738-
739- code-block :: php
740-
741- // config/packages/security.php
742- use Symfony\Config\SecurityConfig;
743-
744- return static function (SecurityConfig $security) {
745- $security->firewall('main')
746- ->accessToken()
747- ->tokenHandler()
748- ->oidc()
749- ->audience('My audience')
750- ->signature()
751- ->algorithm('HS256')
752- ->key('{"kty":"...","k":"..."}')
690+ ->algorithm('ES256')
691+ ->key('{"kty":"...","k":"..."}')
692+ ->audience('api-example')
693+ ->issuers(['https://oidc.example.com'])
753694 ;
754695 };
755696
0 commit comments