You are browsing documentation for version 5.1 of OroCommerce, supported until March 2026. Read the documentation for version 6.0 (the latest LTS version) to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.


OroOAuth2ServerBundle provides OAuth 2.0 authorization and resource server capabilities implemented on top of thephpleague/oauth2-server library.

Currently, Authorization Code (with PKCE extention), Client Credentials and Password grants are implemented.

See OAuth 2.0 Server Authorization Code Grant and OAuth 2.0 Authorization Code Grant for details of Authorization Code grant.

See OAuth 2.0 Server Client Credentials Grant and OAuth 2.0 Client Credentials Grant for details of the Client Credentials grant.

See OAuth 2.0 Server Resource Owner Password Credentials Grant and OAuth 2.0 Password Grant for details on the Password grant.


The default configuration of OroOAuth2ServerBundle is illustrated below:


        # The lifetime in seconds of the access token.
        access_token_lifetime: 3600 # 1 hour

        # The lifetime in seconds of the refresh token.
        refresh_token_lifetime: 18144000 # 30 days

        # The lifetime in seconds of the authorization code.
        auth_code_lifetime: 600 # 10 minutes

        # Determines if the refresh token grant is enabled.
        enable_refresh_token: true

        # Determines if the authorization code grant is enabled.
        enable_auth_code: true

        # The full path to the private key file that is used to sign JWT tokens.
        private_key: '%kernel.project_dir%/var/oauth_private.key'

        # The string that is used to encrypt refresh token and authorization token payload.
        # How to generate an encryption key:
        encryption_key: '%kernel.secret%'

        # The configuration of CORS requests
            # The amount of seconds the user agent is allowed to cache CORS preflight requests
            preflight_max_age: 600

            # The list of origins that are allowed to send CORS requests
            allow_origins: [] # Example: ['', '']

            # The list of headers that are allowed to send by CORS requests.
            # This option specifies a list of headers that are sent
            # in the "Access-Control-Allow-Headers" response header of CORS preflight requests
            allow_headers: [] # Example: ['X-Foo', 'X-Bar']


        # The full path to the public key file that is used to verify JWT tokens.
        public_key: '%kernel.project_dir%/var/oauth_public.key'


To use OAuth 2.0 authorization, generate the private and public keys and place them into locations specified in the authorization_server / private_key and resource_server / public_key options. See Generating public and private keys for details on how to generate the keys.

Manage OAuth Applications 

See Manage OAuth Applications and Manage Customer User OAuth Applications.

Create OAuth Application via Data Fixtures 

The OAuth applications can be added using data fixtures. For example:

namespace Oro\Bundle\OAuth2ServerBundle\Migrations\Data\ORM;

use Doctrine\Common\DataFixtures\AbstractFixture;
use Doctrine\Persistence\ObjectManager;
use Oro\Bundle\OAuth2ServerBundle\Entity\Client;
use Oro\Bundle\OAuth2ServerBundle\Entity\Manager\ClientManager;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerAwareTrait;

class LoadOAuthApplication extends AbstractFixture implements ContainerAwareInterface
    use ContainerAwareTrait;

     * {@inheritdoc}
    public function load(ObjectManager $manager)
        $client = new Client();
        $client->setName('My Application');

        $this->container->get(ClientManager::class)->updateClient($client, false);


To load data fixtures, use either oro:migration:data:load or oro:platform:update command.

Using OAuth Authorization in REST API 

See OAuth Authentication in API.

Business Tip

Find out what sets B2B eCommerce apart from B2C and whether your company needs digital commerce.