121 changes: 121 additions & 0 deletions security/access_token.rst
@@ -875,6 +875,127 @@
}
}

3) Configure the Oauth2TokenHandler
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Symfony provides a generic access token handler that calls the configured token introspection endpoint to validate the token and retrieve the user information from it.
It requires the ``symfony/http-client`` package to make the needed HTTP requests. If you haven't installed it yet, run this command:

.. code-block:: terminal

$ composer require symfony/http-client

First, configure a dedicated scoped HTTP client for the token handler:

.. configuration-block::

.. code-block:: yaml
# config/packages/framework.yaml
framework:

Check failure on line 894 in security/access_token.rst (GitHub Actions / Lint (DOCtor-RST)):
Please add a blank line after " .. code-block:: yaml
http_client:
scoped_clients:
oauth2.client:
base_uri: 'https://authorization-server.example.com/introspection'
scope: 'https://authorization-server\.example\.com'
headers:
Authorization: 'Basic Y2xpZW50OnBhc3N3b3Jk'

.. code-block:: xml

<!-- config/packages/framework.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:framework="http://symfony.com/schema/dic/symfony"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

<framework:config>
<framework:http-client>
<framework:scoped-client name="oauth2.client"
base-uri="https://authorization-server.example.com/introspection"
scope="https://authorization-server\.example\.com"
>
<!-- Introspection Endpoint usually requires client authentication -->
<framework:header name="Authorization">Basic Y2xpZW50OnBhc3N3b3Jk</framework:header>
</framework:scoped-client>
</framework:http-client>
</framework:config>
</container>

.. code-block:: php

// config/packages/framework.php
use Symfony\Config\FrameworkConfig;

return static function (FrameworkConfig $framework): void {
$framework->httpClient()->scopedClient('oauth2.client')
->baseUri('https://authorization-server.example.com/introspection')
->scope('https://authorization-server\.example\.com')
->header('Authorization', 'Basic Y2xpZW50OnBhc3N3b3Jk') // Introspection Endpoint usually requires client authentication
;
};

Then, configure the ``oauth2`` token handler to use this scoped HTTP client:

.. configuration-block::

.. code-block:: yaml

# config/packages/security.yaml
security:
firewalls:
main:
pattern: ^/
access_token:
token_handler:
oauth2: ~
token_extractors: 'header'
realm: 'My API'

.. code-block:: xml

Check failure on line 957 in security/access_token.rst (GitHub Actions / Code Blocks):
[Cache Warmup] 2026-02-23T10:49:51+00:00 [critical] Uncaught Error: Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken\OAuth2TokenHandlerFactory::create(): Argument #3 ($config) must be of type array|string, null given, called in /home/runner/work/symfony-docs/symfony-docs/_sf_app/vendor/symfony/security-bundle/DependencyInjection/Security/Factory/AccessTokenFactory.php on line 160

<!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
xmlns:srv="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/security
https://symfony.com/schema/dic/security/security-1.0.xsd">

<config>
<firewall name="main">
<access-token>
<token-handler>
<oauth2/>
</token-handler>
</access-token>
</firewall>
</config>
</srv:container>

.. code-block:: php

// config/packages/security.php
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security) {
$security->firewall('main')
->accessToken()
->tokenHandler()
->oauth2()
->tokenExtractors('header')
->realm('My API')
;
};

.. versionadded:: 7.3

Check failure on line 995 in security/access_token.rst (GitHub Actions / Code Blocks):
[Cache Warmup] 2026-02-23T10:49:54+00:00 [critical] Uncaught Error: Too few arguments to function Symfony\Config\Security\FirewallConfig\AccessToken\TokenHandlerConfig::oauth2(), 0 passed in /home/runner/work/symfony-docs/symfony-docs/_sf_app/config/packages/security.php on line 9 and exactly 1 expected

The support for OAuth2 Token Introspection handler was introduced in Symfony 7.3.

Using CAS 2.0
-------------
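Review bot: the ``oauth2`` token handler configuration in the security block does not build in any of the three formats, as the CI annotations attached to this hunk record: the XML block's `<oauth2/>` hands `null` to `OAuth2TokenHandlerFactory::create()`, whose `$config` parameter is typed `array|string`, and the PHP block's `->oauth2()` is rejected because `TokenHandlerConfig::oauth2()` expects exactly one argument; the YAML block's `oauth2: ~` has the same null shape and will hit the same factory check once the lint error is fixed. Either the handler is meant to take no value, in which case the factory must accept `null` before these examples can be merged, or it expects a value that the page never shows; please state which and make the three formats agree (the XML block also omits the `token_extractors` and `realm` settings that the YAML and PHP blocks set, and the `security.php` closure lacks the `: void` return type that `framework.php` declares). Two further points in the framework block: the YAML example is missing the blank line after `.. code-block:: yaml` that DOCtor-RST flags, and all three formats embed a static Basic credential in the committed config via `Authorization: 'Basic Y2xpZW50OnBhc3N3b3Jk'`; since this header carries the introspection client's secret, the example should reference an environment variable placeholder instead (for instance `'%env(OAUTH2_INTROSPECTION_AUTH)%'`, variable name assumed) so readers do not copy a hard-coded secret into version control.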
