Openid Connect Provider Bundle

Openid Connect Provider Bundle Laravel Package

ajgarlag/openid-connect-provider-bundle


OpenID Connect provider Symfony bundle

Frequently asked questions about Openid Connect Provider Bundle
Can I use this bundle directly in Laravel, or is it only for Symfony?
This bundle is designed for Symfony and isn’t natively compatible with Laravel. For Laravel, you’d need to either embed Symfony components via a bridge like `spatie/symfony-laravel` or deploy it as a separate microservice. Alternatively, consider Laravel-native alternatives like `php-openid/light-openid-connect` for a simpler integration.
Does this bundle support PKCE (Proof Key for Code Exchange) for enhanced security?
No, this bundle does not include PKCE support out of the box. PKCE is critical for modern OAuth2 security, and you’d need to manually configure it in the underlying `league/oauth2-server-bundle`. Ensure your clients enforce PKCE for authorization code flow to mitigate interception risks.
How do I configure custom claims like `sub` or `email` for OpenID Connect responses?
Custom claims are resolved via the `UserClaimsResolveEvent` in Symfony’s event dispatcher. You’ll need to create a custom event listener to map user data (e.g., from Doctrine or another source) to OIDC claims like `sub` (subject) or `email`. Refer to the `league/oauth2-server-bundle` documentation for event handling examples.
What Laravel versions and PHP versions are supported by this bundle?
This bundle is built for Symfony 6.4+, 7.4+, and 8.0+, requiring PHP 8.2+. While Laravel 10+ (PHP 8.2+) could technically integrate it via a Symfony bridge, there’s no direct Laravel support. Ensure your Laravel app’s PHP version aligns with Symfony’s requirements if embedding components.
Do I need to set up a database for OAuth2 storage, and if so, which tables are required?
Yes, you’ll need to configure storage for OAuth2 entities like `authorization_codes`, `clients`, and `access_tokens`. The bundle relies on `league/oauth2-server-bundle`, which supports Doctrine, Redis, or custom adapters. No migrations are provided—you’ll need to manually create tables or use Doctrine migrations for your schema.
Is Implicit Flow (deprecated in OIDC 1.0) supported, and should I use it?
Implicit Flow is supported but deprecated in OIDC 1.0. Avoid using it for new projects, as it lacks security features like PKCE and is being phased out. Instead, use Authorization Code Flow with PKCE for modern, secure OIDC implementations. Configure this in `league/oauth2-server-bundle`’s storage layer.
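The two answers above that recommend PKCE come down to the check sketched here: the client derives an S256 challenge from a random verifier, and the token endpoint recomputes and compares it before redeeming the authorization code. This is an added example, not code from this bundle or from `league/oauth2-server-bundle`; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration of RFC 7636 (PKCE) with S256. Not code from this bundle
// or from league/oauth2-server-bundle; all function names are hypothetical.

/** base64url without padding, the encoding RFC 7636 uses. */
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** Client: 32 random bytes encode to a 43-character code_verifier. */
function makeCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32));
}

/** Client: code_challenge sent with the authorization request. */
function s256Challenge(string $verifier): string
{
    return base64UrlEncode(hash('sha256', $verifier, true));
}

/** Server, token endpoint: check code_verifier against the stored challenge. */
function verifyPkce(?string $storedChallenge, ?string $storedMethod, ?string $verifier): bool
{
    // A code issued without a challenge, or redeemed without a verifier, is rejected.
    if ($storedChallenge === null || $verifier === null) {
        return false;
    }
    // S256 only: with "plain" the challenge is the verifier itself.
    if ($storedMethod !== 'S256') {
        return false;
    }
    // RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
    if (preg_match('/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier) !== 1) {
        return false;
    }
    return hash_equals($storedChallenge, s256Challenge($verifier)); // constant-time
}

// Constructed round trip: matching verifier, wrong verifier, missing PKCE, plain.
$verifier  = makeCodeVerifier();
$challenge = s256Challenge($verifier);
var_dump(verifyPkce($challenge, 'S256', $verifier));
var_dump(verifyPkce($challenge, 'S256', makeCodeVerifier()));
var_dump(verifyPkce(null, null, $verifier));
var_dump(verifyPkce($verifier, 'plain', $verifier));
```

Only the first call passes; treating a missing challenge as a failure rather than as "PKCE not used" is what makes the check an enforcement rather than an option.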
How do I test my OpenID Connect provider before deploying to production?
Use tools like [oidcdebugger.com](https://oidcdebugger.com/) to validate your OIDC endpoints (e.g., `/authorize`, `/token`, `/jwks`). Test with a sample Relying Party (RP) to ensure proper token issuance, claim resolution, and RP-Initiated Logout. Mock user data in your tests to avoid database dependencies.
Are there any built-in logging or observability features for OIDC events?
No, the bundle doesn’t include built-in logging for OIDC events like token issuance or logout. You’ll need to manually instrument Symfony’s event dispatcher or use a logging library (e.g., Monolog) to track critical OIDC operations. Consider creating custom listeners for audit trails.
What are the alternatives to this bundle for Laravel applications?
For Laravel, consider `php-openid/light-openid-connect`, which is a lightweight OIDC library without Symfony dependencies. Alternatively, `laravel/socialite` (for OAuth providers) or `gloudemans/shopware-provider` (for Shopware integrations) may fit narrower use cases. Evaluate based on your need for full OIDC compliance vs. simplicity.
How do I handle HTTPS and CORS for OIDC endpoints in production?
OIDC requires HTTPS for all endpoints. Configure your web server (e.g., Nginx, Apache) to enforce HTTPS and set proper `issuer` and `redirect_uris` in client configurations. For CORS, restrict access to trusted Relying Parties (RPs) by configuring the `league/oauth2-server-bundle`’s `grant` and `access_token` handlers to validate `Origin` headers.