coddin-web / idp-openid-connect-bundle
A Symfony bundle to set up an IdentityProvider with OpenID Connect implemented
Requires
- php: >=8.1
- beberlei/assert: ^3.3
- doctrine/doctrine-bundle: ^2.7
- doctrine/orm: ^2.12
- guzzlehttp/guzzle: ^7.4
- league/flysystem: ^3.0
- league/oauth2-server: ^8.3
- nyholm/psr7: ^1.5
- ramsey/uuid: ^4.3
- steverhoades/oauth2-openid-connect-server: ^2.4
- symfony/framework-bundle: ^6.1
- symfony/mailer: ^6.1
- symfony/messenger: ^6.1
- symfony/psr-http-message-bridge: ^2.1
- symfony/security-bundle: ^6.1
- symfony/security-csrf: ^6.1
- symfony/serializer-pack: ^1.1
- symfony/translation: ^6.1
- symfony/twig-bundle: ^6.1
- symfony/ux-twig-component: ^2.3
- symfony/validator: ^6.1
- thecodingmachine/safe: ^2.2
Requires (Dev)
- dama/doctrine-test-bundle: ^7.0
- dg/bypass-finals: ^1.3
- doctrine/doctrine-fixtures-bundle: ^3.4
- phpstan/phpstan: ^1.2
- phpstan/phpstan-phpunit: ^1.0
- phpstan/phpstan-strict-rules: ^1.1
- phpstan/phpstan-symfony: ^1.2
- phpunit/phpunit: ^9.5
- rregeer/phpunit-coverage-check: ^0.3.1
- slevomat/coding-standard: ^7.0
- squizlabs/php_codesniffer: ^3.6
- symfony/console: ^6.1
- symfony/doctrine-messenger: ^6.1
- symfony/dotenv: ^6.1
- symfony/expression-language: ^6.1
- symfony/runtime: ^6.1
- symfony/stopwatch: 6.0.*
- symfony/webpack-encore-bundle: ^1.15
- symfony/yaml: ^6.1
README
A Symfony bundle to set up an IdentityProvider with OpenID Connect implemented
Installation
Make sure Composer is installed globally, as explained in the installation chapter of the Composer documentation.
Applications that use Symfony Flex
Open a command console, enter your project directory and execute:
$ composer require coddin-web/idp-openid-connect-bundle
Applications that don't use Symfony Flex
Step 1: Download the Bundle
Open a command console, enter your project directory and execute the following command to download the latest stable version of this bundle:
$ composer require coddin-web/idp-openid-connect-bundle
Step 2: Enable the Bundle
Then, enable the bundle by adding it to the list of registered bundles
in the config/bundles.php
file of your project:
// config/bundles.php
return [
// ...
Coddin\IdentityProvider\CoddinIdentityProviderBundle::class => ['all' => true],
// ...
];
Please note that this bundle can provide default configuration for other bundles (like doctrine and messenger). To make this work this bundle should be registered before other bundles.
This bundle also comes with a fully configured security config. Please make sure this does not conflict with your own security configuration or skip using the provided config and manually import what you need.
Configuring this bundle
Step 1: Include routes
This bundle provides routes needed for the OpenIDConnect flow to work, you can import them like so:
# config/routes.yaml
idp:
resource: "@CoddinIdentityProviderBundle/config/routes.yaml"
prefix: /
Step 2: Include default configs:
Note: this step can be skipped if you decide to configure certain bundles (like DoctrineBundle and SecurityBundle, etc) yourself.
# config/packages/coddin_identity_provider.yaml
imports:
- { resource: "@CoddinIdentityProviderBundle/config/config.yaml" }
Please note that when including this configuration you need to remove your application security.yaml file.
Or you could import the individual configuration files like so:
# config/packages/coddin_identity_provider.yaml
imports:
# ...
- { resource: "@CoddinIdentityProviderBundle/config/packages/messenger.yaml" }
Step 3: Templates
The templates need the assets provided by the bundle, they can be installed via:
bin/console assets:install --symlink
Step 4: Database
This bundle needs specific tables to exist for the OAuth flow to work. They can either be "brute forced" in your application by running bin/console doctrine:schema:update --force
(which I do not recommend) or within your application you can run bin/console doctrine:migrations:diff
to create the needed migrations to update your application with the needed tables.
Step 5: Cache
The Symfony cache needs to be cleared before this module will be fully operational. This can be done with bin/console cache:clear
If errors keep popping up try removing the cache by hand rm -rf var/cache/*
Please be careful when doing this in a production environment
Step 6: Environment variables
This bundle uses environment variables to configure certain aspects:
Variable | Description |
---|---|
IDP_ENCRYPTION_KEY | This variable is used as the encryption key for signing the requests <br/><br/>this key should be generated with ./vendor/bin/generate-defuse-key |
IDP_PUBLIC_KEY_PATH | A public and private key are needed for the OAuth2 Server |
IDP_PRIVATE_KEY_PATH | A public and private key are needed for the OAuth2 Server |
IDP_JWKS_PATH | This variable should point to a file (e.g.) jwks.json that contains the public key information for the .well-known endpoint <br/><br/>The contents of this file can be generated with the command bin/console coddin:jwk:generate |
IDP_HOST_URL | This variable is used by the router to determine the default host (e.g. for e-mail templates) |
IDP_SCHEME | This variable is used by the router to determine the default scheme (which should be https , which is also the default) |
TRUSTED_HOSTS | This variable is used to protect the introspect endpoint |
COMPANY_NAME | This variable is used to customize the default templates |
IDP_MAIL_FROM | This variable is used as the global "from" header for emails |
MAILER_DSN | This is needed for the password reset and general mailing within the application |
MESSENGER_TRANSPORT_DSN | This is needed for the asynchronous processes this bundle uses |
NB: The public / private and jwk paths are relative to the project directory
OAuth2 keys
This bundle comes with keys (which are needed by OAuth2 to sign the requests) located in the config/openidconnect/keys
directory of the bundle.
DO NOT use these keys on a production environment but replace them during your build.
For a new (production) server these keys can be generated by running two openssl
commands.
openssl genrsa -out private.key 2048
openssl rsa -pubout -in private.key -out public.key
!! Setting up these files in the ENV is important (see Environment variables)
Message Queue / Supervisor
This bundle uses asynchronous events to not block the end-user with possible hiccups of certain processes. Therefor it is needed to run a message queue.
It is recommended to use e.g. supervisor to run Symfony's Messenger queue like so: bin/console messenger:consume async
By importing this bundle's configuration (see Step 2) the Messages will be configured for you.
Debugging / unexpected errors
On a Macbook unexpected errors could occur when using LibreSSL insteadof OpenSSL.
MacOS comes with LibreSSL pre-installed, but it can be replaced by installing openssl with Homebrew.
Supported languages
Out of the box this module supports detection of the locale via the browser.
Two languages are supported: Dutch and English
Feel free to contribute other languages by submitting a Pull Request!
Testing
This bundle uses PHPUnit for unit and integration tests.
It can be run standalone by composer phpunit
or within the complete checkup by composer checkup
NB The integration tests need a database to be run against. See the .env.test (which can be overruled by .env.test.local) for the needed configuration.
Checkup
The above-mentioned checkup runs multiple analyses of the bundle's code. This includes Squizlab's Codesniffer, PHPStan and a coverage check.
Continuous Integration
GitHub actions are used for continuous integration. Check out the configuration file if you'd like to know more.
Changelog
See the project changelog
Contributing
Contributions are always welcome. Please see CONTRIBUTING.md and CODE_OF_CONDUCT.md for details.
License
The MIT License (MIT). Please see License File for more information.
Credits
This code is principally developed and maintained by Marius Posthumus for usage by several clients of Coddin
Additional Resources
https://github.com/steverhoades/oauth2-openid-connect-server - The core of this bundle
https://github.com/thephpleague/oauth2-server - The base of the OpenIDConnect server library
https://tailwindcss.com/ - Used as base for of the default templates