Description
In the OIDC User Info (experimental) feature, the Symfony Security Bundle configuration allows passing a custom client, or auto-creating a client from the configuration passed (e.g. `base_uri`).
The OIDC Discovery Specification defines a `.well-known` endpoint for discovering the User Info endpoint and other public information. It would be better to consume this endpoint instead of statically specifying the client `base_uri`.
As some OIDC servers don't implement this Discovery Specification, and for backward compatibility, it should still be possible to use the OIDC User Info feature without any `.well-known` endpoint (as is already the case in 6.3).
Question: should it be a new feature or a bugfix?
Example
Current implementation (still valid):
```yaml
security:
    firewalls:
        main:
            oidc_user_info:
                # using a custom Symfony HTTP Client
                client: my-client
                # using an auto-generated client
                client:
                    base_uri: https://www.example.com/protocol/openid-connect/userinfo
```
Using OIDC Discovery:
```yaml
security:
    firewalls:
        main:
            oidc_user_info:
                # proposal 1: add a "well_known" option, not combinable with the "client" option
                well_known: https://www.example.com/.well-known/openid-configuration
                # proposal 2: use the "client" option to set the Well-Known URI, and detect it in the token handler
                client:
                    base_uri: https://www.example.com/.well-known/openid-configuration
```
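As an added example (not Symfony's code), here is the resolution logic a token handler could apply to both proposals while keeping the static `base_uri` fallback; `fetch_json` and `offline_fetch` are hypothetical stand-ins for an HTTP client, and the discovery document is constructed. It also applies the two checks a `.well-known` consumer should make: https-only URLs, and the document's `issuer` matching the URL it was fetched from.

```python
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

def _require_https(url: str, what: str) -> str:
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{what} must be an absolute https URL: {url!r}")
    return url

def resolve_userinfo_endpoint(options: dict, fetch_json) -> str:
    """options mirrors the oidc_user_info YAML: {"well_known": url} (proposal 1) or
    {"client": {"base_uri": url}}; a base_uri ending in the well-known path is a discovery
    URL (proposal 2). fetch_json(url) -> dict is a hypothetical injected HTTP getter."""
    well_known = options.get("well_known")
    client = options.get("client")
    if isinstance(client, str):  # "client: my-client" names a service configured elsewhere
        raise NotImplementedError("named client services are resolved by the container")
    base_uri = (client or {}).get("base_uri")
    if well_known and base_uri:
        raise ValueError('"well_known" and "client" options are mutually exclusive')
    if not well_known and base_uri and base_uri.endswith(WELL_KNOWN_SUFFIX):
        well_known = base_uri  # proposal 2: discovery URL passed through client.base_uri
    if not well_known:
        if not base_uri:
            raise ValueError("oidc_user_info needs either well_known or client.base_uri")
        return _require_https(base_uri, "client.base_uri")  # 6.3 behaviour: static endpoint
    _require_https(well_known, "well_known")
    if not well_known.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("well_known must point at /.well-known/openid-configuration")
    expected_issuer = well_known[: -len(WELL_KNOWN_SUFFIX)]
    doc = fetch_json(well_known)
    # Discovery requires the document's issuer to equal the fetch URL minus the well-known path.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    endpoint = doc.get("userinfo_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no userinfo_endpoint")
    return _require_https(endpoint, "userinfo_endpoint")

# Constructed discovery document standing in for the provider's HTTP response.
SAMPLE_DISCOVERY = {
    "issuer": "https://www.example.com",
    "userinfo_endpoint": "https://www.example.com/protocol/openid-connect/userinfo",
}

def offline_fetch(url: str) -> dict:
    return SAMPLE_DISCOVERY if url == "https://www.example.com" + WELL_KNOWN_SUFFIX else {}
```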