[Security] Support JWE on OidcTokenHandler #50441


Closed
vincentchalamon opened this issue May 26, 2023 · 5 comments · Fixed by #57721

Comments

@vincentchalamon
Contributor

Description

The OIDC Core Specification recommends decrypting the ID Token if it's encrypted:

If the ID Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt the ID Token. If encryption was negotiated with the OP at Registration time and the ID Token is not encrypted, the RP SHOULD reject it.

AFAIK, JWEs are not often used. But as Symfony supports the OIDC feature (experimentally), it could be interesting to support JWE. It concerns only OidcTokenHandler.

Question: should it be a new feature or a bugfix (as it's part of the Core Specification)?

Example

To decrypt a JWE, a public JWK is required. Hopefully, it is available on the /certs endpoint of the OIDC server, so we can import it dynamically (cf. #50434).

```yaml
security:
  firewalls:
    main:
      oidc:
        # add new "encryption" option
        encryption:
          # proposal 1: same approach as the "signature.key" option, the JWK is set here as a JSON string
          key: '{"kid": "...","kty": "RSA","alg": "RS256","use": "sig","n": "3G..."}'
          # proposal 2: detect that the value is a URI, call it to import the JWK
          key: 'https://www.example.com/protocol/openid-connect/certs'
          # proposal 3: add a "certs" option, not combinable with "key", to import and set the "key" option dynamically
          certs: 'https://www.example.com/protocol/openid-connect/certs'
```
@chalasr
Member

chalasr commented Jun 9, 2023

I'd say it's a new feature, given that solving it implies extending the configuration.

> It concerns only OidcTokenHandler.

Note that pretty much everything may be encrypted in OIDC interactions, even UserInfo success responses used by OidcUserInfoTokenHandler. Use cases are probably even less common though.

@carsonbot

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

@vincentchalamon
Contributor Author

Hey @carsonbot, let's keep this one open, I just didn't have time to focus on it yet.

@carsonbot

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

@vincentchalamon
Contributor Author

Hey @carsonbot, let's keep this one open, I just didn't have time to focus on it yet.

@carsonbot carsonbot removed the Stalled label Jun 11, 2024
@fabpot fabpot closed this as completed Jan 17, 2025
fabpot added a commit that referenced this issue Jan 17, 2025
…IDC tokens (Spomky)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security][SecurityBundle] Add encryption support to OIDC tokens

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | Fix #50441
| License       | MIT

The changes add encryption support to OpenID Connect (OIDC) tokens in the Symfony Security Bundle. This is useful in making the application more secure. They also ensure the tokens are correctly decrypted and validated before use. Additionally, tests have been expanded to cover these new scenarios.

```yaml
security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oidc:
                        ...
                        encryption:
                            enabled: true
                            algorithms: [...]
                            keyset: '{"keys": [{...}]}'
```

Commits
-------

04c53b4 [Security] OAuth2 Introspection Endpoint (RFC7662)
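As an added example (not Symfony's code nor the merged PR's), this is the gatekeeping a relying party applies before handing a token to a JOSE library when `encryption.enabled` is set: a plain JWS is rejected, the JWE's key-management `alg` must be in the configured `algorithms`, and its `kid` must resolve to an encryption key in `keyset`. The keyset and both tokens are constructed placeholders; the decryption itself and the verification of the inner JWS are left to the library.

```python
import base64
import json

# Constructed keyset in the shape of the `keyset` option ("n" is a placeholder).
KEYSET = {"keys": [{"kid": "enc-1", "kty": "RSA", "use": "enc",
                    "alg": "RSA-OAEP-256", "n": "3G...", "e": "AQAB"}]}
ALLOWED_ALGS = ["RSA-OAEP-256"]  # the `algorithms` option (key-management algs)

def _b64url_decode_json(segment):
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def _b64url_encode_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_oidc_token(token, encryption_enabled=True, allowed_algs=ALLOWED_ALGS,
                     keyset=KEYSET):
    """Return ("JWE", header) or ("JWS", header) when the token may be handed to
    the JOSE library for decryption / verification, else ("REJECT", reason)."""
    parts = token.split(".")
    try:
        header = _b64url_decode_json(parts[0])
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "REJECT", "protected header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return "REJECT", "protected header is not a JSON object"
    if len(parts) == 3:  # JWS: header.payload.signature
        if encryption_enabled:  # encryption negotiated, but the OP sent a plain JWS
            return "REJECT", "encryption enabled but token is not a JWE"
        return "JWS", header
    if len(parts) != 5 or "enc" not in header:
        return "REJECT", "not a compact JWS (3 parts) or JWE (5 parts)"
    if header.get("alg") not in allowed_algs:
        # Refuse before decrypting so the token cannot choose the algorithm itself.
        return "REJECT", f"alg {header.get('alg')!r} not in configured algorithms"
    kid = header.get("kid")
    if not any(k.get("kid") == kid and k.get("use", "enc") == "enc"
               for k in keyset["keys"]):
        return "REJECT", f"no encryption key with kid {kid!r} in keyset"
    return "JWE", header

# Constructed tokens: only the protected header is real; later segments are
# placeholders, since nothing past the header is inspected here.
JWE_TOKEN = ".".join([_b64url_encode_json({"alg": "RSA-OAEP-256", "enc": "A256GCM",
                                           "kid": "enc-1", "cty": "JWT"}),
                      "encryptedkey", "iv", "ciphertext", "tag"])
JWS_TOKEN = ".".join([_b64url_encode_json({"alg": "RS256", "kid": "sig-1"}),
                      "payload", "signature"])
```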