Installation
Bundle Installation
For Pimcore >= 10.5
To install Pimcore OpenID Connect for Pimcore 10.5 or higher, follow the three steps below:
- Install the required dependencies:
composer require pimcore/openid-connect
- Make sure the bundle is enabled in the
config/bundles.phpfile. The following lines should be added:
use Pimcore\Bundle\OpenIdConnectBundle\PimcoreOpenIdConnectBundle;
// ...
return [
// ...
PimcoreOpenIdConnectBundle::class => ['all' => true],
// ...
];
- Install the bundle:
bin/console pimcore:bundle:install PimcoreOpenIdConnectBundle
For Older Versions
To install the OpenID Connect bundle for older versions of Pimcore, please run the following commands instead:
composer require pimcore/openid-connect
bin/console pimcore:bundle:enable PimcoreOpenIdConnectBundle
bin/console pimcore:bundle:install PimcoreOpenIdConnectBundle
PHP Extensions
Depending on the algorithm(s) used by the OpenID Connect provider, installing the bcmath and gmp PHP extensions can provide significant performance improvements.
Possible Configuration Clashes
The route pimcore_openidconnect_buttoninjection_script needs to be accessible publicly for the Pimcore public domain
for the login buttons to show up.
If other modules or implementations add additional firewall configurations, make sure the route is still public accessible.
For example, when using the Pimcore portal engine, you need to add following configuration to your symfony configuration
(e.g. in config.yaml):
pimcore_portal_engine:
custom_public_routes:
- pimcore_openidconnect_buttoninjection_script
Pimcore Studio UI
When using the OpenID Connect bundle with Pimcore Studio, the OAuth2 auth endpoints need to be publicly accessible. Add the following access_control rule to your config/packages/security.yaml before the catch-all Studio API rule:
security:
access_control:
# ... other rules ...
- {
path: ^/pimcore-studio/api/(docs|docs/json|translations|user/reset-password|setting/admin/thumbnail)$,
roles: PUBLIC_ACCESS,
}
- { path: ^/pimcore-studio/api/bundle/openid-connect/auth/, roles: PUBLIC_ACCESS }
- { path: ^/pimcore-studio/api, roles: ROLE_PIMCORE_USER }
The OpenID Connect rule must be placed before ^/pimcore-studio/api — otherwise the firewall will reject unauthenticated requests to the auth endpoints before the OAuth2 flow can complete.