@@ -717,6 +717,10 @@ it, and retrieves the user information from it. Optionally, the token can be enc
717717
718718 Support for encryption algorithms to decrypt JWEs was introduced in Symfony 7.3.
719719
720+ .. versionadded :: 7.4
721+
722+ Support for multiple OIDC discovery endpoints was introduced in Symfony 7.4.
723+
720724To enable `OpenID Connect Discovery `_, the ``OidcTokenHandler `` requires the
721725``symfony/cache `` package to store the OIDC configuration in the cache. If you
722726haven't installed it yet, run the following command:
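Review bot: the new ``versionadded`` note for 7.4 is placed at the top of the discovery section, before the reader has seen any mention of multiple endpoints, so it reads out of context; move it into the new "Configuring Multiple OIDC Discovery Endpoints" subsection added below, next to the ``base_uri`` list it describes, following the convention used for the 7.3 JWE note, which sits directly beside the feature it annotates.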
@@ -796,6 +800,91 @@ from the OpenID Connect Discovery), and configure the ``discovery`` option:
796800 ;
797801 };
798802
803+ Configuring Multiple OIDC Discovery Endpoints
804+ .............................................
805+
806+ The ``OidcTokenHandler `` supports multiple OIDC discovery endpoints. This allows
807+ validating tokens from multiple identity providers:
808+
809+ .. configuration-block ::
810+
811+ .. code-block :: yaml
812+
813+ # config/packages/security.yaml
814+ security :
815+ firewalls :
816+ main :
817+ access_token :
818+ token_handler :
819+ oidc :
820+ algorithms : ['ES256', 'RS256']
821+ audience : ' api-example'
822+ issuers : ['https://oidc1.example.com', 'https://oidc2.example.com']
823+ discovery :
824+ base_uri :
825+ - https://idp1.example.com/realms/demo/
826+ - https://idp2.example.com/realms/demo/
827+ cache :
828+ id : cache.app
829+
830+ .. code-block :: xml
831+
832+ <!-- config/packages/security.xml -->
833+ <?xml version =" 1.0" encoding =" UTF-8" ?>
834+ <srv : container xmlns =" http://symfony.com/schema/dic/security"
835+ xmlns : srv =" http://symfony.com/schema/dic/services"
836+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
837+ xsi : schemaLocation =" http://symfony.com/schema/dic/services
838+ https://symfony.com/schema/dic/services/services-1.0.xsd
839+ http://symfony.com/schema/dic/security
840+ https://symfony.com/schema/dic/security/security-1.0.xsd" >
841+
842+ <config >
843+ <firewall name =" main" >
844+ <access-token >
845+ <token-handler >
846+ <oidc audience =" api-example" >
847+ <algorithm >ES256</algorithm >
848+ <algorithm >RS256</algorithm >
849+ <issuer >https://oidc1.example.com</issuer >
850+ <issuer >https://oidc2.example.com</issuer >
851+ <discovery cache =" cache.app" >
852+ <base-uri >https://idp1.example.com/realms/demo/</base-uri >
853+ <base-uri >https://idp2.example.com/realms/demo/</base-uri >
854+ </discovery >
855+ </oidc >
856+ </token-handler >
857+ </access-token >
858+ </firewall >
859+ </config >
860+ </srv : container >
861+
862+ .. code-block :: php
863+
864+ // config/packages/security.php
865+ use Symfony\Config\SecurityConfig;
866+
867+ return static function (SecurityConfig $security) {
868+ $security->firewall('main')
869+ ->accessToken()
870+ ->tokenHandler()
871+ ->oidc()
872+ ->algorithms(['ES256', 'RS256'])
873+ ->audience('api-example')
874+ ->issuers(['https://oidc1.example.com', 'https://oidc2.example.com'])
875+ ->discovery()
876+ ->baseUri([
877+ 'https://idp1.example.com/realms/demo/',
878+ 'https://idp2.example.com/realms/demo/',
879+ ])
880+ ->cache(['id' => 'cache.app'])
881+ ;
882+ };
883+
884+ The token handler fetches the JWK sets from all configured discovery endpoints
885+ and builds a combined JWK set for token validation. This enables your application
886+ to accept and validate tokens from multiple identity providers in a single firewall.
887+
799888Following the `OpenID Connect Specification `_, the ``sub `` claim is used by
800889default as user identifier. To use another claim, specify it on the
801890configuration:
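Review bot: the closing paragraph ("builds a combined JWK set for token validation") should state how the ``issuers`` list and the combined key set interact, because that is the security-relevant detail of this feature: with one merged JWK set, a token signed by ``idp2``'s key but carrying ``idp1``'s ``iss`` claim would verify unless the handler binds each key to the issuer whose discovery document published it, or at minimum checks ``iss`` against the full ``issuers`` list after signature verification. Document which of these the handler does, and if keys are not bound per issuer, add a caution that all configured providers are mutually trusted for signing. Also consider aligning the example values so each ``issuers`` entry matches its ``base_uri`` (e.g. ``https://idp1.example.com/realms/demo/`` for both), since OpenID Connect Discovery requires the ``issuer`` in the discovery document to be identical to the URL it was fetched from; the current ``https://oidc1.example.com`` / ``https://idp1.example.com/...`` pairing suggests a configuration that would fail that check.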