Minor tweak

Author: javiereguiluz

security/access_token.rst

@@ -717,10 +717,6 @@ it, and retrieves the user information from it. Optionally, the token can be enc
 
     Support for encryption algorithms to decrypt JWEs was introduced in Symfony 7.3.
 
-.. versionadded:: 7.4
-
-    Support for multiple OIDC discovery endpoints was introduced in Symfony 7.4.
-
 To enable `OpenID Connect Discovery`_, the ``OidcTokenHandler`` requires the
 ``symfony/cache`` package to store the OIDC configuration in the cache. If you
 haven't installed it yet, run the following command:
@@ -800,11 +796,9 @@ from the OpenID Connect Discovery), and configure the ``discovery`` option:
             ;
         };
 
-Configuring Multiple OIDC Discovery Endpoints
-.............................................
-
-The ``OidcTokenHandler`` supports multiple OIDC discovery endpoints. This allows
-validating tokens from multiple identity providers:
+Following the `OpenID Connect Specification`_, the ``sub`` claim is used by
+default as user identifier. To use another claim, specify it on the
+configuration:
 
 .. configuration-block::
 
@@ -817,15 +811,11 @@ validating tokens from multiple identity providers:
                     access_token:
                         token_handler:
                             oidc:
+                                claim: email
                                 algorithms: ['ES256', 'RS256']
+                                keyset: '{"keys":[{"kty":"...","k":"..."}]}'
                                 audience: 'api-example'
-                                issuers: ['https://oidc1.example.com', 'https://oidc2.example.com']
-                                discovery:
-                                    base_uri:
-                                        - https://idp1.example.com/realms/demo/
-                                        - https://idp2.example.com/realms/demo/
-                                    cache:
-                                        id: cache.app
+                                issuers: ['https://oidc.example.com']
 
     .. code-block:: xml
 
@@ -843,15 +833,10 @@ validating tokens from multiple identity providers:
                 <firewall name="main">
                     <access-token>
                         <token-handler>
-                            <oidc audience="api-example">
+                            <oidc claim="email" keyset="{'keys':[{'kty':'...','k':'...'}]}" audience="api-example">
                                 <algorithm>ES256</algorithm>
                                 <algorithm>RS256</algorithm>
-                                <issuer>https://oidc1.example.com</issuer>
-                                <issuer>https://oidc2.example.com</issuer>
-                                <discovery cache="cache.app">
-                                    <base-uri>https://idp1.example.com/realms/demo/</base-uri>
-                                    <base-uri>https://idp2.example.com/realms/demo/</base-uri>
-                                </discovery>
+                                <issuer>https://oidc.example.com</issuer>
                             </oidc>
                         </token-handler>
                     </access-token>
@@ -869,25 +854,38 @@ validating tokens from multiple identity providers:
                 ->accessToken()
                     ->tokenHandler()
                         ->oidc()
+                            ->claim('email')
                             ->algorithms(['ES256', 'RS256'])
+                            ->keyset('{"keys":[{"kty":"...","k":"..."}]}')
                             ->audience('api-example')
-                            ->issuers(['https://oidc1.example.com', 'https://oidc2.example.com'])
-                            ->discovery()
-                                ->baseUri([
-                                    'https://idp1.example.com/realms/demo/',
-                                    'https://idp2.example.com/realms/demo/',
-                                ])
-                                ->cache(['id' => 'cache.app'])
+                            ->issuers(['https://oidc.example.com'])
             ;
         };
 
-The token handler fetches the JWK sets from all configured discovery endpoints
-and builds a combined JWK set for token validation. This enables your application
-to accept and validate tokens from multiple identity providers in a single firewall.
+By default, the ``OidcTokenHandler`` creates an ``OidcUser`` with the claims. To
+create your own User from the claims, you must
+:doc:`create your own UserProvider </security/user_providers>`::
 
-Following the `OpenID Connect Specification`_, the ``sub`` claim is used by
-default as user identifier. To use another claim, specify it on the
-configuration:
+    // src/Security/Core/User/OidcUserProvider.php
+    use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface;
+
+    class OidcUserProvider implements AttributesBasedUserProviderInterface
+    {
+        public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface
+        {
+            // implement your own logic to load and return the user object
+        }
+    }
+
+Configuring Multiple OIDC Discovery Endpoints
+.............................................
+
+.. versionadded:: 7.4
+
+    Support for multiple OIDC discovery endpoints was introduced in Symfony 7.4.
+
+The ``OidcTokenHandler`` supports multiple OIDC discovery endpoints, allowing it
+to validate tokens from different identity providers:
 
 .. configuration-block::
 
@@ -900,11 +898,15 @@ configuration:
                     access_token:
                         token_handler:
                             oidc:
-                                claim: email
                                 algorithms: ['ES256', 'RS256']
-                                keyset: '{"keys":[{"kty":"...","k":"..."}]}'
                                 audience: 'api-example'
-                                issuers: ['https://oidc.example.com']
+                                issuers: ['https://oidc1.example.com', 'https://oidc2.example.com']
+                                discovery:
+                                    base_uri:
+                                        - https://idp1.example.com/realms/demo/
+                                        - https://idp2.example.com/realms/demo/
+                                    cache:
+                                        id: cache.app
 
     .. code-block:: xml
 
@@ -922,10 +924,15 @@ configuration:
                 <firewall name="main">
                     <access-token>
                         <token-handler>
-                            <oidc claim="email" keyset="{'keys':[{'kty':'...','k':'...'}]}" audience="api-example">
+                            <oidc audience="api-example">
                                 <algorithm>ES256</algorithm>
                                 <algorithm>RS256</algorithm>
-                                <issuer>https://oidc.example.com</issuer>
+                                <issuer>https://oidc1.example.com</issuer>
+                                <issuer>https://oidc2.example.com</issuer>
+                                <discovery cache="cache.app">
+                                    <base-uri>https://idp1.example.com/realms/demo/</base-uri>
+                                    <base-uri>https://idp2.example.com/realms/demo/</base-uri>
+                                </discovery>
                             </oidc>
                         </token-handler>
                     </access-token>
@@ -943,28 +950,21 @@ configuration:
                 ->accessToken()
                     ->tokenHandler()
                         ->oidc()
-                            ->claim('email')
                             ->algorithms(['ES256', 'RS256'])
-                            ->keyset('{"keys":[{"kty":"...","k":"..."}]}')
                             ->audience('api-example')
-                            ->issuers(['https://oidc.example.com'])
+                            ->issuers(['https://oidc1.example.com', 'https://oidc2.example.com'])
+                            ->discovery()
+                                ->baseUri([
+                                    'https://idp1.example.com/realms/demo/',
+                                    'https://idp2.example.com/realms/demo/',
+                                ])
+                                ->cache(['id' => 'cache.app'])
             ;
         };
 
-By default, the ``OidcTokenHandler`` creates an ``OidcUser`` with the claims. To
-create your own User from the claims, you must
-:doc:`create your own UserProvider </security/user_providers>`::
-
-    // src/Security/Core/User/OidcUserProvider.php
-    use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface;
-
-    class OidcUserProvider implements AttributesBasedUserProviderInterface
-    {
-        public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface
-        {
-            // implement your own logic to load and return the user object
-        }
-    }
+The token handler fetches the JWK sets from all configured discovery endpoints
+and builds a combined JWK set for token validation. This lets your application
+accept and validate tokens from multiple identity providers within a single firewall.
 
 Creating a OIDC token from the command line
 -------------------------------------------