Description
I'm implementing an OIDC architecture in an API-first project, and wanted to secure my API with an authenticator. I first took a look at bundles like hwi/oauth-bundle or knpuniversity/oauth2-client-bundle, but they're not adapted to an API as they provide a bunch of features not needed in an API, and provide their own JWT generation and storage (e.g. cookie).
I talked about it with @dunglas, who shares the idea to implement a Bearer authenticator directly in the Symfony Security bundle. The idea behind this authenticator would be to retrieve the token from the `Authorization` header (prefixed with `Bearer`), and validate and decode it in a BearerToken using lcobucci/jwt.
Example

```yaml
# config/packages/security.yaml
security:
    firewalls:
        main:
            bearer:
                signature: '/path/to/signature/key' # Could be a file path, plaintext, or even a URL
                algorithm: 'hmac.sha256'
                key: 'customUserId' # Which claim from the JWT should be sent to the UserProvider (default: 'sub')
```
Note: I'm not happy about the `signature` and `key` configuration keys, they should be renamed.