Step 2: Configuring resource owners

HWIOAuthBundle creates a dedicated service for each resource owner you want to use in your application. These resource owners will be used in the oauth firewall. The bundle ships several pre-configured resource owners that need only a little configuration.

Otherwise, to make this bundle work you need to add the following to your config/packages/hwi_oauth.yaml:

# config/packages/hwi_oauth.yaml
hwi_oauth:
    # an optional setting to configure a query string parameter which can be used to redirect
    # the user after authentication, e.g. /connect/facebook?_destination=/my/destination will
    # redirect the user to /my/destination after facebook authenticates them.  If this is not
    # set then the user will be redirected to the original resource that they requested, or
    # the base address if no resource was requested.  This is similar to the behaviour of
    # [target_path_parameter for form login](https://symfony.com/doc/5.4/security/form_login.html).
    # target_path_parameter: _destination

    # an optional setting to use the HTTP REFERER header to be used in case no
    # previous URL was stored in the session (i.e. no resource was requested).
    # This is similar to the behaviour of
    # [using the referring URL for form login](https://symfony.com/doc/5.4/security/form_login.html#using-the-referring-url).
    # use_referer: true

    # here you will add one (or more) configurations for resource owners
    # and other settings you want to adjust in this bundle, just checkout the list below!

Built-in resource owners:

• 37signals
• Asana
• Amazon
• Amazon Cognito
• Apple
• Auth0
• Azure
• Bitbucket
• Bitly
• BufferApp
• Clever
• DeviantArt
• Discogs
• Disqus
• Dropbox
• EVE Online
• Eventbrite
• Facebook
• FI-WARE
• Flickr
• Foursquare
• Genius
• GitHub
• GitLab
• Google
• Hubic
• Instagram
• itembase
• Jira
• Keycloak
• LinkedIn OpenID
• LinkedIn
• Mail.ru
• Odnoklassniki
• Passage
• PayPal
• QQ
• Reddit
• Salesforce
• Symfony Connect
• Sina Weibo
• Spotify
• Soundcloud
• Stack Exchange
• Stereomood
• Strava
• Telegram
• Toshl
• Trello
• Twitch
• Twitter
• Vkontakte
• Windows Live
• XING
• Yahoo
• Yandex
• Others

CSRF protection

Set the csrf option to true in the resource owner's configuration in order to protect your users from CSRF attacks. This will be round-tripped to your application in the state parameter.

Other types of state can be configured under the state key, either as a single string or key/value pairs. State can also be passed directly in the state query parameter of your request, provided they don't override the configured keys and are json and base64 encoded, as can be seen in OAuth/State/State.

Auto refreshing of expired access tokens

This option is experimental and can be enabled for GenericOAuth2ResourceOwner with option refresh_on_expire: true

# config/package/hwi_oauth.yaml
hwi_oauth:
    resource_owners:
        any_name:
            type:                resource_owner_of_choice
            client_id:           <client_id>
            client_secret:       <client_secret>
            options:
                csrf: true
                refresh_on_expire: true
                state:
                  some: parameter
                  some-other: parameter

Continue to the next step!

When you're done. Continue by configuring the security layer.

Step 3: Configuring the security layer.