OroOAuth2ServerBundle provides OAuth 2.0 authorization and resource server capabilities implemented on top of thephpleague/oauth2-server library.

Currently, Client Credentials and Password grants are implemented.

See OAuth 2.0 Server Client Credentials Grant and OAuth 2.0 Client Credentials Grant for details of Client Credentials grant.

See OAuth 2.0 Server Resource Owner Password Credentials Grant and OAuth 2.0 Password Grant for details of Password grant.


The default configuration of OroOAuth2ServerBundle is illustrated below:


        # The lifetime in seconds of the access token.
        access_token_lifetime: 3600 # 1 hour

        # The lifetime in seconds of the refresh token.
        refresh_token_lifetime: 18144000 # 30 days

        # Determines if refresh token grant is enabled.
        enable_refresh_token: true

        # The full path to the private key file that is used to sign JWT tokens.
        private_key: '%kernel.project_dir%/var/oauth_private.key'

        # The string that is used to encrypt refresh token and authorization token payload.
        # How to generate an encryption key: https://oauth2.thephpleague.com/installation/#string-password
        encryption_key: '%secret%'

        # The configuration of CORS requests
            # The amount of seconds the user agent is allowed to cache CORS preflight requests
            preflight_max_age: 600

            # The list of origins that are allowed to send CORS requests
            allow_origins: [] # Example: ['https://foo.com', 'https://bar.com']


        # The full path to the public key file that is used to verify JWT tokens.
        public_key: '%kernel.project_dir%/var/oauth_public.key'

In order to use OAuth 2.0 authorization, you need to generate private and public keys and place them to locations specified in authorization_server / private_key and resource_server / public_key options. See Generating public and private keys for details how to generate the keys.

Create OAuth Application via Data Fixtures

The OAuth applications can be added using data fixtures. For example:


namespace Oro\Bundle\OAuth2ServerBundle\Migrations\Data\ORM;

use Doctrine\Common\DataFixtures\AbstractFixture;
use Doctrine\Common\Persistence\ObjectManager;
use Oro\Bundle\OAuth2ServerBundle\Entity\Client;
use Oro\Bundle\OAuth2ServerBundle\Entity\Manager\ClientManager;
use Oro\Bundle\OrganizationBundle\Entity\Organization;
use Symfony\Component\DependencyInjection\ContainerAwareInterface;
use Symfony\Component\DependencyInjection\ContainerAwareTrait;

class LoadOAuthApplication extends AbstractFixture implements ContainerAwareInterface
    use ContainerAwareTrait;

     * {@inheritdoc}
    public function load(ObjectManager $manager)
        $client = new Client();
        $client->setName('My Application');

        $this->container->get(ClientManager::class)->updateClient($client, false);


To load data fixtures, use either oro:migration:data:load or oro:platform:update command.

Using OAuth Authorization in REST API

See OAuth Authentication in API.