You are browsing documentation for version 5.0 of OroCommerce, OroCRM, and OroPlatform, maintained until August 2024 and supported until March 2026. See version 5.1 (the latest LTS version) of the Oro documentation for information on latest features.

See our Release Process documentation for more information on the currently supported and upcoming releases.


OroOAuth2ServerBundle provides OAuth 2.0 authorization and resource server capabilities implemented on top of thephpleague/oauth2-server library.

Currently, Authorization Code, Client Credentials and Password grants are implemented.

See OAuth 2.0 Server Authorization Code Grant and OAuth 2.0 Authorization Code Grant for details of Client Credentials grant.

See OAuth 2.0 Server Client Credentials Grant and OAuth 2.0 Client Credentials Grant for details of the Client Credentials grant.

See OAuth 2.0 Server Resource Owner Password Credentials Grant and OAuth 2.0 Password Grant for details on the Password grant.


The default configuration of OroOAuth2ServerBundle is illustrated below:


        # The lifetime in seconds of the access token.
        access_token_lifetime: 3600 # 1 hour

        # The lifetime in seconds of the refresh token.
        refresh_token_lifetime: 18144000 # 30 days

        # The lifetime in seconds of the authorization code.
        auth_code_lifetime: 600 # 10 minutes

        # Determines if the refresh token grant is enabled.
        enable_refresh_token: true

        # Determines if the authorization code grant is enabled.
        enable_auth_code: true

        # The full path to the private key file that is used to sign JWT tokens.
        private_key: '%kernel.project_dir%/var/oauth_private.key'

        # The string that is used to encrypt refresh token and authorization token payload.
        # How to generate an encryption key:
        encryption_key: '%secret%'

        # The configuration of CORS requests
            # The amount of seconds the user agent is allowed to cache CORS preflight requests
            preflight_max_age: 600

            # The list of origins that are allowed to send CORS requests
            allow_origins: [] # Example: ['', '']


        # The full path to the public key file that is used to verify JWT tokens.
        public_key: '%kernel.project_dir%/var/oauth_public.key'


To use OAuth 2.0 authorization, generate the private and public keys and place them into locations specified in the authorization_server / private_key and resource_server / public_key options. See Generating public and private keys for details on how to generate the keys.

Create OAuth Application via Data Fixtures

The OAuth applications can be added using data fixtures. For example:

namespace Oro\Bundle\OAuth2ServerBundle\Migrations\Data\ORM;

use Doctrine\Common\DataFixtures\AbstractFixture;
use Doctrine\Persistence\ObjectManager;
use Oro\Bundle\OAuth2ServerBundle\Entity\Client;
use Oro\Bundle\OAuth2ServerBundle\Entity\Manager\ClientManager;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerAwareTrait;

class LoadOAuthApplication extends AbstractFixture implements ContainerAwareInterface
    use ContainerAwareTrait;

     * {@inheritdoc}
    public function load(ObjectManager $manager)
        $client = new Client();
        $client->setName('My Application');

        $this->container->get(ClientManager::class)->updateClient($client, false);


To load data fixtures, use either oro:migration:data:load or oro:platform:update command.

Using OAuth Authorization in REST API

See OAuth Authentication in API.

Business Tip

Find out what sets B2B eCommerce apart from B2C and whether your company needs digital commerce.