{"id":28696013,"url":"https://github.com/l-vo/sf_keycloak_example","last_synced_at":"2025-10-08T23:43:34.978Z","repository":{"id":42513895,"uuid":"427782672","full_name":"l-vo/sf_keycloak_example","owner":"l-vo","description":"Example of Symfony authentication with openid connect (Keycloak as identity provider)","archived":false,"fork":false,"pushed_at":"2024-09-27T13:46:15.000Z","size":3818,"stargazers_count":54,"open_issues_count":0,"forks_count":12,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-06-14T09:43:45.224Z","etag":null,"topics":["authentication","authenticators","keycloak","openid","security","symfony"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/l-vo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-13T22:07:17.000Z","updated_at":"2025-04-15T22:51:35.000Z","dependencies_parsed_at":"2022-09-01T18:00:29.185Z","dependency_job_id":null,"html_url":"https://github.com/l-vo/sf_keycloak_example","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/l-vo/sf_keycloak_example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-vo%2Fsf_keycloak_example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-vo%2Fsf_keycloak_example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-vo%2Fsf_keycloak_example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-vo%2Fsf_keycloak_example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/l-vo"
,"download_url":"https://codeload.github.com/l-vo/sf_keycloak_example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l-vo%2Fsf_keycloak_example/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259875530,"owners_count":22925200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authenticators","keycloak","openid","security","symfony"],"created_at":"2025-06-14T09:38:40.744Z","updated_at":"2025-10-08T23:43:29.936Z","avatar_url":"https://github.com/l-vo.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Example of Symfony authentication with Keycloak server as SSO\n\n## Start Keycloak server\n\nThe application is intended to be used with a Keycloak server in a Docker container. To start it:\n\n```bash\n$ docker compose up -d\n```\nKeycloak now runs on the arbitrarily chosen port `52957`. In your browser, go to `http://localhost:52957/` and follow the *Administration Console* link. The credentials are **admin**/**admin**.\n\n## Keycloak configuration\n\n### Client configuration\n\nFirst, let's create a new OpenID client. Go to the *Clients* link in the menu and use the *Create client* button. Use `symfony-app` as *Client ID* and keep `OpenID Connect` as *Client type*. Then, click on the *Next* button.\n\nOn the *Capability config* screen, switch on the *Client authentication* toggle. Leave the other settings unchanged and click on the *Next* button. 
On the *Login settings* screen, type `http://localhost:8000/redirect-uri` in *Valid Redirect URIs*. You can now save the configuration.\n\nYou should now see all the `symfony-app` client settings. Go to the *Credentials* tab and copy the *Client Secret* field content somewhere. You are going to need it for the Symfony application configuration.\n\n### Add Symfony specific roles\nWe are going to add a specific role for the application. Go to *Realm roles* on the left menu, click on the *Create role* button, type `ROLE_USER` as *Role name* (case matters) and save your modification.\n\n### User creation\nLet's create a user for logging into our Symfony application. Go to the *Users* link from the left menu and click on the *Add user* button. Fill in the *username*, *email*, *first name* and *last name* fields. Then create the user.\n\nSome extra configuration options are now available. Go to the *Credentials* tab and click on the *set password* button. In the displayed modal, choose a password, confirm it and disable the *Temporary* feature. Then save your modifications (a confirmation modal should appear; you can confirm your modifications by clicking on *Save password*).\n\nYou also need to add the previously created `ROLE_USER` to your user to be allowed to access the profile page in the Symfony application. Go to *Role Mapping* and click on *Assign role*. In the top left select box, choose *Filter by realm roles*, tick `ROLE_USER` and click on the *Assign* button.\n\n### Add roles to ID token\nBy default, roles are not present in the ID token. To be able to get roles from the ID token, go to *Client Scopes* (left menu) and click on the *roles* scope. Then choose the *Mappers* tab, edit the *realm roles* line and set the *Add to ID token* toggle to `ON`. Save your modification. For the sake of transparency, in the settings tab, switch on the *Include in token Scope* toggle and save the modification. 
Otherwise roles won't be displayed in the scope list of Keycloak responses.\n\n### Public key\nKeycloak configuration is done, but you need the public key to check the JWT signature. Go to the left menu entry *Realm Settings* and choose the *Keys* tab. Click on the *Public key* button of the `RS256` algorithm for a signing (`SIG`) usage. Copy the displayed value somewhere.\n\n### Disconnect from admin account\n\nDon't forget to log out: you can't use admin to log in to the Symfony application since admin has no email (having an email is only a requirement for our implementation, not a general rule).\n\n## Symfony application configuration\n\n### Environment variables\n\nYou need to create a `.env.local` file at the root of the project. Add the following content:\n```env\nKEYCLOAK_CLIENTSECRET=624e2565-a612-4255-9522-35d27636e8c7\nKEYCLOAK_PK=\"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhHUOz9Fwkx9TFR07flcEmn2aVCxKM9dLhTBvHwOYLzCSETWk3/lf/xwg/f2sicrsY2W/EZLrpDyKZSCuSzwbPp7DLSN9Ww8DnLJNLxFWL+LXgSY+IqoUZSKq/lPS/2N4bW61kz7clVgOMI1iWt2I+FAs6oRLfDRbOjIVWgMyT1W/pSrX5Y6nR8Q1VE+MfCE0QAlsYLpb9vxuh4jiOkpY+P+RqSj1ciTxuqic/k0HOvAaI1vJmIdJe3iQlVK/lxzHlaB+nY20WdVV2LVlFthvCVO6pH+I+pbHk1NkgYmXoKsm+on7epazT7Bg1K8eVpumcBG2sPX9R04RL5hz4WmWwwIDAQAB\n-----END PUBLIC KEY-----\"\n```\nReplace the `KEYCLOAK_CLIENTSECRET` and `KEYCLOAK_PK` contents with your own values that you previously copied.\n\nAdd `KEYCLOAK_VERIFY_PEER=true` and `KEYCLOAK_VERIFY_HOST=true` if you want to verify the peer/host when calling the Keycloak server.\n\n## Start the Symfony application\n\nFor the sake of simplicity, we use the [Symfony local web server](https://symfony.com/doc/5.4/setup/symfony_server.html). At least PHP 8.0 is needed to run the application. 
Start the server:\n\n```bash\n$ symfony serve -d --no-tls\n```\n\nThen, install the dependencies:\n\n```bash\n$ symfony composer install\n```\n\nYou can now go to `http://localhost:8000` in your browser and try to log in to the application with the user account you previously created :)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl-vo%2Fsf_keycloak_example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fl-vo%2Fsf_keycloak_example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl-vo%2Fsf_keycloak_example/lists"}