This file describes the steps you will need to make when upgrading this bundle.
The following has changed:
- Constructor parameters of a couple of classes (should all be managed by the bundle dependency injection)
- Drenso\OidcBundle\OidcClient
- Drenso\OidcBundle\OidcJwtHelper
- Drenso\OidcBundle\Security\OidcAuthenticator
- Session information is now stored per configured client, using a dedicated class
- Remember me support has been added (disabled by default)
As 2.x is a major rewrite which actually leverages the Symfony configuration component, you will need to remove most of your previous configuration.
The oidc key and its options remain the same in your firewall configuration 🎉
Remove the OidcClient registration from your services.yaml which passed the configuration values:
parameters:
oidc.well_known_url: '%env(OIDC_WELL_KNOWN)%'
oidc.client_id: '%env(OIDC_CLIENT_ID)%'
oidc.client_secret: "%env(string:key:oidc:json:file:resolve:SECRETS_FILE)%"
services:
Drenso\OidcBundle\OidcClient:
arguments:
$wellKnownUrl: '%oidc.well_known_url%'
$clientId: '%oidc.client_id%'
$clientSecret: '%oidc.client_secret%'Also, remove the security listeners:
services:
security.authentication.provider.oidc:
class: Drenso\OidcBundle\Security\Authentication\Provider\OidcProvider
arguments:
- ''
- '@security.user_checker'
- '@security.token_storage'
- '@logger'
security.authentication.listener.oidc:
class: Drenso\OidcBundle\Security\Firewall\OidcListener
arguments:
- '@security.token_storage'
- '@security.authentication.manager'
- '@security.authentication.session_strategy'
- '@security.http_utils'
- ''
- ''
- ''
- { }
- '@logger'
- '@Drenso\OidcBundle\OidcClient'Remove the OidcFactory from the Kernel.php build method:
/**
* @param ContainerBuilder $container
*/
protected function build(ContainerBuilder $container)
{
// Register the OIDC factory
$extension = $container->getExtension('security');
assert($extension instanceof SecurityExtension);
$extension->addSecurityListenerFactory(new OidcFactory());
}First, make sure to let Flex install/update the recipe:
composer sync-recipes drenso/symfony-oidc-bundle --force
This will add the required configuration. Now, simply set a value for the newly added environment variables, or update the configuration file with your variables/parameters.
First, you will need to update your User Provider to implement the new methods from the OidcUserProviderInterface, as
the loadUserByToken is no longer used. Instead, now two methods need to be implemented:
ensureUserExists(string $userIdentifier, OidcUserData $userData): Implement this method to bootstrap a new account using the data available from the passedOidcUserDataobject. The identifier is a configurable property from the user data, which defaults tosub. If the account cannot be bootstrapped, authentication will be impossible as the User Provider will not be capable of retrieving the user.loadOidcUser(string $userIdentifier): UserInterface: Implement this method to retrieve the user based on the identifier. We use a dedicated method instead of Symfony's defaultloadUserByIdentifierto allow you to detect where the login is coming from, without the need of creating a dedicated user provider. If the OIDC user identifiers are unique, a forward to theloadUserByIdentifiershould be sufficient.
Secondly, it is no longer required to manually clear the security session when starting the OIDC authorization. You can remove the following lines from you redirect controller (if you had them):
// Remove errors from state
$session->remove(Security::AUTHENTICATION_ERROR);
$session->remove(Security::LAST_USERNAME);The login_check route (see Drenso#5) is no longer needed, we now default to the /#_check path as is normally used by the Symfony form login method as well.
By default, this bundle now caches the well known response for an hour. The cache time is configurable, but note that caching will only work when symfony/cache is available in your container.
Most breaking changes are related to classes having been renamed or removed. If you did not rely on any of the internals, these changes should not be problematic for you.
Drenso\OidcBundle\OidcTokenshas moved toDrenso\OidcBundle\Model\OidcTokens. The functionality has not changed.Drenso\OidcBundle\Security\Authentication\Token\OidcTokenhas been replaced with two classes:Drenso\OidcBundle\Model\OidcUserData: Contains the user data as retrieved from the OIDC providerDrenso\OidcBundle\Security\Token\OidcToken: Contains the same data as the oldOidcToken, but it is required to first retrieve the newOidcUserDatavalue before being able to access the user data. UsegetAuthDataandgetUserDataon the token when you require them.- The
getUsernamemethod is removed. - It is no longer possible to override the retrieved OIDC data with the
setAuthDataandsetUserDatamethods, but you can still do it using the token attributes (not recommended).
Drenso\OidcBundle\OidcClient: No longer returnsNULLin case of missing query parameters of invalid state, instead it throws anOidcException.- The
retrieveUserInfomethod now return the user data wrapped in aDrenso\OidcBundle\Model\OidcUserDatafor easy access. - It is no longer possible to autowire the client with the
OidcClientclass, you will need to use theOidcClientInterface
- The
Drenso\OidcBundle\Security\Authentication\Provider\OidcProvideris no longer availableDrenso\OidcBundle\Security\EntryPoint\OidcEntryPointis no longer availableDrenso\OidcBundle\Security\Firewall\OidcListeneris no longer availableDrenso\OidcBundle\Security\Exception\OidcUsernameNotFoundExceptionhas been renamed toDrenso\OidcBundle\Security\Exception\OidcUserNotFoundExceptionDrenso\OidcBundle\Security\UserProvider\OidcUserProviderInterfacehas been changed, see above.
We've also annotated all methods using their actual return types, and removed doc block definitions where possible.
Feel free to open an issue!