Replace Criipto OIDC integration with VerifyID REST API

Criipto used OpenID Connect (JWT decoding, JWKS keys, token exchange).
VerifyID uses a simpler REST API with two endpoints: URL generation and
age checking. Device ID is generated server-side (UUID v4) and stored
in the session.

Breaking changes:
- Config: `criipto.*` replaced with `verify_id.plugin_key`
- Env vars: CRIIPTO_* replaced with VERIFYID_PLUGIN_KEY
- MinimumAge enum: removed cases 15 and 21 (VerifyID supports 16/18 only)
- Removed firebase/php-jwt and cuyz/valinor dependencies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: loevgaard

composer.json

@@ -9,10 +9,8 @@
     ],
     "require": {
         "php": ">=8.1",
-        "cuyz/valinor": "^1.13",
         "doctrine/orm": "^2.0 || ^3.0",
         "doctrine/persistence": "^3.4",
-        "firebase/php-jwt": "^6.10",
         "setono/doctrine-orm-trait": "^1.1",
         "sylius/admin-bundle": "^1.0",
         "sylius/core": "^1.0",
@@ -23,10 +21,11 @@
         "symfony/dependency-injection": "^6.4 || ^7.0",
         "symfony/event-dispatcher": "^6.4 || ^7.0",
         "symfony/form": "^6.4 || ^7.0",
-        "symfony/http-client": "^6.4 || ^7.0",
+        "symfony/http-client-contracts": "^3.4",
         "symfony/http-foundation": "^6.4 || ^7.0",
         "symfony/http-kernel": "^6.4 || ^7.0",
         "symfony/routing": "^6.4 || ^7.0",
+        "symfony/uid": "^6.4 || ^7.0",
         "twig/twig": "^2.0 || ^3.0",
         "webmozart/assert": "^1.11"
     },

openspec/changes/archive/2026-03-06-replace-criipto-with-verifyid/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-03-06

openspec/changes/archive/2026-03-06-replace-criipto-with-verifyid/design.md

@@ -0,0 +1,94 @@
+## Context
+
+The plugin currently uses Criipto as an OpenID Connect provider for age verification. The OIDC flow involves discovering endpoints via `.well-known/openid-configuration`, building authorization URLs with scopes like `is_over_18`, exchanging authorization codes for JWT id_tokens, and decoding those tokens with JWKS keys.
+
+VerifyID offers a simpler REST API: generate a verification URL, redirect the user, receive a token back, and check the token against an endpoint. No OIDC, no JWTs, no key management.
+
+The current codebase has these Criipto-specific components:
+- `OpenIdConfiguration` / `OpenIdConfigurationFactory` — fetches OIDC discovery document and JWKS keys
+- `TokenDecoder` / `DecodedToken` — decodes JWT id_tokens using firebase/php-jwt
+- `AuthorizationUrlGenerator` — builds OIDC authorization URLs with scopes
+- `CriiptoCallbackAction` — exchanges auth code for token, decodes it, stores result
+- `Configuration` — defines `criipto` config block with `client_id`, `client_secret`, `verify_domain`
+
+## Goals / Non-Goals
+
+**Goals:**
+- Replace Criipto with VerifyID as the age verification provider
+- Keep the entire flow server-side (no client-side JavaScript required)
+- Simplify the integration — fewer moving parts, fewer dependencies
+- Maintain the existing checkout UX pattern (button on checkout complete page)
+
+**Non-Goals:**
+- Supporting multiple providers simultaneously
+- Supporting provider abstraction/interface for swapping providers
+- Backward compatibility with Criipto configuration
+- Supporting ages 15 or 21 (not supported by VerifyID)
+
+## Decisions
+
+### 1. Server-side device_id generation
+
+**Decision**: Generate UUID v4 server-side and store in the Symfony session.
+
+**Alternatives considered**:
+- Client-side JS via VerifyID's `device_id.js` script — would require AJAX or form submission to pass the device_id to the server, complicating the template
+- Passing device_id through URL parameters — exposes it unnecessarily
+
+**Rationale**: The `device_id.js` script just generates a UUID v4 and stores it in localStorage. We can generate the same UUID server-side with `Uuid::v4()`. Storing it in the session keeps it available across the redirect flow (initiate → VerifyID → callback) without any client-side dependencies.
+
+### 2. Two-phase redirect flow
+
+**Decision**: The "Verify Age" button links to a new `InitiateVerificationAction` controller that generates the device_id, calls VerifyID's URL generator API, and redirects the user to the returned URL.
+
+**Alternatives considered**:
+- Pre-generating the verification URL when the checkout page renders (in the Twig runtime) — this would require an HTTP call on every page load, even if the user never clicks verify
+- AJAX-based URL generation — adds client-side complexity
+
+**Rationale**: Lazy URL generation (only when the user clicks) avoids unnecessary API calls. The Twig runtime now generates a URL to our own controller rather than directly to the provider, keeping the template simple.
+
+```
+Current:  Template → renders direct Criipto URL → user clicks → Criipto → callback
+New:      Template → renders internal route → user clicks → InitiateAction
+          → calls VerifyID API → redirects to verification URL → VerifyID → callback
+```
+
+### 3. Callback reads token_age_verified parameter
+
+**Decision**: The callback controller reads `token_age_verified` from the query string, retrieves the `device_id` from the session, and calls VerifyID's `/auth_check/{token}/{device_id}` endpoint.
+
+**Rationale**: This matches VerifyID's documented flow. The response `{ "age": int|null }` maps directly to the existing `Customer::setOlderThan()` method.
+
+### 4. Rename controller and route
+
+**Decision**: Rename `CriiptoCallbackAction` to `VerifyIdCallbackAction`. Add `InitiateVerificationAction`. Rename routes to `setono_sylius_age_verification_shop_initiate` and `setono_sylius_age_verification_shop_callback`.
+
+**Rationale**: Provider-specific naming in routes and controllers. The route names drop the `criipto` prefix to avoid coupling to any specific provider name, since the plugin is already age-verification-specific.
+
+### 5. Configuration simplification
+
+**Decision**: Replace the `criipto` config node (3 values) with `verify_id` node containing only `plugin_key`. Default to `%env(VERIFYID_PLUGIN_KEY)%`.
+
+**Rationale**: VerifyID only requires a plugin key. No client secret, no domain discovery.
+
+### 6. Remove MinimumAge cases 15 and 21
+
+**Decision**: Reduce `MinimumAge` enum to `MINIMUM_16 = 16` and `MINIMUM_18 = 18`. Remove `asScope()` method (was Criipto-specific).
+
+**Rationale**: VerifyID's `/url_generator_s/` endpoint only accepts ages 16 and 18. The `asScope()` method was for building OIDC scope strings, which no longer applies.
+
+### 7. Dependency cleanup
+
+**Decision**: Remove `firebase/php-jwt` and `cuyz/valinor` from composer.json. Add `symfony/uid` if not already available (for `Uuid::v4()`).
+
+**Rationale**: JWT decoding and Valinor mapping were only used for Criipto token handling. `symfony/uid` provides UUID generation and is likely already available through Sylius dependencies.
+
+## Risks / Trade-offs
+
+- **[VerifyID API availability]** The plugin now depends on VerifyID's API being available for both URL generation and age checking. Criipto used a client-side redirect flow that only needed the server for token exchange. → Mitigation: Both calls are short-lived HTTP GETs. The initiate call only happens when the user clicks verify. Error handling should show a clear message if the API is unreachable.
+
+- **[Session dependency]** The device_id is stored in session, which means the flow breaks if the session is lost between initiation and callback (e.g., session cookie expires, load balancer issues). → Mitigation: Standard Symfony session handling; same risk as any CSRF-token-based flow.
+
+- **[Age 16/18 only]** Removing ages 15 and 21 is a breaking change for host apps that configured products with those minimum ages. → Mitigation: This is a major version bump (2.x branch). Document the migration clearly.
+
+- **[No test mode toggle]** VerifyID has a test key (`verifyid_test`) and test endpoint (`/auth_check_test/`). We're not building an explicit test mode toggle. → Mitigation: Users can set `VERIFYID_PLUGIN_KEY=verifyid_test` for testing. The `/auth_check_test/` endpoint can be addressed later if needed.

openspec/changes/archive/2026-03-06-replace-criipto-with-verifyid/proposal.md

@@ -0,0 +1,31 @@
+## Why
+
+Replace Criipto (OpenID Connect-based) age verification provider with VerifyID (REST API-based). VerifyID provides a simpler integration model — no OIDC discovery, no JWT decoding, no client secrets — just a plugin key and two REST endpoints. This also aligns the plugin with MitID-based verification via VerifyID's platform.
+
+## What Changes
+
+- **BREAKING**: Remove all Criipto/OIDC integration (OpenID configuration discovery, JWT token decoding, JWKS key fetching)
+- **BREAKING**: Replace `criipto` configuration block (`client_id`, `client_secret`, `verify_domain`) with `verify_id` configuration (`plugin_key`)
+- **BREAKING**: Remove `MinimumAge` cases for ages 15 and 21 — VerifyID only supports 16 and 18
+- Replace direct-link-to-provider flow with two-phase server-side flow: user clicks link to own controller, controller calls VerifyID API to get verification URL, redirects user there
+- New callback controller reads `token_age_verified` query parameter (instead of OIDC authorization code) and calls VerifyID `/auth_check/` endpoint to get verified age
+- Generate `device_id` (UUID v4) server-side and store in session — no client-side JavaScript required
+- Rename route from `criipto_callback` to provider-agnostic name
+
+## Capabilities
+
+### New Capabilities
+- `verifyid-integration`: Server-side integration with VerifyID REST API for age verification (URL generation, callback handling, age checking)
+
+### Modified Capabilities
+- None
+
+## Impact
+
+- **Deleted files**: `OpenIdConfiguration`, `OpenIdConfigurationFactory`, `OpenIdConfigurationFactoryInterface`, `TokenDecoder`, `TokenDecoderInterface`, `DecodedToken`
+- **Rewritten files**: `CriiptoCallbackAction` (renamed), `AuthorizationUrlGenerator`, `Configuration`, `SetonoSyliusAgeVerificationExtension`, `services.xml`, routes, shop template
+- **Modified files**: `MinimumAge` enum (remove 15/21 cases, remove `asScope()`)
+- **Dependencies**: Can remove `firebase/php-jwt` and potentially `cuyz/valinor` (used only for JWT token mapping). May need `symfony/uid` for UUID v4 generation.
+- **Environment variables**: Remove `CRIIPTO_CLIENT_ID`, `CRIIPTO_CLIENT_SECRET`, `CRIIPTO_VERIFY_DOMAIN`. Add `VERIFYID_PLUGIN_KEY`.
+- **Session**: New dependency on session storage for `device_id` persistence across the redirect flow
+- **Breaking for host apps**: Config key changes, env var changes, `MinimumAge` enum cases removed

openspec/changes/archive/2026-03-06-replace-criipto-with-verifyid/specs/verifyid-integration/spec.md

@@ -0,0 +1,71 @@
+## ADDED Requirements
+
+### Requirement: Initiate age verification via VerifyID
+The system SHALL provide a controller action that initiates the VerifyID age verification flow. It SHALL generate a UUID v4 device_id, store it in the Symfony session, call the VerifyID `/url_generator_s/{pluginKey}/{device_id}/{age}?domain={callbackUrl}` endpoint, and redirect the user to the returned verification URL.
+
+#### Scenario: Successful verification initiation
+- **WHEN** a user clicks the "Verify Age" button on the checkout page with a minimum age of 18
+- **THEN** the system generates a UUID v4 device_id, stores it in the session, calls `GET https://api.verifyid.dk/api/url_generator_s/{pluginKey}/{device_id}/18?domain={callbackUrl}`, and redirects the user to the URL returned in the response
+
+#### Scenario: Successful verification initiation for age 16
+- **WHEN** a user clicks the "Verify Age" button on the checkout page with a minimum age of 16
+- **THEN** the system calls the VerifyID endpoint with age parameter `16` and redirects to the returned URL
+
+#### Scenario: VerifyID API returns error
+- **WHEN** the VerifyID URL generator endpoint returns a non-200 response or returns `url: null`
+- **THEN** the system redirects the user back to the checkout complete page (does not crash)
+
+### Requirement: Handle VerifyID callback
+The system SHALL provide a callback controller action at a public route. When VerifyID redirects the user back after verification, the callback SHALL read the `token_age_verified` query parameter, retrieve the `device_id` from the session, call the VerifyID `/auth_check/{token}/{device_id}` endpoint, and store the verified age on the customer.
+
+#### Scenario: Successful age verification callback
+- **WHEN** the user is redirected back with a valid `token_age_verified` query parameter
+- **THEN** the system calls `GET https://api.verifyid.dk/api/auth_check/{token}/{device_id}`, receives `{ "age": 18 }`, sets `olderThan = 18` and `ageCheckedAt = now` on the customer, and redirects to the checkout complete page
+
+#### Scenario: Callback with null age (verification failed)
+- **WHEN** the VerifyID `/auth_check/` endpoint returns `{ "age": null }`
+- **THEN** the system does NOT update the customer's age verification fields, and redirects to the checkout complete page (the age check on the checkout page will still show the verification prompt)
+
+#### Scenario: Callback without token parameter
+- **WHEN** the callback URL is accessed without a `token_age_verified` query parameter
+- **THEN** the system redirects to the checkout complete page without updating any customer data
+
+#### Scenario: Callback without device_id in session
+- **WHEN** the callback is accessed but no `device_id` exists in the session
+- **THEN** the system redirects to the checkout complete page without updating any customer data
+
+### Requirement: Plugin configuration with VerifyID credentials
+The system SHALL accept a `verify_id` configuration block with a `plugin_key` setting. The `plugin_key` SHALL default to the `VERIFYID_PLUGIN_KEY` environment variable.
+
+#### Scenario: Configuration with environment variable
+- **WHEN** the plugin is configured without explicitly setting `plugin_key`
+- **THEN** the system uses the value of `%env(VERIFYID_PLUGIN_KEY)%`
+
+#### Scenario: Configuration with explicit value
+- **WHEN** the plugin configuration sets `verify_id.plugin_key: "my_key"`
+- **THEN** the system uses `"my_key"` as the VerifyID plugin key
+
+### Requirement: Only ages 16 and 18 are supported
+The `MinimumAge` enum SHALL only contain cases for ages 16 and 18.
+
+#### Scenario: Product with minimum age 16
+- **WHEN** a product has minimum age set to 16
+- **THEN** the system initiates verification with age parameter 16
+
+#### Scenario: Product with minimum age 18
+- **WHEN** a product has minimum age set to 18
+- **THEN** the system initiates verification with age parameter 18
+
+### Requirement: Server-side device_id generation
+The system SHALL generate the VerifyID device_id server-side as a UUID v4 string, without requiring any client-side JavaScript. The device_id SHALL be stored in the Symfony session and reused for the auth_check call after callback.
+
+#### Scenario: Device ID persists across redirect
+- **WHEN** the initiation controller generates a device_id and stores it in the session
+- **THEN** the callback controller retrieves the same device_id from the session to use in the `/auth_check/` API call
+
+### Requirement: Twig runtime generates internal route URL
+The Twig runtime `authorizationUrl()` method SHALL return a URL to the internal initiation controller (not directly to VerifyID). The initiation controller route SHALL include the minimum age as a parameter.
+
+#### Scenario: Template renders verify button
+- **WHEN** the checkout complete page renders and an age check is required for age 18
+- **THEN** the "Verify Age" link points to the internal initiation route with age 18 as a parameter

openspec/changes/archive/2026-03-06-replace-criipto-with-verifyid/tasks.md

@@ -0,0 +1,51 @@
+## 1. Delete Criipto/OIDC components
+
+- [x] 1.1 Delete `src/OpenIdConfiguration/OpenIdConfiguration.php`, `OpenIdConfigurationFactory.php`, `OpenIdConfigurationFactoryInterface.php`
+- [x] 1.2 Delete `src/Token/TokenDecoder.php`, `TokenDecoderInterface.php`, `DecodedToken.php`
+- [x] 1.3 Delete `src/Controller/CriiptoCallbackAction.php`
+
+## 2. Update MinimumAge enum
+
+- [x] 2.1 Remove `MINIMUM_15` and `MINIMUM_21` cases from `MinimumAge` enum, remove `asScope()` method
+
+## 3. Update configuration
+
+- [x] 3.1 Replace `criipto` config node with `verify_id` node containing `plugin_key` (defaulting to `%env(VERIFYID_PLUGIN_KEY)%`) in `Configuration.php`
+- [x] 3.2 Update `SetonoSyliusAgeVerificationExtension` to read `verify_id.plugin_key` and set corresponding container parameter
+
+## 4. Create VerifyID controllers
+
+- [x] 4.1 Create `InitiateVerificationAction` controller: generates UUID v4 device_id, stores in session, calls VerifyID `/url_generator_s/` endpoint, redirects to returned URL
+- [x] 4.2 Create `VerifyIdCallbackAction` controller: reads `token_age_verified` query param, retrieves device_id from session, calls `/auth_check/` endpoint, stores verified age on customer
+
+## 5. Update URL generator
+
+- [x] 5.1 Rewrite `AuthorizationUrlGenerator` to generate an internal route URL (to `InitiateVerificationAction`) with the minimum age as a parameter, instead of building an external OIDC URL
+- [x] 5.2 Update `AuthorizationUrlGeneratorInterface` if the signature changes
+
+## 6. Update service wiring
+
+- [x] 6.1 Update `services.xml`: remove Criipto/OIDC service definitions, add new controller services (`InitiateVerificationAction`, `VerifyIdCallbackAction`) with required dependencies (HttpClient, session, router, plugin_key parameter)
+- [x] 6.2 Update `AuthorizationUrlGenerator` service definition (remove OpenIdConfiguration dependency, simplify to just router)
+
+## 7. Update routes
+
+- [x] 7.1 Update `routes/global.yaml`: replace `criipto_callback` route with two routes — `setono_sylius_age_verification_shop_initiate` (with age parameter) and `setono_sylius_age_verification_shop_callback`
+
+## 8. Update Twig runtime
+
+- [x] 8.1 Update `Twig/Runtime::authorizationUrl()` — it no longer needs `countryCode` since the URL is now an internal route. Simplify to pass just the `MinimumAge` to the generator.
+
+## 9. Update dependencies
+
+- [x] 9.1 Remove `firebase/php-jwt` and `cuyz/valinor` from `composer.json`, add `symfony/uid` if not already present
+- [x] 9.2 Run `composer update` to verify dependency changes
+
+## 10. Update tests and tooling
+
+- [x] 10.1 Update or rewrite existing unit tests for changed components (`MinimumAgeChecker`, `AuthorizationUrlGenerator`, etc.)
+- [x] 10.2 Add unit tests for `InitiateVerificationAction` and `VerifyIdCallbackAction`
+- [x] 10.3 Update test application config (`tests/Application/`) — replace Criipto env vars with VerifyID plugin key
+- [x] 10.4 Run `composer analyse` (PHPStan) and fix any errors
+- [x] 10.5 Run `composer check-style` and fix any coding standard violations
+- [x] 10.6 Run `vendor/bin/composer-dependency-analyser` and fix any issues