Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] OidcTokenHandler support JWKSet #51665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 10 commits into from
Closed

[Security] OidcTokenHandler support JWKSet #51665

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
3991c2f
Support JWKS json from url
louismariegaborit Sep 15, 2023
3b17a05
Fix for complete RS256 algorithm support
louismariegaborit Sep 15, 2023
1adc96d
Fix BC Break
louismariegaborit Sep 15, 2023
177642e
Update changelog
louismariegaborit Sep 15, 2023
dbf157c
Use HttpClient to get json from url
louismariegaborit Sep 15, 2023
3166188
OidcTokenHandlerTest : add test for JWKSet case
louismariegaborit Sep 15, 2023
615b64e
Fix psalm error
louismariegaborit Sep 15, 2023
aa228fc
Remove RSA algorithm support
louismariegaborit Jan 30, 2024
6e047ba
OidcTokenHandler first arg instance of AlgorithmManager
louismariegaborit Jan 31, 2024
4066312
Remove jwks_url parameter
louismariegaborit Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
OidcTokenHandler first arg instance of AlgorithmManager
  • Loading branch information
@louismariegaborit
louismariegaborit committed Jan 31, 2024
commit 6e047ba8ad50d6ede10d78fde81530b0487575de
12 changes: 9 additions & 3 deletions ...undle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,13 +39,19 @@ public function create(ContainerBuilder $container, string $id, array|string $co
// @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory
// for supported algorithms
if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) {
$tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']));
$algorithmDefinition = new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']);
} else {
$tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))
$algorithmDefinition = (new ChildDefinition('security.access_token_handler.oidc.signature'))
->replaceArgument(0, $config['algorithm'])
);
;
}

$algorithmManagerDefinition = $container->setDefinition($id.'.algorithm_manager', (new ChildDefinition('security.access_token_handler.oidc.algorithm_manager'))
->replaceArgument(0, [$algorithmDefinition])
);

$tokenHandlerDefinition->replaceArgument(0, $algorithmManagerDefinition);

if (!isset($config['jwks_url']) && !isset($config['key'])) {
throw new LogicException('You should defined key or jwks_url parameter in configuration.');
}
Expand Down
7 changes: 7 additions & 0 deletions src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Symfony\Component\DependencyInjection\Loader\Configurator;

use Jose\Component\Core\Algorithm;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\Algorithm\ES256;
Expand Down Expand Up @@ -97,6 +98,12 @@
abstract_arg('signature algorithm'),
])

->set('security.access_token_handler.oidc.algorithm_manager', AlgorithmManager::class)
->abstract()
->args([
abstract_arg('signature algorithms'),
])

->set('security.access_token_handler.oidc.signature.ES256', ES256::class)
->parent('security.access_token_handler.oidc.signature')
->args(['index_0' => 'ES256'])
Expand Down
14 changes: 11 additions & 3 deletions src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,15 +38,23 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
{
use OidcTrait;

private AlgorithmManager $algorithmManager;

public function __construct(
private Algorithm $signatureAlgorithm,
private Algorithm|AlgorithmManager $signatureAlgorithm,
private JWK|JWKSet $jwk,
private string $audience,
private array $issuers,
private string $claim = 'sub',
private ?LoggerInterface $logger = null,
private ClockInterface $clock = new Clock(),
) {
if ($this->signatureAlgorithm instanceof Algorithm) {
trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
$this->algorithmManager = new AlgorithmManager([$this->signatureAlgorithm]);
} else {
$this->algorithmManager = $signatureAlgorithm;
}
}

public function getUserBadgeFrom(string $accessToken): UserBadge
Expand All @@ -57,7 +65,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge

try {
// Decode the token
$jwsVerifier = new JWSVerifier(new AlgorithmManager([$this->signatureAlgorithm]));
$jwsVerifier = new JWSVerifier($this->algorithmManager);
$serializerManager = new JWSSerializerManager([new CompactSerializer()]);
$jws = $serializerManager->unserialize($accessToken);
$claims = json_decode($jws->getPayload(), true);
Expand All @@ -77,7 +85,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge

// Verify the headers
$headerCheckerManager = new Checker\HeaderCheckerManager([
new Checker\AlgorithmChecker([$this->signatureAlgorithm->name()]),
new Checker\AlgorithmChecker($this->algorithmManager->list()),
], [
new JWSTokenSupport(),
]);
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Component/Security/Http/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ CHANGELOG
---

* Add `#[IsCsrfTokenValid]` attribute
* Deprecate passing a Algorithm object as the 1st argument to the constructor of `Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler`

7.0
---
Expand Down
6 changes: 3 additions & 3 deletions src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
$loggerMock->expects($this->never())->method('error');

$userBadge = (new OidcTokenHandler(
new ES256(),
new AlgorithmManager([new ES256()]),
$jwk,
self::AUDIENCE,
['https://www.example.com'],
Expand Down Expand Up @@ -90,7 +90,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
$this->expectExceptionMessage('Invalid credentials.');

(new OidcTokenHandler(
new ES256(),
new AlgorithmManager([new ES256()]),
$this->getJWK(),
self::AUDIENCE,
['https://www.example.com'],
Expand Down Expand Up @@ -149,7 +149,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
$this->expectExceptionMessage('Invalid credentials.');

(new OidcTokenHandler(
new ES256(),
new AlgorithmManager([new ES256()]),
self::getJWK(),
self::AUDIENCE,
['https://www.example.com'],
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Component/Security/Http/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
],
"require": {
"php": ">=8.2",
"symfony/deprecation-contracts": "^2.5|^3",
"symfony/http-foundation": "^6.4|^7.0",
"symfony/http-kernel": "^6.4|^7.0",
"symfony/polyfill-mbstring": "~1.0",
Expand Down