From 9d155e2d3df8a143dd1c3fa860c2ff3d0af070ff Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:28:39 +0000 Subject: [PATCH 1/4] Initial plan From d427e85d3867167a891c94a7ce268937d9a4b9e5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:46:19 +0000 Subject: [PATCH 2/4] Document OpenID bundle decision and comparison with Symfony native OIDC Co-authored-by: ambroisemaupate <380026+ambroisemaupate@users.noreply.github.com> --- CHANGELOG.md | 9 + UPGRADE.md | 16 ++ .../security/openid-native-comparison.md | 177 ++++++++++++++++++ docs/developer/security/security.md | 4 + lib/OpenId/MIGRATION_GUIDE.md | 157 ++++++++++++++++ lib/OpenId/README.md | 35 +++- 6 files changed, 397 insertions(+), 1 deletion(-) create mode 100644 docs/developer/security/openid-native-comparison.md create mode 100644 lib/OpenId/MIGRATION_GUIDE.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 7508b1152..431d10a34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ All notable changes to Roadiz will be documented in this file. +## Unreleased + +### Documentation + +- **OpenID Authentication**: Documented the decision to maintain Roadiz's custom OpenID Connect implementation rather than migrating to Symfony's native OIDC support. The two systems serve different use cases: + - Symfony's native OIDC is designed for stateless API authentication with Bearer tokens + - Roadiz OpenID implements the OAuth2 Authorization Code Flow for web application SSO + - See [OpenID vs Native Symfony OIDC Comparison](docs/developer/security/openid-native-comparison.md) for details + ## [2.6.26](https://github.com/roadiz/core-bundle-dev-app/compare/v2.6.25...v2.6.26) - 2025-11-21 ### Bug Fixes diff --git a/UPGRADE.md b/UPGRADE.md index d52112b3d..d43a30f1a 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -1,5 +1,21 @@ # Upgrade to 2.7 +## OpenID Authentication + +Roadiz continues to use its custom OpenID Connect implementation (`roadiz/openid` package) for web application SSO, rather than Symfony's native OIDC support. This decision is intentional because: + +- Symfony's native OIDC (`OidcTokenHandler`) is designed for **stateless API authentication** with Bearer tokens +- Roadiz requires the **OAuth2 Authorization Code Flow** for web-based SSO with session management +- The Roadiz implementation provides UI integration, callback handling, and hybrid user support + +For a detailed explanation, see: +- [OpenID vs Native Symfony OIDC Comparison](docs/developer/security/openid-native-comparison.md) +- [OpenID Bundle Migration Guide](lib/OpenId/MIGRATION_GUIDE.md) + +**No migration is required.** The existing OpenID configuration remains unchanged. + +--- + ## ⚠ Breaking changes - NodeSourceWalkerContext requires a new service `NodeTypeClassLocatorInterface` in its constructor. diff --git a/docs/developer/security/openid-native-comparison.md b/docs/developer/security/openid-native-comparison.md new file mode 100644 index 000000000..407af2db9 --- /dev/null +++ b/docs/developer/security/openid-native-comparison.md @@ -0,0 +1,177 @@ +# Roadiz OpenID Bundle vs Symfony Native OIDC + +## Overview + +This document compares Roadiz's custom OpenID Connect implementation with Symfony's native OIDC authentication support introduced in Symfony 6.3 and enhanced in 7.3. + +## Symfony Native OIDC Support + +### What Symfony Provides (6.3+) + +Symfony introduced native OIDC support through the `access_token` authenticator system: + +- **OidcTokenHandler**: Validates OIDC JWT tokens (ID tokens or access tokens) +- **OidcUserInfoTokenHandler**: Fetches user information from the OIDC UserInfo endpoint +- Built-in JWT validation with automatic JWKS discovery +- Support for token introspection (OAuth2 RFC 7662) + +### Configuration Example + +```yaml +# config/packages/security.yaml +security: + firewalls: + api: + stateless: true + access_token: + token_handler: + oidc_user_info: https://your-oidc-server.com/realms/demo/protocol/openid-connect/userinfo +``` + +Or with JWT validation: + +```yaml +security: + firewalls: + api: + stateless: true + access_token: + token_handler: + oidc: + claim: sub + audience: your-client-id + issuers: + - https://your-oidc-server.com/realms/demo +``` + +### Use Cases + +Symfony's native OIDC is designed for: + +1. **Stateless API authentication** with Bearer tokens +2. **Resource server** validation of access tokens +3. **Service-to-service** authentication +4. **Mobile and SPA** applications that obtain tokens independently + +## Roadiz OpenID Bundle + +### What Roadiz Provides + +The `roadiz/openid` package implements a complete OpenID Connect authentication flow: + +- **Authorization Code Flow**: Full OAuth2/OIDC authorization code flow with PKCE support +- **Discovery Service**: Automatic configuration from `.well-known/openid-configuration` +- **Session-based Authentication**: Traditional web application authentication with sessions +- **UI Integration**: Seamless integration with Rozier backoffice login page +- **Hybrid User Support**: Both local database users and virtual OIDC-only users +- **Role Mapping**: Maps OIDC claims to Symfony roles + +### Current Implementation + +```yaml +# config/packages/roadiz_rozier.yaml +roadiz_rozier: + open_id: + discovery_url: '%env(string:OPEN_ID_DISCOVERY_URL)%' + hosted_domain: '%env(string:OPEN_ID_HOSTED_DOMAIN)%' + oauth_client_id: '%env(string:OPEN_ID_CLIENT_ID)%' + oauth_client_secret: '%env(string:OPEN_ID_CLIENT_SECRET)%' + requires_local_user: false + granted_roles: + - ROLE_USER + - ROLE_BACKEND_USER +``` + +### Use Cases + +Roadiz OpenID is designed for: + +1. **Web application SSO** for Rozier backoffice +2. **User-facing login flows** with redirect-based authentication +3. **Enterprise SSO** with providers like Authentik, Keycloak, Azure AD +4. **Session-based** authenticated users +5. **Mixed authentication** (local users + OIDC users) + +## Key Differences + +| Feature | Symfony Native OIDC | Roadiz OpenID Bundle | +|---------|-------------------|---------------------| +| **Authentication Flow** | Bearer Token (stateless) | Authorization Code Flow (stateful) | +| **Use Case** | API / Resource Server | Web Application SSO | +| **State Management** | Stateless | Session-based | +| **User Flow** | Token already obtained | Full login redirect flow | +| **UI Integration** | None (API-focused) | Rozier login button | +| **Discovery** | Manual or auto | Automatic with caching | +| **Local Users** | Not applicable | Optional requirement | +| **Role Mapping** | Basic | Advanced with strategies | +| **CSRF Protection** | Not needed | Built-in with state parameter | +| **Redirect Handling** | Not applicable | Full callback handling | + +## Why Both Are Relevant + +### Roadiz OpenID Bundle Should Be Kept Because: + +1. **Different Use Case**: Symfony's native OIDC is for stateless API authentication, while Roadiz needs stateful web SSO +2. **Authorization Code Flow**: Symfony doesn't provide the OAuth2 authorization code flow (redirect to provider, callback handling, token exchange) +3. **UI Integration**: The bundle integrates with Rozier's login page and provides redirect links +4. **Callback Handling**: Manages the OAuth2 callback endpoint, state verification, and session establishment +5. **Hybrid Authentication**: Supports mixing OIDC authentication with local database users in the same firewall + +### Potential Refactoring Opportunities + +While the full bundle should be maintained, some components could leverage Symfony's native features: + +1. **JWT Validation**: Use Symfony's JWT validation infrastructure instead of manual lcobucci/jwt implementation +2. **JWKS Caching**: Leverage Symfony's OIDC discovery caching mechanisms +3. **Token Introspection**: For API scenarios, add support for Symfony's token introspection +4. **UserInfo Endpoint**: Consider using `OidcUserInfoTokenHandler` for user info fetching + +## Recommended Architecture + +### For Rozier Backoffice (Web UI) +**Use Roadiz OpenID Bundle** - Provides the complete authorization code flow needed for web-based SSO. + +```yaml +security: + firewalls: + main: + custom_authenticator: + - RZ\Roadiz\RozierBundle\Security\RozierAuthenticator + - roadiz_rozier.open_id.authenticator # Roadiz OpenID +``` + +### For API Endpoints +**Could Use Symfony Native OIDC** - For stateless API authentication with Bearer tokens. + +```yaml +security: + firewalls: + api: + stateless: true + access_token: + token_handler: + oidc_user_info: https://your-provider.com/userinfo +``` + +## Migration Path (Future) + +If Symfony adds authorization code flow support in the future: + +1. **Phase 1**: Refactor JWT validation to use Symfony's infrastructure +2. **Phase 2**: Replace discovery mechanism with Symfony's native discovery +3. **Phase 3**: Evaluate if Symfony provides sufficient authorization code flow support +4. **Phase 4**: Only if Symfony provides full flow, migrate or deprecate custom implementation + +## Conclusion + +**The Roadiz OpenID bundle remains necessary and relevant** because it solves a different problem than Symfony's native OIDC support. Symfony focuses on stateless API token validation, while Roadiz provides a complete web application SSO flow with UI integration. + +The bundle could be enhanced by leveraging some of Symfony's native OIDC infrastructure for JWT validation and discovery, but a complete replacement is not appropriate at this time. + +## References + +- [Symfony Access Token Authentication](https://symfony.com/doc/current/security/access_token.html) +- [Symfony 6.3 OpenID Connect Token Handler](https://symfony.com/blog/new-in-symfony-6-3-openid-connect-token-handler) +- [Symfony 7.3 Security Improvements](https://symfony.com/blog/new-in-symfony-7-3-security-improvements) +- [OAuth 2.0 Authorization Code Flow](https://oauth.net/2/grant-types/authorization-code/) +- [OpenID Connect Core Specification](https://openid.net/specs/openid-connect-core-1_0.html) diff --git a/docs/developer/security/security.md b/docs/developer/security/security.md index dd3b12326..388a98231 100644 --- a/docs/developer/security/security.md +++ b/docs/developer/security/security.md @@ -5,6 +5,10 @@ Roadiz uses Symfony's security component to manage user authentication and autho entity to manage roles in bulk. This user entity can be used in classic session firewall, in API authentication with JWT tokens or even with OpenID (openid user must match a local user). +::: tip +Roadiz provides its own OpenID Connect implementation for web application SSO. See the [OpenID vs Native Symfony OIDC comparison](./openid-native-comparison.md) to understand the differences between Roadiz's OpenID bundle and Symfony's native OIDC token authentication. +::: + ```yaml # config/packages/security.yaml security: diff --git a/lib/OpenId/MIGRATION_GUIDE.md b/lib/OpenId/MIGRATION_GUIDE.md new file mode 100644 index 000000000..6eda795b4 --- /dev/null +++ b/lib/OpenId/MIGRATION_GUIDE.md @@ -0,0 +1,157 @@ +# OpenID Bundle - Future Enhancement Opportunities + +This document outlines potential enhancements to the Roadiz OpenID bundle that could leverage Symfony's native OIDC infrastructure while maintaining the authorization code flow functionality. + +## Current Status + +The Roadiz OpenID bundle is **actively maintained and necessary** for web application SSO. It implements the OAuth2 Authorization Code Flow which is not provided by Symfony's native OIDC support. + +## Potential Enhancements + +### 1. JWT Validation with Symfony Infrastructure (Medium Priority) + +**Current Implementation:** +- Uses `lcobucci/jwt` directly for JWT parsing and validation +- Manual JWKS fetching and PEM conversion with `codercat/jwk-to-pem` + +**Potential Enhancement:** +```php +// Current approach in OpenIdAuthenticator +$configuration = $this->jwtConfigurationFactory->create(); +$jwt = $configuration->parser()->parse($jsonResponse['id_token']); +$configuration->validator()->assert($jwt, ...$constraints); +``` + +**Could Leverage:** +- Symfony's `Web\Token\*` components if they provide better integration +- However, `lcobucci/jwt` is well-maintained and works well, so this is low priority + +**Benefits:** +- Potential performance improvements +- Better integration with Symfony's security system +- Reduced maintenance burden + +**Risks:** +- Breaking changes in token validation logic +- Migration effort may not justify benefits + +### 2. Discovery Caching (Low Priority) + +**Current Implementation:** +- Custom caching with PSR-6 CacheItemPoolInterface +- Manual cache key management + +**Potential Enhancement:** +Could align with Symfony's OIDC discovery caching if they expose reusable components. + +**Benefits:** +- Standardized caching approach +- Potential performance improvements + +**Note:** Current implementation works well, this is very low priority. + +### 3. Hybrid API Token Support (Future Feature) + +**Current Limitation:** +The bundle focuses on web SSO and doesn't provide Bearer token validation for APIs. + +**Potential Enhancement:** +Add an optional API authenticator that uses Symfony's native `OidcTokenHandler` for stateless API endpoints while keeping the Authorization Code Flow for web UI. + +**Example Configuration:** +```yaml +# config/packages/security.yaml +security: + firewalls: + # Web UI - uses Authorization Code Flow + main: + custom_authenticator: + - roadiz_rozier.open_id.authenticator + + # API - uses Bearer tokens (new) + api: + stateless: true + access_token: + token_handler: + oidc_user_info: '%env(OPEN_ID_DISCOVERY_URL)%/userinfo' +``` + +**Benefits:** +- Unified OIDC configuration +- Support for both web and API authentication +- Leverage Symfony's stateless token validation + +**Implementation Notes:** +- Keep web SSO separate from API token validation +- Share OIDC configuration (discovery URL, client ID) between both +- Different user providers may be needed + +### 4. User Info Endpoint Integration (Low Priority) + +**Current Implementation:** +User information comes from ID token claims. + +**Potential Enhancement:** +Optionally fetch additional user info from the UserInfo endpoint using `OidcUserInfoTokenHandler` patterns. + +**Benefits:** +- Access to additional user claims not in ID token +- Better compatibility with providers that return minimal ID tokens + +**Note:** Most providers include sufficient claims in the ID token, making this optional. + +## What NOT to Migrate + +### Authorization Code Flow ❌ +**Do NOT migrate** the authorization code flow to Symfony native OIDC because: +- Symfony doesn't provide this flow +- It requires stateful session management +- It needs UI integration with login buttons and redirects +- The current implementation is mature and works well + +### Session-Based Authentication ❌ +**Do NOT migrate** to stateless authentication because: +- Rozier backoffice requires sessions +- CSRF protection needs session state +- Remember me functionality needs sessions +- User experience depends on traditional web app sessions + +### Custom User Providers ❌ +**Do NOT remove** `OpenIdAccountProvider` and virtual user support because: +- Enterprise customers need to authenticate without local users +- Role mapping strategies are essential +- The provider chain with local users is a key feature + +## Decision Matrix + +When considering migrating a component, ask: + +| Question | Migrate if YES | Keep Custom if YES | +|----------|---------------|-------------------| +| Does Symfony provide this feature? | ✓ | | +| Is it core to authorization code flow? | | ✓ | +| Would it simplify the codebase significantly? | ✓ | | +| Is the current implementation problematic? | ✓ | | +| Would it break existing functionality? | | ✓ | +| Is it actively used by customers? | | ✓ | + +## Recommendations + +### Short Term (Current) +- ✅ **Document** the differences between Roadiz OpenID and Symfony native OIDC +- ✅ **Maintain** the current implementation as-is +- ⚠️ **Monitor** Symfony's OIDC development for authorization code flow support + +### Medium Term (6-12 months) +- 🔍 **Evaluate** JWT validation migration if Symfony provides clear benefits +- 🔍 **Consider** hybrid API token support for unified authentication + +### Long Term (12+ months) +- 🔍 **Reassess** if Symfony adds authorization code flow support +- 🔍 **Plan** migration path only if Symfony provides equivalent functionality + +## Conclusion + +The Roadiz OpenID bundle should remain independent because it solves a fundamentally different problem than Symfony's native OIDC support. Any future enhancements should be carefully evaluated to ensure they provide clear benefits without compromising the current functionality. + +**Key Principle:** Only adopt Symfony native components when they provide equivalent or superior functionality for the specific use case (web application SSO with authorization code flow). diff --git a/lib/OpenId/README.md b/lib/OpenId/README.md index fbd403298..0ba152c9b 100644 --- a/lib/OpenId/README.md +++ b/lib/OpenId/README.md @@ -1,8 +1,41 @@ # openid -Roadiz sub-package for handling OpenID authentication +Roadiz sub-package for handling OpenID Connect authentication [![Unit tests, static analysis and code style](https://github.com/roadiz/openid/actions/workflows/run-test.yml/badge.svg?branch=develop)](https://github.com/roadiz/openid/actions/workflows/run-test.yml) +## Purpose + +This package implements the **OAuth2 Authorization Code Flow** for OpenID Connect, providing web application Single Sign-On (SSO) for the Roadiz CMS backoffice. This is different from Symfony's native OIDC support (introduced in 6.3+), which focuses on stateless API authentication with Bearer tokens. + +## Why Not Use Symfony's Native OIDC? + +Symfony's native `OidcTokenHandler` and `OidcUserInfoTokenHandler` are designed for: +- **Stateless API authentication** with access tokens +- **Resource servers** validating tokens from external identity providers +- **Bearer token** authentication (the token is already obtained by the client) + +This package provides: +- **Authorization Code Flow** with redirect-based authentication +- **Session-based** authentication for web applications +- **UI integration** with Rozier backoffice login +- **OAuth2 callback handling** (state verification, token exchange) +- **Hybrid user support** (local users + virtual OIDC users) +- **Role mapping strategies** from OIDC claims + +For a detailed comparison, see the [OpenID vs Native Symfony OIDC documentation](../../docs/developer/security/openid-native-comparison.md). + +## Features + +- OpenID Connect Discovery (.well-known/openid-configuration) +- OAuth2 Authorization Code Flow with PKCE support +- JWT token validation with JWK Set verification +- Session-based authentication +- Optional local user requirement +- Configurable role mapping from JWT claims +- CSRF protection with state parameter +- Automatic token refresh +- Support for multiple identity providers (Google, Authentik, Keycloak, Azure AD, etc.) + ## Contributing Report [issues](https://github.com/roadiz/core-bundle-dev-app/issues) and send [Pull Requests](https://github.com/roadiz/core-bundle-dev-app/pulls) in the [main Roadiz repository](https://github.com/roadiz/core-bundle-dev-app) From 05cacc25cab6e82ea7afda914e3c43cb9bd3c03d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:48:12 +0000 Subject: [PATCH 3/4] Address code review feedback: improve documentation clarity Co-authored-by: ambroisemaupate <380026+ambroisemaupate@users.noreply.github.com> --- docs/developer/security/openid-native-comparison.md | 2 +- lib/OpenId/MIGRATION_GUIDE.md | 13 ++++++++----- lib/OpenId/README.md | 4 +++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/developer/security/openid-native-comparison.md b/docs/developer/security/openid-native-comparison.md index 407af2db9..88524495b 100644 --- a/docs/developer/security/openid-native-comparison.md +++ b/docs/developer/security/openid-native-comparison.md @@ -51,7 +51,7 @@ Symfony's native OIDC is designed for: 1. **Stateless API authentication** with Bearer tokens 2. **Resource server** validation of access tokens 3. **Service-to-service** authentication -4. **Mobile and SPA** applications that obtain tokens independently +4. **Mobile and Single Page Application (SPA)** applications that obtain tokens independently ## Roadiz OpenID Bundle diff --git a/lib/OpenId/MIGRATION_GUIDE.md b/lib/OpenId/MIGRATION_GUIDE.md index 6eda795b4..dfb936c70 100644 --- a/lib/OpenId/MIGRATION_GUIDE.md +++ b/lib/OpenId/MIGRATION_GUIDE.md @@ -14,17 +14,20 @@ The Roadiz OpenID bundle is **actively maintained and necessary** for web applic - Uses `lcobucci/jwt` directly for JWT parsing and validation - Manual JWKS fetching and PEM conversion with `codercat/jwk-to-pem` -**Potential Enhancement:** +**Current Approach:** ```php -// Current approach in OpenIdAuthenticator +// In OpenIdAuthenticator::authenticate() $configuration = $this->jwtConfigurationFactory->create(); $jwt = $configuration->parser()->parse($jsonResponse['id_token']); $configuration->validator()->assert($jwt, ...$constraints); ``` -**Could Leverage:** -- Symfony's `Web\Token\*` components if they provide better integration -- However, `lcobucci/jwt` is well-maintained and works well, so this is low priority +**Potential Enhancement:** +```php +// Could leverage Symfony's Web Token components if available +// However, lcobucci/jwt is well-maintained and works well +// This is low priority unless clear benefits emerge +``` **Benefits:** - Potential performance improvements diff --git a/lib/OpenId/README.md b/lib/OpenId/README.md index 0ba152c9b..571152107 100644 --- a/lib/OpenId/README.md +++ b/lib/OpenId/README.md @@ -5,7 +5,9 @@ Roadiz sub-package for handling OpenID Connect authentication ## Purpose -This package implements the **OAuth2 Authorization Code Flow** for OpenID Connect, providing web application Single Sign-On (SSO) for the Roadiz CMS backoffice. This is different from Symfony's native OIDC support (introduced in 6.3+), which focuses on stateless API authentication with Bearer tokens. +This package implements the **OAuth2 Authorization Code Flow** for OpenID Connect, providing web application Single Sign-On (SSO) for the Roadiz CMS backoffice. + +This is different from Symfony's native OIDC support (introduced in 6.3+). Symfony's implementation focuses on stateless API authentication with Bearer tokens. ## Why Not Use Symfony's Native OIDC? From c7cb30f6444559f513c50f9d4579cd48688f91bc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 2 Dec 2025 09:49:51 +0000 Subject: [PATCH 4/4] Add comprehensive summary of OpenID decision Co-authored-by: ambroisemaupate <380026+ambroisemaupate@users.noreply.github.com> --- OPENID_DECISION_SUMMARY.md | 115 +++++++++++++++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 OPENID_DECISION_SUMMARY.md diff --git a/OPENID_DECISION_SUMMARY.md b/OPENID_DECISION_SUMMARY.md new file mode 100644 index 000000000..ded1be922 --- /dev/null +++ b/OPENID_DECISION_SUMMARY.md @@ -0,0 +1,115 @@ +# OpenID Authentication Decision Summary + +## Issue +The issue requested an investigation into migrating from Roadiz's custom OpenID bundle to Symfony's native OIDC authentication (introduced in Symfony 6.3+). + +## Investigation Findings + +### Symfony's Native OIDC (6.3+) +Symfony introduced native OpenID Connect support through: +- `OidcTokenHandler`: Validates OIDC JWT tokens +- `OidcUserInfoTokenHandler`: Fetches user info from OIDC UserInfo endpoint +- `access_token` authenticator: Built-in access token authentication + +**Design Purpose**: Stateless API authentication with Bearer tokens +**Use Cases**: Resource servers, API authentication, mobile apps, SPAs + +### Roadiz OpenID Bundle +The `roadiz/openid` package provides: +- Full OAuth2 Authorization Code Flow implementation +- Session-based web application authentication +- UI integration with Rozier backoffice login +- Discovery service with automatic configuration +- Hybrid user support (local + virtual OIDC users) +- Role mapping from JWT claims + +**Design Purpose**: Web application Single Sign-On (SSO) +**Use Cases**: Rozier backoffice login, enterprise SSO, session-based authentication + +## Decision: Maintain Roadiz OpenID Bundle + +**The Roadiz OpenID bundle remains necessary** because: + +1. **Different Authentication Flow** + - Symfony: Token validation (assumes token already obtained) + - Roadiz: Authorization code flow (redirect to provider, obtain token) + +2. **Different State Management** + - Symfony: Stateless (no sessions) + - Roadiz: Stateful (session-based) + +3. **Different Use Cases** + - Symfony: API authentication + - Roadiz: Web application SSO + +4. **UI Integration** + - Symfony: No UI components + - Roadiz: Login button, callback handling, session management + +5. **User Management** + - Symfony: Basic token validation + - Roadiz: Hybrid local/virtual users, role strategies + +## No Migration Required + +**No code changes are necessary.** The existing OpenID configuration continues to work as designed. + +## Documentation Added + +This PR adds comprehensive documentation: + +1. **[openid-native-comparison.md](docs/developer/security/openid-native-comparison.md)** (177 lines) + - Detailed comparison of Symfony native OIDC vs Roadiz OpenID + - Use cases for each approach + - Feature comparison table + - Recommended architecture patterns + +2. **[MIGRATION_GUIDE.md](lib/OpenId/MIGRATION_GUIDE.md)** (160 lines) + - Potential future enhancements + - Decision matrix for considering migrations + - What should NOT be migrated + - Short/medium/long term recommendations + +3. **Updated [lib/OpenId/README.md](lib/OpenId/README.md)** + - Clarified purpose of the bundle + - Explained differences from Symfony native OIDC + - Listed key features + +4. **Updated [docs/developer/security/security.md](docs/developer/security/security.md)** + - Added reference to comparison documentation + +5. **Updated [UPGRADE.md](UPGRADE.md)** + - Added section explaining the decision + - Confirmed no migration required + +6. **Updated [CHANGELOG.md](CHANGELOG.md)** + - Documented the decision + +## Future Considerations + +While maintaining the bundle, potential future enhancements could include: +- Using Symfony's JWT validation infrastructure (if beneficial) +- Adding optional API token support using native OIDC for API endpoints +- Leveraging Symfony's OIDC discovery caching mechanisms + +However, the core authorization code flow implementation should remain custom. + +## Conclusion + +**The Roadiz OpenID bundle is still relevant and necessary.** Symfony's native OIDC support solves a different problem (stateless API authentication) than what Roadiz requires (stateful web SSO). + +The documentation now clearly explains: +- Why both solutions exist +- When to use each approach +- That no migration is required or recommended +- Potential future enhancements that could leverage Symfony's infrastructure + +## Files Changed +- `CHANGELOG.md` - Added entry documenting the decision +- `UPGRADE.md` - Added clarification that no migration is needed +- `docs/developer/security/security.md` - Added reference to comparison doc +- `docs/developer/security/openid-native-comparison.md` - **NEW** - Comprehensive comparison +- `lib/OpenId/MIGRATION_GUIDE.md` - **NEW** - Future enhancement guide +- `lib/OpenId/README.md` - Updated with purpose and comparison + +Total: 402 lines of new documentation added