[Security] OIDC Discovery #50433

Closed
@vincentchalamon

Description


On the OIDC User Info (experimental) feature, the Symfony Security Bundle configuration allows passing a custom client, or auto-creating a client from the configuration passed (e.g. base_uri).

The OIDC Discovery Specification specifies a .well-known entrypoint for discovering the User Info entrypoint and other public information. It would be better to consume this entrypoint instead of statically specifying the client base_uri.

As some OIDC servers don't implement this Discovery Specification, and for backward compatibility, it should still be possible to use the OIDC User Info feature without any .well-known entrypoint (as is already the case in 6.3).

Question: should it be a new feature or a bugfix?

Example

Current implementation (still valid):

```yaml
security:
  firewalls:
    main:
      oidc_user_info:
        # using a custom Symfony HTTP Client
        client: my-client
        # using an auto-generated client
        client:
          base_uri: https://www.example.com/protocol/openid-connect/userinfo
```

Using OIDC Discovery:

```yaml
security:
  firewalls:
    main:
      oidc_user_info:
        # proposal 1: add a "well_known" option not combinable with the "client" option
        well_known: https://www.example.com/.well-known/openid-configuration
        # proposal 2: use the "client" option to set the Well-Known URI, and detect it in the token handler
        client:
          base_uri: https://www.example.com/.well-known/openid-configuration
```
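The resolution logic the two proposals describe, written out as an added example (Python, not Symfony's code): a configured `base_uri` is either used as the UserInfo endpoint directly (the 6.3 behaviour, for servers without discovery) or, when it is a `/.well-known/openid-configuration` URL as in proposal 2, fetched and parsed to find `userinfo_endpoint`. The discovery document, the `fetch` stub and the example.com hostnames are constructed for offline use. The checks applied to the document (issuer must equal the URL the document was fetched for, endpoint must be present and HTTPS) are the ones the OIDC Discovery specification asks of a relying party; they are not something the issue text itself spells out.

```python
"""
Resolve the OIDC UserInfo endpoint from either a static base_uri or an OIDC
Discovery document. Added illustration, not Symfony Security Bundle code.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed discovery document, shaped like a real
# /.well-known/openid-configuration response (example.com is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://www.example.com",
    "authorization_endpoint": "https://www.example.com/protocol/openid-connect/auth",
    "token_endpoint": "https://www.example.com/protocol/openid-connect/token",
    "userinfo_endpoint": "https://www.example.com/protocol/openid-connect/userinfo",
    "jwks_uri": "https://www.example.com/protocol/openid-connect/certs",
})

# Constructed document whose issuer does not match the URL it was fetched from;
# a relying party must reject this rather than follow its endpoints.
TAMPERED_DISCOVERY = json.dumps({
    "issuer": "https://other.example.net",
    "userinfo_endpoint": "https://other.example.net/userinfo",
})


def is_well_known_uri(uri: str) -> bool:
    """Proposal 2 in the issue: recognise a discovery URL by its path suffix."""
    return urlsplit(uri).path.rstrip("/").endswith(WELL_KNOWN_SUFFIX)


def parse_discovery(document: str, expected_issuer: str) -> str:
    """Return userinfo_endpoint from a discovery document, after validating it.

    - The 'issuer' claim must exactly equal the issuer URL the document was
      fetched for (issuer + WELL_KNOWN_SUFFIX), so a misconfigured or hostile
      server cannot redirect the client to another provider's endpoints.
    - userinfo_endpoint must exist and use https, since the UserInfo request
      carries the bearer access token.
    """
    meta = json.loads(document)
    if meta.get("issuer") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: document says {meta.get('issuer')!r}, "
            f"expected {expected_issuer!r}"
        )
    endpoint = meta.get("userinfo_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no userinfo_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError(f"userinfo_endpoint is not https: {endpoint!r}")
    return endpoint


def _offline_fetch(uri: str) -> str:
    """Stand-in for an HTTP GET; returns the constructed document for any URL."""
    return SAMPLE_DISCOVERY


def resolve_userinfo_endpoint(base_uri: str, fetch=_offline_fetch) -> str:
    """Combine both modes from the issue.

    A plain base_uri (server without discovery) is returned unchanged, which
    keeps the 6.3 behaviour. A well-known URL is fetched and the endpoint is
    taken from the validated discovery document.
    """
    if not is_well_known_uri(base_uri):
        return base_uri
    # Issuer is the well-known URL with the suffix removed (Discovery spec 4.1).
    issuer = base_uri.rstrip("/")[: -len(WELL_KNOWN_SUFFIX)]
    return parse_discovery(fetch(base_uri), issuer)


if __name__ == "__main__":
    static = "https://www.example.com/protocol/openid-connect/userinfo"
    well_known = "https://www.example.com" + WELL_KNOWN_SUFFIX
    print("static   ->", resolve_userinfo_endpoint(static))
    print("discovery->", resolve_userinfo_endpoint(well_known))
    try:
        parse_discovery(TAMPERED_DISCOVERY, "https://www.example.com")
    except ValueError as exc:
        print("rejected ->", exc)
```

In a real handler `fetch` would be the configured Symfony HTTP client; keeping it injectable is what makes the discovery path testable without network access, and the issuer comparison is the check that prevents a `base_uri` typo or a compromised DNS answer from silently switching the firewall to a different identity provider's UserInfo endpoint.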
