fix(security): improve oidc_user_info DX + introduce base_uri option

vincentchalamon · vincentchalamon · commit dab1d315bba0 · 2023-05-30T14:09:21.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcUserInfoTokenHandlerFactory.php
@@ -15,7 +15,7 @@
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Reference;
-use Symfony\Component\HttpClient\HttpClient;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 /**
  * Configures a token handler for an OIDC server.
@@ -30,20 +30,19 @@ public function create(ContainerBuilder $container, string $id, array|string $co
         $tokenHandlerDefinition->replaceArgument(2, $config['claim']);
 
         // Create the client service
-        if (!isset($config['client']['id'])) {
+        if (isset($config['base_uri'])) {
             $clientDefinitionId = 'http_client.security.access_token_handler.oidc_user_info';
-            if (!ContainerBuilder::willBeAvailable('symfony/http-client', HttpClient::class, ['symfony/security-bundle'])) {
+            if (!ContainerBuilder::willBeAvailable('symfony/http-client', HttpClientInterface::class, ['symfony/security-bundle'])) {
                 $container->register($clientDefinitionId, 'stdClass')
                     ->addError('You cannot use the "oidc_user_info" token handler since the HttpClient component is not installed. Try running "composer require symfony/http-client".');
             } else {
-                $container->register($clientDefinitionId, HttpClient::class)
-                    ->setFactory([HttpClient::class, 'create'])
-                    ->setArguments([$config['client']])
+                $container->setDefinition($clientDefinitionId, new ChildDefinition('security.access_token_handler.oidc_user_info.http_client'))
+                    ->setArguments(['base_uri' => $config['base_uri']])
                     ->addTag('http_client.client');
             }
         }
 
-        $tokenHandlerDefinition->replaceArgument(0, new Reference($config['client']['id'] ?? $clientDefinitionId));
+        $tokenHandlerDefinition->replaceArgument(0, new Reference($clientDefinitionId ?? $config['client']));
     }
 
     public function getKey(): string
@@ -56,19 +55,28 @@ public function addConfiguration(NodeBuilder $node): void
         $node
             ->arrayNode($this->getKey())
                 ->fixXmlConfig($this->getKey())
+                ->beforeNormalization()
+                    ->ifString()
+                    ->then(static function ($v): array { return ['claim' => 'sub', 'base_uri' => $v]; })
+                ->end()
+                ->validate()
+                    ->ifTrue(function ($v) { return !empty($v['base_uri']) && !empty($v['client']); })
+                    ->thenInvalid('You cannot configure the base_uri and the client together.')
+                ->end()
+                ->validate()
+                    ->ifTrue(function ($v) { return empty($v['base_uri']) && empty($v['client']); })
+                    ->thenInvalid('You must configure the "base_uri" or the "client" option.')
+                ->end()
                 ->children()
                     ->scalarNode('claim')
                         ->info('Claim which contains the user identifier (e.g.: sub, email..).')
                         ->defaultValue('sub')
                     ->end()
-                    ->arrayNode('client')
-                        ->info('HttpClient to call the OIDC server.')
-                        ->isRequired()
-                        ->beforeNormalization()
-                            ->ifString()
-                            ->then(static function ($v): array { return ['id' => $v]; })
-                        ->end()
-                        ->prototype('scalar')->end()
+                    ->scalarNode('base_uri')
+                        ->info('HttpClient base_uri to call the OIDC server.')
+                    ->end()
+                    ->scalarNode('client')
+                        ->info('HttpClient service id to call the OIDC server.')
                     ->end()
                 ->end()
             ->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler;
 use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
@@ -44,6 +45,10 @@
             ])
 
         // OIDC
+        ->set('security.access_token_handler.oidc_user_info.http_client', HttpClientInterface::class)
+            ->abstract()
+            ->factory([service('http_client'), 'withOptions'])
+
         ->set('security.access_token_handler.oidc_user_info', OidcUserInfoTokenHandler::class)
             ->abstract()
             ->args([
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
@@ -89,11 +89,14 @@ public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
         $this->assertFalse($container->hasDefinition('http_client.security.access_token_handler.oidc_user_info'));
     }
 
-    public function testOidcUserInfoTokenHandlerConfigurationWithClientCreation()
+    /**
+     * @dataProvider getOidcUserInfoConfiguration
+     */
+    public function testOidcUserInfoTokenHandlerConfigurationWithBaseUri(array $configuration)
     {
         $container = new ContainerBuilder();
         $config = [
-            'token_handler' => ['oidc_user_info' => ['client' => ['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']]],
+            'token_handler' => ['oidc_user_info' => $configuration],
         ];
 
         $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
@@ -106,6 +109,12 @@ public function testOidcUserInfoTokenHandlerConfigurationWithClientCreation()
         $this->assertTrue($container->hasDefinition('http_client.security.access_token_handler.oidc_user_info'));
     }
 
+    public function getOidcUserInfoConfiguration(): iterable
+    {
+        yield [['base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo']];
+        yield ['https://www.example.com/realms/demo/protocol/openid-connect/userinfo'];
+    }
+
     public function testMultipleTokenHandlersSet()
     {
         $this->expectException(InvalidConfigurationException::class);
@@ -114,7 +123,7 @@ public function testMultipleTokenHandlersSet()
         $config = [
             'token_handler' => [
                 'id' => 'in_memory_token_handler_service_id',
-                'oidc_user_info' => ['client' => 'oidc.client'],
+                'oidc_user_info' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo',
             ],
         ];
 
