ibexa · mnocon · Sep 22, 2025 · Mar 6, 2026 · Mar 6, 2026 · Mar 9, 2026
diff --git a/docs/users/oauth_server.md b/docs/users/oauth_server.md
@@ -22,14 +22,14 @@ Add the tables needed by the bundle:
 
 === "MySQL"
 
-    ```bash
-    php bin/console ibexa:doctrine:schema:dump-sql vendor/ibexa/oauth2-server/src/bundle/Resources/config/schema.yaml | mysql -u <username> -p <password> <database_name>
+    ``` sql
+    [[= include_file('docs/users/sql/install_mysql.sql', glue='    ') =]]
     ```
 
 === "PostgreSQL"
 
-    ```bash
-    php bin/console ibexa:doctrine:schema:dump-sql --force-platform=postgres vendor/ibexa/oauth2-server/src/bundle/Resources/config/schema.yaml | psql <database_name>
+    ``` sql
+    [[= include_file('docs/users/sql/install_postgresql.sql', glue='    ') =]]
     ```
 
 Then, in `config/bundles.php`, at the end of an array with a list of bundles, add the following two lines :

diff --git a/docs/users/sql/install_mysql.sql b/docs/users/sql/install_mysql.sql
@@ -0,0 +1,142 @@
+CREATE TABLE
+    ibexa_oauth2_client (
+        id INT AUTO_INCREMENT NOT NULL,
+        client_name VARCHAR(128) NOT NULL,
+        client_identifier VARCHAR(32) NOT NULL,
+        client_secret VARCHAR(128) DEFAULT NULL,
+        client_active TINYINT (1) DEFAULT '0' NOT NULL,
+        client_plain_pkce TINYINT (1) DEFAULT '0' NOT NULL,
+        UNIQUE INDEX ibexa_oauth2_client_identifier_idx (client_identifier),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_client_redirect_uri (
+        id INT AUTO_INCREMENT NOT NULL,
+        client_id INT NOT NULL,
+        client_redirect_uri VARCHAR(255) NOT NULL,
+        INDEX ibexa_oauth2_client_redirect_uri_client_id_idx (client_id),
+        INDEX ibexa_oauth2_client_redirect_uri_client_redirect_uri_idx (client_redirect_uri),
+        UNIQUE INDEX ibexa_oauth2_client_redirect_uri_unique_idx (client_id, client_redirect_uri),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_client_grant (
+        id INT AUTO_INCREMENT NOT NULL,
+        client_id INT NOT NULL,
+        client_grant VARCHAR(255) NOT NULL,
+        INDEX ibexa_oauth2_client_grant_client_id_idx (client_id),
+        INDEX ibexa_oauth2_client_grant_client_grant_idx (client_grant),
+        UNIQUE INDEX ibexa_oauth2_client_grant_unique_idx (client_id, client_grant),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_client_token (
+        id INT AUTO_INCREMENT NOT NULL,
+        client_id INT NOT NULL,
+        token_id INT NOT NULL,
+        INDEX ibexa_oauth2_client_token_client_id_idx (client_id),
+        INDEX ibexa_oauth2_client_token_token_id_idx (token_id),
+        UNIQUE INDEX ibexa_oauth2_client_token_unique_idx (client_id, token_id),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_client_scope (
+        id INT AUTO_INCREMENT NOT NULL,
+        client_id INT NOT NULL,
+        client_scope VARCHAR(255) NOT NULL,
+        INDEX ibexa_oauth2_client_scope_client_id_idx (client_id),
+        INDEX ibexa_oauth2_client_scope_client_scope_idx (client_scope),
+        UNIQUE INDEX ibexa_oauth2_client_scope_unique_idx (client_id, client_scope),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_token_scope (
+        id INT AUTO_INCREMENT NOT NULL,
+        token_id INT NOT NULL,
+        token_scope VARCHAR(255) NOT NULL,
+        INDEX ibexa_oauth2_token_scope_token_id_idx (token_id),
+        INDEX ibexa_oauth2_token_scope_scope_idx (token_scope),
+        UNIQUE INDEX ibexa_oauth2_token_scope_unique_idx (token_id, token_scope),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_refresh_access_token (
+        id INT AUTO_INCREMENT NOT NULL,
+        access_token_id INT NOT NULL,
+        refresh_token_id INT NOT NULL,
+        INDEX ibexa_oauth2_refresh_access_token_access_token_id_idx (access_token_id),
+        INDEX ibexa_oauth2_refresh_access_token_refresh_token_id_idx (refresh_token_id),
+        UNIQUE INDEX ibexa_oauth2_refresh_access_token_unique_idx (access_token_id, refresh_token_id),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_consent (
+        id INT AUTO_INCREMENT NOT NULL,
+        user_identifier VARCHAR(150) NOT NULL,
+        client_identifier VARCHAR(32) NOT NULL,
+        created INT DEFAULT 0 NOT NULL,
+        updated INT DEFAULT 0 NOT NULL,
+        INDEX IDX_40497C0FD0494586 (user_identifier),
+        INDEX IDX_40497C0FE77ABE2B (client_identifier),
+        INDEX ibexa_oauth2_consent_consent_idx (user_identifier, client_identifier),
+        UNIQUE INDEX ibexa_oauth2_consent_unique_idx (user_identifier, client_identifier),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+CREATE TABLE
+    ibexa_oauth2_consent_scope (
+        id INT AUTO_INCREMENT NOT NULL,
+        consent_id INT NOT NULL,
+        consent_scope VARCHAR(255) NOT NULL,
+        INDEX ibexa_oauth2_consent_scope_consent_id_idx (consent_id),
+        INDEX ibexa_oauth2_consent_scope_consent_scope_idx (consent_scope),
+        UNIQUE INDEX ibexa_oauth2_consent_scope_unique_idx (consent_id, consent_scope),
+        PRIMARY KEY (id)
+    ) DEFAULT CHARACTER
+SET
+    utf8mb4 COLLATE `utf8mb4_unicode_520_ci` ENGINE = InnoDB;
+
+ALTER TABLE ibexa_oauth2_client_redirect_uri ADD CONSTRAINT ibexa_oauth2_client_redirect_uri_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_client_grant ADD CONSTRAINT ibexa_oauth2_client_grant_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_client_token ADD CONSTRAINT ibexa_oauth2_client_token_client_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_client_token ADD CONSTRAINT ibexa_oauth2_client_token_token_fk FOREIGN KEY (token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_client_scope ADD CONSTRAINT ibexa_oauth2_client_scope_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_token_scope ADD CONSTRAINT ibexa_oauth2_token_scope_fk FOREIGN KEY (token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_refresh_access_token ADD CONSTRAINT ibexa_oauth2_refresh_access_token_access_token_fk FOREIGN KEY (access_token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_refresh_access_token ADD CONSTRAINT ibexa_oauth2_refresh_access_token_refresh_token_fk FOREIGN KEY (refresh_token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_consent ADD CONSTRAINT ibexa_oauth2_consent_user_fk FOREIGN KEY (user_identifier) REFERENCES ezuser (login) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_consent ADD CONSTRAINT ibexa_oauth2_consent_client_fk FOREIGN KEY (client_identifier) REFERENCES ibexa_oauth2_client (client_identifier) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE ibexa_oauth2_consent_scope ADD CONSTRAINT ibexa_oauth2_consent_scope_fk FOREIGN KEY (consent_id) REFERENCES ibexa_oauth2_consent (id) ON UPDATE CASCADE ON DELETE CASCADE;
diff --git a/docs/users/sql/install_postgresql.sql b/docs/users/sql/install_postgresql.sql
@@ -0,0 +1,150 @@
+CREATE TABLE
+    ibexa_oauth2_client (
+        id SERIAL NOT NULL,
+        client_name VARCHAR(128) NOT NULL,
+        client_identifier VARCHAR(32) NOT NULL,
+        client_secret VARCHAR(128) DEFAULT NULL,
+        client_active BOOLEAN DEFAULT 'false' NOT NULL,
+        client_plain_pkce BOOLEAN DEFAULT 'false' NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE UNIQUE INDEX ibexa_oauth2_client_identifier_idx ON ibexa_oauth2_client (client_identifier);
+
+CREATE TABLE
+    ibexa_oauth2_client_redirect_uri (
+        id SERIAL NOT NULL,
+        client_id INT NOT NULL,
+        client_redirect_uri VARCHAR(255) NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_client_redirect_uri_client_id_idx ON ibexa_oauth2_client_redirect_uri (client_id);
+
+CREATE INDEX ibexa_oauth2_client_redirect_uri_client_redirect_uri_idx ON ibexa_oauth2_client_redirect_uri (client_redirect_uri);
+
+CREATE UNIQUE INDEX ibexa_oauth2_client_redirect_uri_unique_idx ON ibexa_oauth2_client_redirect_uri (client_id, client_redirect_uri);
+
+CREATE TABLE
+    ibexa_oauth2_client_grant (
+        id SERIAL NOT NULL,
+        client_id INT NOT NULL,
+        client_grant VARCHAR(255) NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_client_grant_client_id_idx ON ibexa_oauth2_client_grant (client_id);
+
+CREATE INDEX ibexa_oauth2_client_grant_client_grant_idx ON ibexa_oauth2_client_grant (client_grant);
+
+CREATE UNIQUE INDEX ibexa_oauth2_client_grant_unique_idx ON ibexa_oauth2_client_grant (client_id, client_grant);
+
+CREATE TABLE
+    ibexa_oauth2_client_token (
+        id SERIAL NOT NULL,
+        client_id INT NOT NULL,
+        token_id INT NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_client_token_client_id_idx ON ibexa_oauth2_client_token (client_id);
+
+CREATE INDEX ibexa_oauth2_client_token_token_id_idx ON ibexa_oauth2_client_token (token_id);
+
+CREATE UNIQUE INDEX ibexa_oauth2_client_token_unique_idx ON ibexa_oauth2_client_token (client_id, token_id);
+
+CREATE TABLE
+    ibexa_oauth2_client_scope (
+        id SERIAL NOT NULL,
+        client_id INT NOT NULL,
+        client_scope VARCHAR(255) NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_client_scope_client_id_idx ON ibexa_oauth2_client_scope (client_id);
+
+CREATE INDEX ibexa_oauth2_client_scope_client_scope_idx ON ibexa_oauth2_client_scope (client_scope);
+
+CREATE UNIQUE INDEX ibexa_oauth2_client_scope_unique_idx ON ibexa_oauth2_client_scope (client_id, client_scope);
+
+CREATE TABLE
+    ibexa_oauth2_token_scope (
+        id SERIAL NOT NULL,
+        token_id INT NOT NULL,
+        token_scope VARCHAR(255) NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_token_scope_token_id_idx ON ibexa_oauth2_token_scope (token_id);
+
+CREATE INDEX ibexa_oauth2_token_scope_scope_idx ON ibexa_oauth2_token_scope (token_scope);
+
+CREATE UNIQUE INDEX ibexa_oauth2_token_scope_unique_idx ON ibexa_oauth2_token_scope (token_id, token_scope);
+
+CREATE TABLE
+    ibexa_oauth2_refresh_access_token (
+        id SERIAL NOT NULL,
+        access_token_id INT NOT NULL,
+        refresh_token_id INT NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_refresh_access_token_access_token_id_idx ON ibexa_oauth2_refresh_access_token (access_token_id);
+
+CREATE INDEX ibexa_oauth2_refresh_access_token_refresh_token_id_idx ON ibexa_oauth2_refresh_access_token (refresh_token_id);
+
+CREATE UNIQUE INDEX ibexa_oauth2_refresh_access_token_unique_idx ON ibexa_oauth2_refresh_access_token (access_token_id, refresh_token_id);
+
+CREATE TABLE
+    ibexa_oauth2_consent (
+        id SERIAL NOT NULL,
+        user_identifier VARCHAR(150) NOT NULL,
+        client_identifier VARCHAR(32) NOT NULL,
+        created INT DEFAULT 0 NOT NULL,
+        updated INT DEFAULT 0 NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX IDX_40497C0FD0494586 ON ibexa_oauth2_consent (user_identifier);
+
+CREATE INDEX IDX_40497C0FE77ABE2B ON ibexa_oauth2_consent (client_identifier);
+
+CREATE INDEX ibexa_oauth2_consent_consent_idx ON ibexa_oauth2_consent (user_identifier, client_identifier);
+
+CREATE UNIQUE INDEX ibexa_oauth2_consent_unique_idx ON ibexa_oauth2_consent (user_identifier, client_identifier);
+
+CREATE TABLE
+    ibexa_oauth2_consent_scope (
+        id SERIAL NOT NULL,
+        consent_id INT NOT NULL,
+        consent_scope VARCHAR(255) NOT NULL,
+        PRIMARY KEY (id)
+    );
+
+CREATE INDEX ibexa_oauth2_consent_scope_consent_id_idx ON ibexa_oauth2_consent_scope (consent_id);
+
+CREATE INDEX ibexa_oauth2_consent_scope_consent_scope_idx ON ibexa_oauth2_consent_scope (consent_scope);
+
+CREATE UNIQUE INDEX ibexa_oauth2_consent_scope_unique_idx ON ibexa_oauth2_consent_scope (consent_id, consent_scope);
+
+ALTER TABLE ibexa_oauth2_client_redirect_uri ADD CONSTRAINT ibexa_oauth2_client_redirect_uri_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_client_grant ADD CONSTRAINT ibexa_oauth2_client_grant_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_client_token ADD CONSTRAINT ibexa_oauth2_client_token_client_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_client_token ADD CONSTRAINT ibexa_oauth2_client_token_token_fk FOREIGN KEY (token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_client_scope ADD CONSTRAINT ibexa_oauth2_client_scope_fk FOREIGN KEY (client_id) REFERENCES ibexa_oauth2_client (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_token_scope ADD CONSTRAINT ibexa_oauth2_token_scope_fk FOREIGN KEY (token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_refresh_access_token ADD CONSTRAINT ibexa_oauth2_refresh_access_token_access_token_fk FOREIGN KEY (access_token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_refresh_access_token ADD CONSTRAINT ibexa_oauth2_refresh_access_token_refresh_token_fk FOREIGN KEY (refresh_token_id) REFERENCES ibexa_token (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_consent ADD CONSTRAINT ibexa_oauth2_consent_user_fk FOREIGN KEY (user_identifier) REFERENCES ezuser (login) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_consent ADD CONSTRAINT ibexa_oauth2_consent_client_fk FOREIGN KEY (client_identifier) REFERENCES ibexa_oauth2_client (client_identifier) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;
+
+ALTER TABLE ibexa_oauth2_consent_scope ADD CONSTRAINT ibexa_oauth2_consent_scope_fk FOREIGN KEY (consent_id) REFERENCES ibexa_oauth2_consent (id) ON UPDATE CASCADE ON DELETE CASCADE NOT DEFERRABLE INITIALLY IMMEDIATE;