Support JWKS json from url

louismariegaborit · louismariegaborit · commit 8a422ab2e908 · 2023-09-15T12:47:00.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -13,6 +13,7 @@
 
 use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Symfony\Component\Config\Definition\Builder\NodeBuilder;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
@@ -46,9 +47,20 @@ public function create(ContainerBuilder $container, string $id, array|string $co
             );
         }
 
-        $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwk'))
-            ->replaceArgument(0, $config['key'])
-        );
+        if (!isset($config['jwks_url']) && !isset($config['key'])) {
+            throw new LogicException('You should defined key or jwks_url parameter in configuration.');
+        }
+
+        if (isset($config['jwks_url'])) {
+            $jwksJson = file_get_contents($config['jwks_url']);
+        } elseif (isset($config['key'])) {
+            $jwksJson = json_encode((new JWKSet([JWK::createFromJson($config['key'])]))->jsonSerialize());
+        }
+
+        $jwkSetDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set'))
+            ->replaceArgument(0, $jwksJson);
+
+        $tokenHandlerDefinition->replaceArgument(1, $jwkSetDefinition);
     }
 
     public function getKey(): string
@@ -81,7 +93,9 @@ public function addConfiguration(NodeBuilder $node): void
                     ->end()
                     ->scalarNode('key')
                         ->info('JSON-encoded JWK used to sign the token (must contain a "kty" key).')
-                        ->isRequired()
+                    ->end()
+                    ->scalarNode('jwks_url')
+                        ->info('Url to retrieve JWKSet JSON-encoded (must contain a "keys" key).')
                     ->end()
                 ->end()
             ->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php
@@ -29,6 +29,7 @@ public static function create(string $algorithm): AlgorithmInterface
             case 'ES256':
             case 'ES384':
             case 'ES512':
+            case 'RS256':
                 if (!class_exists(Algorithm::class.'\\'.$algorithm)) {
                     throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm));
                 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -12,7 +12,7 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Jose\Component\Core\Algorithm;
-use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
@@ -75,11 +75,11 @@
                 service('clock'),
             ])
 
-        ->set('security.access_token_handler.oidc.jwk', JWK::class)
+        ->set('security.access_token_handler.oidc.jwk_set', JWKSet::class)
             ->abstract()
-            ->factory([JWK::class, 'createFromJson'])
+            ->factory([JWKSet::class, 'createFromJson'])
             ->args([
-                abstract_arg('signature key'),
+                abstract_arg('signature keys'),
             ])
 
         ->set('security.access_token_handler.oidc.signature', Algorithm::class)
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -15,7 +15,7 @@
 use Jose\Component\Checker\ClaimCheckerManager;
 use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManager;
-use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\JWSTokenSupport;
 use Jose\Component\Signature\JWSVerifier;
 use Jose\Component\Signature\Serializer\CompactSerializer;
@@ -39,7 +39,7 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
 
     public function __construct(
         private Algorithm $signatureAlgorithm,
-        private JWK $jwk,
+        private JWKSet $jwkSet,
         private string $audience,
         private array $issuers,
         private string $claim = 'sub',
@@ -62,7 +62,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             $claims = json_decode($jws->getPayload(), true);
 
             // Verify the signature
-            if (!$jwsVerifier->verifyWithKey($jws, $this->jwk, 0)) {
+            if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwkSet, 0)) {
                 throw new InvalidSignatureException();
             }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
@@ -13,6 +13,7 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\Serializer\CompactSerializer;
@@ -54,7 +55,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
 
         $userBadge = (new OidcTokenHandler(
             new ES256(),
-            $this->getJWK(),
+            $this->getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             $claim,
@@ -88,7 +89,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
 
         (new OidcTokenHandler(
             new ES256(),
-            $this->getJWK(),
+            $this->getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             'sub',
@@ -147,7 +148,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
 
         (new OidcTokenHandler(
             new ES256(),
-            self::getJWK(),
+            self::getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             'email',
@@ -177,4 +178,9 @@ private static function getJWK(): JWK
             'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
         ]);
     }
+
+    private static function getJWKSet(): JWKSet
+    {
+        return new JWKSet([self::getJWK()]);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ public static function create(string $algorithm): AlgorithmInterface`
`29`	`29`	`case 'ES256':`
`30`	`30`	`case 'ES384':`
`31`	`31`	`case 'ES512':`
	`32`	`+ case 'RS256':`
`32`	`33`	`if (!class_exists(Algorithm::class.'\\'.$algorithm)) {`
`33`	`34`	`throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm));`
`34`	`35`	`}`