From 3991c2f58c9d4e2303a77ce5d2d3ee0c12aad1cb Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 12:05:42 +0200 Subject: [PATCH 01/10] Support JWKS json from url --- .../AccessToken/OidcTokenHandlerFactory.php | 23 +++++++++++++++---- .../Factory/SignatureAlgorithmFactory.php | 1 + .../security_authenticator_access_token.php | 8 +++---- .../AccessToken/Oidc/OidcTokenHandler.php | 6 ++--- .../AccessToken/Oidc/OidcTokenHandlerTest.php | 12 +++++++--- 5 files changed, 36 insertions(+), 14 deletions(-) diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index 7be00eaff35d..2d39fc1ce1bd 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php @@ -12,6 +12,8 @@ namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken; use Jose\Component\Core\Algorithm; +use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; use Symfony\Component\Config\Definition\Builder\NodeBuilder; use Symfony\Component\DependencyInjection\ChildDefinition; use Symfony\Component\DependencyInjection\ContainerBuilder; 
@@ -45,9 +47,20 @@ public function create(ContainerBuilder $container, string $id, array|string $co ); } - $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwk')) - ->replaceArgument(0, $config['key']) - ); + if (!isset($config['jwks_url']) && !isset($config['key'])) { + throw new LogicException('You should defined key or jwks_url parameter in configuration.'); + } + + if (isset($config['jwks_url'])) { + $jwksJson = file_get_contents($config['jwks_url']); + } elseif (isset($config['key'])) { + $jwksJson = json_encode((new JWKSet([JWK::createFromJson($config['key'])]))->jsonSerialize()); + } + + $jwkSetDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set')) + ->replaceArgument(0, $jwksJson); + + $tokenHandlerDefinition->replaceArgument(1, $jwkSetDefinition); } public function getKey(): string @@ -80,7 +93,9 @@ public function addConfiguration(NodeBuilder $node): void ->end() ->scalarNode('key') ->info('JSON-encoded JWK used to sign the token (must contain a "kty" key).') - ->isRequired() + ->end() + ->scalarNode('jwks_url') + ->info('Url to retrieve JWKSet JSON-encoded (must contain a "keys" key).') ->end() ->end() ->end() diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php index feb63c26350b..11b225eb14c6 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php 
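Review bot: The return value of `file_get_contents($config['jwks_url'])` is never checked, so a failed fetch (DNS, TLS or HTTP error) stores `false` as argument 0 of the `jwk_set` child definition and the failure only surfaces when `JWKSet::createFromJson()` runs at the first request, far from the configuration that caused it. Because this runs in `create()`, the key set is also fetched and frozen into the container at compile time, so keys rotated or withdrawn by the provider are not seen until the cache is rebuilt; that deserves a comment on the line and a guard such as `if (false === $jwksJson = file_get_contents($config['jwks_url'])) { throw new LogicException(sprintf('Unable to fetch the JWKSet from "%s".', $config['jwks_url'])); }`. The same unchecked call survives the refactor in patch 03 (hunk `@@ -53,14 +51,14 @@`). The new message `You should defined key or jwks_url parameter in configuration.` should read `You must define either the "key" or the "jwks_url" option.`.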
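Review bot: Dropping `isRequired()` from `key` leaves the configuration tree accepting a handler with neither `key` nor `jwks_url`; the only check is the LogicException thrown later in `create()`, which is reached only once the factory runs and carries no config path. Expressing the constraint on the enclosing node (outside this hunk), e.g. `->validate()->ifTrue(fn ($v) => !isset($v['key']) && !isset($v['jwks_url']))->thenInvalid('Either "key" or "jwks_url" must be set.')`, reports it as an InvalidConfigurationException at the right place. When both options are set, `jwks_url` silently wins in `create()`; the `info()` of `key` should say so, or the combination should be rejected by the same validator.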
@@ -29,6 +29,7 @@ public static function create(string $algorithm): AlgorithmInterface case 'ES256': case 'ES384': case 'ES512': + case 'RS256': if (!class_exists(Algorithm::class.'\\'.$algorithm)) { throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm)); } diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php index 66716b23ad89..0a89f6fe3c76 100644 --- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php @@ -12,7 +12,7 @@ namespace Symfony\Component\DependencyInjection\Loader\Configurator; use Jose\Component\Core\Algorithm; -use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\Algorithm\ES384; use Jose\Component\Signature\Algorithm\ES512; @@ -75,11 +75,11 @@ service('clock'), ]) - ->set('security.access_token_handler.oidc.jwk', JWK::class) + ->set('security.access_token_handler.oidc.jwk_set', JWKSet::class) ->abstract() - ->factory([JWK::class, 'createFromJson']) + ->factory([JWKSet::class, 'createFromJson']) ->args([ - abstract_arg('signature key'), + abstract_arg('signature keys'), ]) ->set('security.access_token_handler.oidc.signature', Algorithm::class) diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php index e72e0d1eb67c..3778b061e899 100644 --- a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php +++ b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php 
@@ -15,7 +15,7 @@ use Jose\Component\Checker\ClaimCheckerManager; use Jose\Component\Core\Algorithm; use Jose\Component\Core\AlgorithmManager; -use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; use Jose\Component\Signature\JWSTokenSupport; use Jose\Component\Signature\JWSVerifier; use Jose\Component\Signature\Serializer\CompactSerializer; @@ -39,7 +39,7 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface public function __construct( private Algorithm $signatureAlgorithm, - private JWK $jwk, + private JWKSet $jwkSet, private string $audience, private array $issuers, private string $claim = 'sub', @@ -62,7 +62,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge $claims = json_decode($jws->getPayload(), true); // Verify the signature - if (!$jwsVerifier->verifyWithKey($jws, $this->jwk, 0)) { + if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwkSet, 0)) { throw new InvalidSignatureException(); } diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php index ae3ca5308b06..cd9d9b72cf22 100644 --- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php @@ -13,6 +13,7 @@ use Jose\Component\Core\AlgorithmManager; use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\JWSBuilder; use Jose\Component\Signature\Serializer\CompactSerializer; @@ -54,7 +55,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp $userBadge = (new OidcTokenHandler( new ES256(), - $this->getJWK(), + $this->getJWKSet(), self::AUDIENCE, ['https://www.example.com'], $claim, 
@@ -88,7 +89,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token) (new OidcTokenHandler( new ES256(), - $this->getJWK(), + $this->getJWKSet(), self::AUDIENCE, ['https://www.example.com'], 'sub', @@ -147,7 +148,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing() (new OidcTokenHandler( new ES256(), - self::getJWK(), + self::getJWKSet(), self::AUDIENCE, ['https://www.example.com'], 'email', @@ -177,4 +178,9 @@ private static function getJWK(): JWK 'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220', ]); } + + private static function getJWKSet(): JWKSet + { + return new JWKSet([self::getJWK()]); + } } From 3b17a05f6cf280f947a3ba62e757744f769abc64 Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 13:13:08 +0200 Subject: [PATCH 02/10] Fix for complete RS256 algorithm support --- composer.json | 3 ++- .../AccessToken/OidcTokenHandlerFactory.php | 2 +- .../Security/Factory/SignatureAlgorithmFactory.php | 13 ++++++++++--- .../config/security_authenticator_access_token.php | 5 +++++ src/Symfony/Component/Security/Http/composer.json | 3 ++- 5 files changed, 20 insertions(+), 6 deletions(-) diff --git a/composer.json b/composer.json index 0996d063e425..d0ef4180b7dc 100644 --- a/composer.json +++ b/composer.json @@ -157,7 +157,8 @@ "twig/inky-extra": "^2.12|^3", "twig/markdown-extra": "^2.12|^3", "web-token/jwt-checker": "^3.1", - "web-token/jwt-signature-algorithm-ecdsa": "^3.1" + "web-token/jwt-signature-algorithm-ecdsa": "^3.1", + "web-token/jwt-signature-algorithm-rsa": "^3.1" }, "conflict": { "ext-psr": "<1.1|>=2", diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index 2d39fc1ce1bd..1e561c89df11 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php 
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php @@ -39,7 +39,7 @@ public function create(ContainerBuilder $container, string $id, array|string $co // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory // for supported algorithms - if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) { + if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512', 'RS256'], true)) { $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm'])); } else { $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature')) diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php index 11b225eb14c6..17eb3396eb92 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php 
@@ -29,16 +29,23 @@ public static function create(string $algorithm): AlgorithmInterface case 'ES256': case 'ES384': case 'ES512': - case 'RS256': if (!class_exists(Algorithm::class.'\\'.$algorithm)) { throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm)); } $algorithm = Algorithm::class.'\\'.$algorithm; + break; + case 'RS256': + if (!class_exists(Algorithm::class.'\\'.$algorithm)) { + throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-rsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-rsa".', $algorithm)); + } - return new $algorithm(); + $algorithm = Algorithm::class.'\\'.$algorithm; + break; + default: + throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS256 algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)); } - throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)); + return new $algorithm(); } } diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php index 0a89f6fe3c76..5175be07f1e7 100644 --- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php 
@@ -16,6 +16,7 @@ use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\Algorithm\ES384; use Jose\Component\Signature\Algorithm\ES512; +use Jose\Component\Signature\Algorithm\RS256; use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory; use Symfony\Component\Security\Http\AccessToken\ChainAccessTokenExtractor; use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor; @@ -100,5 +101,9 @@ ->set('security.access_token_handler.oidc.signature.ES512', ES512::class) ->parent('security.access_token_handler.oidc.signature') ->args(['index_0' => 'ES512']) + + ->set('security.access_token_handler.oidc.signature.RS256', RS256::class) + ->parent('security.access_token_handler.oidc.signature') + ->args(['index_0' => 'RS256']) ; }; diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json index 3f96dc20c137..038745bdaba5 100644 --- a/src/Symfony/Component/Security/Http/composer.json +++ b/src/Symfony/Component/Security/Http/composer.json @@ -35,7 +35,8 @@ "symfony/translation": "^6.4|^7.0", "psr/log": "^1|^2|^3", "web-token/jwt-checker": "^3.1", - "web-token/jwt-signature-algorithm-ecdsa": "^3.1" + "web-token/jwt-signature-algorithm-ecdsa": "^3.1", + "web-token/jwt-signature-algorithm-rsa": "^3.1" }, "conflict": { "symfony/clock": "<6.4", From 1adc96d532f0a454fdc6bbf118d659ac32fa5cae Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 13:30:15 +0200 Subject: [PATCH 03/10] Fix BC Break --- .../AccessToken/OidcTokenHandlerFactory.php | 12 +++++------- .../config/security_authenticator_access_token.php | 8 ++++++++ .../Http/AccessToken/Oidc/OidcTokenHandler.php | 13 +++++++++++-- .../Tests/AccessToken/Oidc/OidcTokenHandlerTest.php | 12 +++--------- 4 files changed, 27 insertions(+), 18 deletions(-) 
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index 1e561c89df11..6ceae1cc23be 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php @@ -12,8 +12,6 @@ namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\AccessToken; use Jose\Component\Core\Algorithm; -use Jose\Component\Core\JWK; -use Jose\Component\Core\JWKSet; use Symfony\Component\Config\Definition\Builder\NodeBuilder; use Symfony\Component\DependencyInjection\ChildDefinition; use Symfony\Component\DependencyInjection\ContainerBuilder; @@ -53,14 +51,14 @@ public function create(ContainerBuilder $container, string $id, array|string $co if (isset($config['jwks_url'])) { $jwksJson = file_get_contents($config['jwks_url']); + $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set')) + ->replaceArgument(0, $jwksJson); } elseif (isset($config['key'])) { - $jwksJson = json_encode((new JWKSet([JWK::createFromJson($config['key'])]))->jsonSerialize()); + $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk')) + ->replaceArgument(0, $config['key']); } - $jwkSetDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set')) - ->replaceArgument(0, $jwksJson); - - $tokenHandlerDefinition->replaceArgument(1, $jwkSetDefinition); + $tokenHandlerDefinition->replaceArgument(1, $jwkDefinition); } public function getKey(): string diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php index 5175be07f1e7..db61c9e37e79 100644 
--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php @@ -12,6 +12,7 @@ namespace Symfony\Component\DependencyInjection\Loader\Configurator; use Jose\Component\Core\Algorithm; +use Jose\Component\Core\JWK; use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\Algorithm\ES384; @@ -76,6 +77,13 @@ service('clock'), ]) + ->set('security.access_token_handler.oidc.jwk', JWK::class) + ->abstract() + ->factory([JWK::class, 'createFromJson']) + ->args([ + abstract_arg('signature key'), + ]) + ->set('security.access_token_handler.oidc.jwk_set', JWKSet::class) ->abstract() ->factory([JWKSet::class, 'createFromJson']) diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php index 3778b061e899..c02f67947eba 100644 --- a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php +++ b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php @@ -15,6 +15,7 @@ use Jose\Component\Checker\ClaimCheckerManager; use Jose\Component\Core\Algorithm; use Jose\Component\Core\AlgorithmManager; +use Jose\Component\Core\JWK; use Jose\Component\Core\JWKSet; use Jose\Component\Signature\JWSTokenSupport; use Jose\Component\Signature\JWSVerifier; @@ -39,7 +40,7 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface public function __construct( private Algorithm $signatureAlgorithm, - private JWKSet $jwkSet, + private JWK|JWKSet $jwk, private string $audience, private array $issuers, private string $claim = 'sub', 
@@ -62,7 +63,15 @@ public function getUserBadgeFrom(string $accessToken): UserBadge $claims = json_decode($jws->getPayload(), true); // Verify the signature - if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwkSet, 0)) { + if ($this->jwk instanceof JWK) { + if (!$jwsVerifier->verifyWithKey($jws, $this->jwk, 0)) { + throw new InvalidSignatureException(); + } + } elseif ($this->jwk instanceof JWKSet) { + if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwk, 0)) { + throw new InvalidSignatureException(); + } + } else { throw new InvalidSignatureException(); } diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php index cd9d9b72cf22..ae3ca5308b06 100644 --- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php @@ -13,7 +13,6 @@ use Jose\Component\Core\AlgorithmManager; use Jose\Component\Core\JWK; -use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\JWSBuilder; use Jose\Component\Signature\Serializer\CompactSerializer; @@ -55,7 +54,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp $userBadge = (new OidcTokenHandler( new ES256(), - $this->getJWKSet(), + $this->getJWK(), self::AUDIENCE, ['https://www.example.com'], $claim, @@ -89,7 +88,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token) (new OidcTokenHandler( new ES256(), - $this->getJWKSet(), + $this->getJWK(), self::AUDIENCE, ['https://www.example.com'], 'sub', @@ -148,7 +147,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing() (new OidcTokenHandler( new ES256(), - self::getJWKSet(), + self::getJWK(), self::AUDIENCE, ['https://www.example.com'], 'email', 
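Review bot: The final `else { throw new InvalidSignatureException(); }` is unreachable, since the promoted `$jwk` property is typed `JWK|JWKSet`, and the two live branches duplicate the same throw. A single dispatch keeps one failure path: `$verified = $this->jwk instanceof JWK ? $jwsVerifier->verifyWithKey($jws, $this->jwk, 0) : $jwsVerifier->verifyWithKeySet($jws, $this->jwk, 0);` followed by `if (!$verified) { throw new InvalidSignatureException(); }`. The enclosing `getUserBadgeFrom()` starts and ends outside the hunk.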
@@ -178,9 +177,4 @@ private static function getJWK(): JWK 'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220', ]); } - - private static function getJWKSet(): JWKSet - { - return new JWKSet([self::getJWK()]); - } } From 177642e45c1dda3af357046ead36bbb7ff22c8e6 Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 13:38:46 +0200 Subject: [PATCH 04/10] Update changelog --- src/Symfony/Bundle/SecurityBundle/CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md index f704e00d92de..c119f900c0f1 100644 --- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md +++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md @@ -5,6 +5,8 @@ CHANGELOG --- * Mark class `ExpressionCacheWarmer` as `final` + * Add `jwks_url` option in oidc token handler configuration + * Support RS256 algorithm for oidc token signature 7.0 --- From dbf157c47f1c9c531410cf608c04ce87680881e6 Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 16:34:17 +0200 Subject: [PATCH 05/10] Use HttpClient to get json from url --- .../Security/AccessToken/OidcTokenHandlerFactory.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index 6ceae1cc23be..848d0dd79357 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php 
@@ -17,6 +17,7 @@ use Symfony\Component\DependencyInjection\ContainerBuilder; use Symfony\Component\DependencyInjection\Exception\LogicException; use Symfony\Component\DependencyInjection\Reference; +use Symfony\Component\HttpClient\HttpClient; /** * Configures a token handler for decoding and validating an OIDC token. @@ -50,9 +51,16 @@ public function create(ContainerBuilder $container, string $id, array|string $co } if (isset($config['jwks_url'])) { - $jwksJson = file_get_contents($config['jwks_url']); + if (!class_exists(HttpClient::class)) { + throw new LogicException(sprintf('You cannot use "%s" as the HttpClient component is not installed. Try running "composer require symfony/http-client".', __CLASS__)); + } + $httpClient = HttpClient::create(); + $response = $httpClient->request( + 'GET', + $config['jwks_url'] + ); $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set')) - ->replaceArgument(0, $jwksJson); + ->replaceArgument(0, $response->getContent()); } elseif (isset($config['key'])) { $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk')) ->replaceArgument(0, $config['key']); From 3166188664c9601d849f25ea18dd9e5d58d8e118 Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 16:48:32 +0200 Subject: [PATCH 06/10] OidcTokenHandlerTest : add test for JWKSet case --- .../AccessToken/Oidc/OidcTokenHandlerTest.php | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php index ae3ca5308b06..4fa6c5f2272a 100644 --- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php 
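Review bot: The JWKS request ending in `$response->getContent()` runs while the container is compiled, inside the bundle extension, and its result is baked into the compiled container: a key rotated or withdrawn at the provider keeps being trusted (or stops being accepted) until someone clears the cache, and a transport or non-2xx error makes `getContent()` throw an HttpClient exception out of `cache:clear` with no mention of which option caused it. The body is also stored without any check that it is a JWKS, so a provider answering with an error page or a JSON document without `keys` only fails later, when `JWKSet::createFromJson()` first runs. Wrapping the request, decoding with `JSON_THROW_ON_ERROR` and checking for a `keys` array turns those into a LogicException at compile time, and a comment should state that the key set is a compile-time snapshot. `HttpClient::create()` also bypasses the application's configured `http_client` (proxy, CA bundle, timeouts), which presumably matters behind restricted egress; worth stating in the option's `info()`.
```php
if (isset($config['jwks_url'])) {
    if (!class_exists(HttpClient::class)) {
        throw new LogicException(sprintf('You cannot use "%s" as the HttpClient component is not installed. Try running "composer require symfony/http-client".', __CLASS__));
    }
    // The key set is fetched once, here, and written into the compiled container:
    // keys rotated or withdrawn by the provider are not seen until the cache is rebuilt.
    try {
        $jwksJson = HttpClient::create()->request('GET', $config['jwks_url'])->getContent();
        $jwks = json_decode($jwksJson, true, flags: \JSON_THROW_ON_ERROR);
    } catch (\Symfony\Contracts\HttpClient\Exception\ExceptionInterface|\JsonException $e) {
        throw new LogicException(sprintf('Unable to load the JWKSet from "%s": %s', $config['jwks_url'], $e->getMessage()), 0, $e);
    }
    if (!isset($jwks['keys']) || !\is_array($jwks['keys'])) {
        throw new LogicException(sprintf('The document at "%s" is not a JWKSet: it has no "keys" array.', $config['jwks_url']));
    }
    $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set'))
        ->replaceArgument(0, $jwksJson);
// … unchanged: elseif branch building the single-key "jwk" definition …
```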
@@ -13,6 +13,7 @@ use Jose\Component\Core\AlgorithmManager; use Jose\Component\Core\JWK; +use Jose\Component\Core\JWKSet; use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\JWSBuilder; use Jose\Component\Signature\Serializer\CompactSerializer; @@ -32,9 +33,9 @@ class OidcTokenHandlerTest extends TestCase private const AUDIENCE = 'Symfony OIDC'; /** - * @dataProvider getClaims + * @dataProvider getClaimsAndJwk */ - public function testGetsUserIdentifierFromSignedToken(string $claim, string $expected) + public function testGetsUserIdentifierFromSignedToken(string $claim, string $expected, JWK|JWKSet $jwk) { $time = time(); $claims = [ @@ -54,7 +55,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp $userBadge = (new OidcTokenHandler( new ES256(), - $this->getJWK(), + $jwk, self::AUDIENCE, ['https://www.example.com'], $claim, @@ -69,10 +70,12 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp $this->assertEquals($claims['sub'], $actualUser->getUserIdentifier()); } - public static function getClaims(): iterable + public static function getClaimsAndJwk(): iterable { - yield ['sub', 'e21bf182-1538-406e-8ccb-e25a17aba39f']; - yield ['email', 'foo@example.com']; + yield ['sub', 'e21bf182-1538-406e-8ccb-e25a17aba39f', self::getJWK()]; + yield ['email', 'foo@example.com', self::getJWK()]; + yield ['sub', 'e21bf182-1538-406e-8ccb-e25a17aba39f', self::getJWKSet()]; + yield ['email', 'foo@example.com', self::getJWKSet()]; } /** 
@@ -177,4 +180,16 @@ private static function getJWK(): JWK 'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220', ]); } + + private static function getJWKSet(): JWKSet + { + // tip: use https://mkjwk.org/ to generate a JWK + return new JWKSet([new JWK([ + 'kty' => 'EC', + 'crv' => 'P-256', + 'x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4', + 'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo', + 'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220', + ])]); + } } From 615b64eaa9e799b29fdd8139972b1ab4d963942f Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Fri, 15 Sep 2023 17:17:25 +0200 Subject: [PATCH 07/10] Fix psalm error --- .../Security/Factory/SignatureAlgorithmFactory.php | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php index 17eb3396eb92..0af26f5b6d8d 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php 
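Review bot: `getJWKSet()` repeats the key material of `getJWK()` literally, including the private scalar `d`, although a key set used for verification only needs the public part; `return new JWKSet([self::getJWK()->toPublic()]);` removes the duplicated literal and makes the JWKSet data sets exercise what a real `jwks_url` response contains, namely public keys without `d`. The token-signing side of the test is outside this hunk and would keep using `getJWK()` with the private key, so the round trip is unchanged.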
@@ -25,27 +25,25 @@ final class SignatureAlgorithmFactory { public static function create(string $algorithm): AlgorithmInterface { + $algorithmFqcn = Algorithm::class.'\\'.$algorithm; + switch ($algorithm) { case 'ES256': case 'ES384': case 'ES512': - if (!class_exists(Algorithm::class.'\\'.$algorithm)) { + if (!class_exists($algorithmFqcn)) { throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm)); } - - $algorithm = Algorithm::class.'\\'.$algorithm; break; case 'RS256': - if (!class_exists(Algorithm::class.'\\'.$algorithm)) { + if (!class_exists($algorithmFqcn)) { throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-rsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-rsa".', $algorithm)); } - - $algorithm = Algorithm::class.'\\'.$algorithm; break; default: throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS256 algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)); } - return new $algorithm(); + return new $algorithmFqcn(); } } From aa228fc502bb021e136839d227e22f6f724742b7 Mon Sep 17 00:00:00 2001 From: louismariegaborit Date: Tue, 30 Jan 2024 13:54:14 +0100 Subject: [PATCH 08/10] Remove RSA algorithm support --- composer.json | 3 +-- src/Symfony/Bundle/SecurityBundle/CHANGELOG.md | 1 - .../AccessToken/OidcTokenHandlerFactory.php | 2 +- .../Factory/SignatureAlgorithmFactory.php | 18 ++++++------------ .../security_authenticator_access_token.php | 5 ----- .../Component/Security/Http/composer.json | 3 +-- 6 files changed, 9 insertions(+), 23 deletions(-) diff --git a/composer.json b/composer.json index d0ef4180b7dc..0996d063e425 100644 --- a/composer.json +++ b/composer.json 
@@ -157,8 +157,7 @@ "twig/inky-extra": "^2.12|^3", "twig/markdown-extra": "^2.12|^3", "web-token/jwt-checker": "^3.1", - "web-token/jwt-signature-algorithm-ecdsa": "^3.1", - "web-token/jwt-signature-algorithm-rsa": "^3.1" + "web-token/jwt-signature-algorithm-ecdsa": "^3.1" }, "conflict": { "ext-psr": "<1.1|>=2", diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md index c119f900c0f1..f6cdd19c83a0 100644 --- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md +++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md @@ -6,7 +6,6 @@ CHANGELOG * Mark class `ExpressionCacheWarmer` as `final` * Add `jwks_url` option in oidc token handler configuration - * Support RS256 algorithm for oidc token signature 7.0 --- diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index 848d0dd79357..cb482f0020e1 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php @@ -38,7 +38,7 @@ public function create(ContainerBuilder $container, string $id, array|string $co // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory // for supported algorithms - if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512', 'RS256'], true)) { + if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) { $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm'])); } else { $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature')) 
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php index 0af26f5b6d8d..feb63c26350b 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php @@ -25,25 +25,19 @@ final class SignatureAlgorithmFactory { public static function create(string $algorithm): AlgorithmInterface { - $algorithmFqcn = Algorithm::class.'\\'.$algorithm; - switch ($algorithm) { case 'ES256': case 'ES384': case 'ES512': - if (!class_exists($algorithmFqcn)) { + if (!class_exists(Algorithm::class.'\\'.$algorithm)) { throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm)); } - break; - case 'RS256': - if (!class_exists($algorithmFqcn)) { - throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-rsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-rsa".', $algorithm)); - } - break; - default: - throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS256 algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)); + + $algorithm = Algorithm::class.'\\'.$algorithm; + + return new $algorithm(); } - return new $algorithmFqcn(); + throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)); } } 
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php index db61c9e37e79..5aa25e00cc81 100644 --- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php +++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php @@ -17,7 +17,6 @@ use Jose\Component\Signature\Algorithm\ES256; use Jose\Component\Signature\Algorithm\ES384; use Jose\Component\Signature\Algorithm\ES512; -use Jose\Component\Signature\Algorithm\RS256; use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory; use Symfony\Component\Security\Http\AccessToken\ChainAccessTokenExtractor; use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor; @@ -109,9 +108,5 @@ ->set('security.access_token_handler.oidc.signature.ES512', ES512::class) ->parent('security.access_token_handler.oidc.signature') ->args(['index_0' => 'ES512']) - - ->set('security.access_token_handler.oidc.signature.RS256', RS256::class) - ->parent('security.access_token_handler.oidc.signature') - ->args(['index_0' => 'RS256']) ; }; diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json index 038745bdaba5..3f96dc20c137 100644 --- a/src/Symfony/Component/Security/Http/composer.json +++ b/src/Symfony/Component/Security/Http/composer.json @@ -35,8 +35,7 @@ "symfony/translation": "^6.4|^7.0", "psr/log": "^1|^2|^3", "web-token/jwt-checker": "^3.1", - "web-token/jwt-signature-algorithm-ecdsa": "^3.1", - "web-token/jwt-signature-algorithm-rsa": "^3.1" + "web-token/jwt-signature-algorithm-ecdsa": "^3.1" }, "conflict": { "symfony/clock": "<6.4", From 6e047ba8ad50d6ede10d78fde81530b0487575de Mon Sep 17 00:00:00 2001 
From: louismariegaborit Date: Wed, 31 Jan 2024 20:15:57 +0100 Subject: [PATCH 09/10] OidcTokenHandler first arg instance of AlgorithmManager --- .../AccessToken/OidcTokenHandlerFactory.php | 12 +++++++++--- .../config/security_authenticator_access_token.php | 7 +++++++ .../Http/AccessToken/Oidc/OidcTokenHandler.php | 14 +++++++++++--- src/Symfony/Component/Security/Http/CHANGELOG.md | 1 + .../AccessToken/Oidc/OidcTokenHandlerTest.php | 6 +++--- src/Symfony/Component/Security/Http/composer.json | 1 + 6 files changed, 32 insertions(+), 9 deletions(-) diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php index cb482f0020e1..30e4de38c35a 100644 --- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php +++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php 
@@ -39,13 +39,19 @@ public function create(ContainerBuilder $container, string $id, array|string $co
 // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory
 // for supported algorithms
 if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) {
- $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']));
+ $algorithmDefinition = new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']);
 } else {
- $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))
+ $algorithmDefinition = (new ChildDefinition('security.access_token_handler.oidc.signature'))
 ->replaceArgument(0, $config['algorithm'])
- );
+ ;
 }
 
+ $algorithmManagerDefinition = $container->setDefinition($id.'.algorithm_manager', (new ChildDefinition('security.access_token_handler.oidc.algorithm_manager'))
+ ->replaceArgument(0, [$algorithmDefinition])
+ );
+
+ $tokenHandlerDefinition->replaceArgument(0, $algorithmManagerDefinition);
+
 if (!isset($config['jwks_url']) && !isset($config['key'])) {
 throw new LogicException('You should defined key or jwks_url parameter in configuration.');
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
index 5aa25e00cc81..100c3cd9ccb9 100644
--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Jose\Component\Core\Algorithm;
+use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\Algorithm\ES256;
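Review bot: `$container->setDefinition($id.'.algorithm_manager', ...)` returns the `Definition` object, and that object is then handed directly to `$tokenHandlerDefinition->replaceArgument(0, $algorithmManagerDefinition)`; a `Definition` used as an argument is treated by the container as an inline (anonymous) service, so the manager is instantiated inline while the named `$id.'.algorithm_manager'` service is registered separately and, within this hunk, never referenced. Either pass `new Reference($id.'.algorithm_manager')` as argument 0, or drop the `setDefinition` call and inline the `ChildDefinition` directly. The body of `create()` continues outside the hunk, so the named service may be used further down; if it is, the `Reference` form is still the consistent one.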
@@ -97,6 +98,12 @@
 abstract_arg('signature algorithm'),
 ])
 
+ ->set('security.access_token_handler.oidc.algorithm_manager', AlgorithmManager::class)
+ ->abstract()
+ ->args([
+ abstract_arg('signature algorithms'),
+ ])
+
 ->set('security.access_token_handler.oidc.signature.ES256', ES256::class)
 ->parent('security.access_token_handler.oidc.signature')
 ->args(['index_0' => 'ES256'])
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
index c02f67947eba..3f57b4c8a4e6 100644
--- a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
+++ b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -38,8 +38,10 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
 {
 use OidcTrait;
 
+ private AlgorithmManager $algorithmManager;
+
 public function __construct(
- private Algorithm $signatureAlgorithm,
+ private Algorithm|AlgorithmManager $signatureAlgorithm,
 private JWK|JWKSet $jwk,
 private string $audience,
 private array $issuers,
@@ -47,6 +49,12 @@ public function __construct(
 private ?LoggerInterface $logger = null,
 private ClockInterface $clock = new Clock(),
 ) {
+ if ($this->signatureAlgorithm instanceof Algorithm) {
+ trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
+ $this->algorithmManager = new AlgorithmManager([$this->signatureAlgorithm]);
+ } else {
+ $this->algorithmManager = $signatureAlgorithm;
+ }
 }
 
 public function getUserBadgeFrom(string $accessToken): UserBadge
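Review bot: The deprecation message in the constructor does not follow the wording the component uses elsewhere and names the types in the opposite order to what a reader expects; `trigger_deprecation('symfony/security-http', '7.1', 'Passing an instance of "%s" as first argument to "%s" is deprecated, pass a "%s" instead.', Algorithm::class, self::class, AlgorithmManager::class);` would be the conventional form. With the new `$algorithmManager` property holding the resolved manager, the promoted `Algorithm|AlgorithmManager $signatureAlgorithm` property is no longer read after construction (the verifier and header-checker hunks that follow use `$this->algorithmManager`), so it could become a plain constructor parameter instead of a promoted property. The two branches also differ in style, reading `$this->signatureAlgorithm` in one and the local `$signatureAlgorithm` in the other; pick one form.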
@@ -57,7 +65,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 
 try {
 // Decode the token
- $jwsVerifier = new JWSVerifier(new AlgorithmManager([$this->signatureAlgorithm]));
+ $jwsVerifier = new JWSVerifier($this->algorithmManager);
 $serializerManager = new JWSSerializerManager([new CompactSerializer()]);
 $jws = $serializerManager->unserialize($accessToken);
 $claims = json_decode($jws->getPayload(), true);
@@ -77,7 +85,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 
 // Verify the headers
 $headerCheckerManager = new Checker\HeaderCheckerManager([
- new Checker\AlgorithmChecker([$this->signatureAlgorithm->name()]),
+ new Checker\AlgorithmChecker($this->algorithmManager->list()),
 ], [
 new JWSTokenSupport(),
 ]);
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
index 58f227f37383..45c6b746f037 100644
--- a/src/Symfony/Component/Security/Http/CHANGELOG.md
+++ b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
 * Add `#[IsCsrfTokenValid]` attribute
+ * Deprecate passing a Algorithm object as the 1st argument to the constructor of `Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler`
 
 7.0
 ---
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
index 4fa6c5f2272a..1172a944b2eb 100644
--- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
@@ -54,7 +54,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
 $loggerMock->expects($this->never())->method('error');
 
 $userBadge = (new OidcTokenHandler(
- new ES256(),
+ new AlgorithmManager([new ES256()]),
 $jwk,
 self::AUDIENCE,
 ['https://www.example.com'],
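Review bot: `new Checker\AlgorithmChecker($this->algorithmManager->list())` in the second hunk lets the token's `alg` header select any algorithm registered in the injected manager, where the removed line accepted exactly one. When the manager is built by the bundle factory with a single algorithm this is equivalent, but the constructor now accepts an arbitrary `AlgorithmManager`, so a caller that registers several algorithms against the same `JWK|JWKSet` lets the token pick the verification algorithm; combining a symmetric (HMAC) algorithm with an asymmetric one for the same key material is the well-known JWT key-confusion case. A constructor docblock stating that the manager should contain only the algorithm(s) the issuer actually signs with, plus a test asserting that a token whose `alg` is not in the manager is rejected, would pin the intended contract. `getUserBadgeFrom()` continues outside both hunks, so whether the key set verification further down also restricts the algorithm cannot be seen here.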
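Review bot: All three call sites in this test file (this hunk and the two at `-90` and `-149`) switch to `new AlgorithmManager([new ES256()])`, so nothing keeps exercising the deprecated `Algorithm` argument and the `trigger_deprecation` branch added to the constructor in this commit goes untested; a `#[Group('legacy')]` test using `ExpectDeprecationTrait::expectDeprecation()` that constructs the handler with `new ES256()` and asserts the same badge is returned would cover it. The diffstat reports 3 additions and 3 deletions for this file, i.e. only these lines, so no `use Jose\Component\Core\AlgorithmManager;` was added; unless the file already imports it (its use block is outside the hunks), these tests will fail on an unresolved class.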
@@ -90,7 +90,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
 $this->expectExceptionMessage('Invalid credentials.');
 
 (new OidcTokenHandler(
- new ES256(),
+ new AlgorithmManager([new ES256()]),
 $this->getJWK(),
 self::AUDIENCE,
 ['https://www.example.com'],
@@ -149,7 +149,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
 $this->expectExceptionMessage('Invalid credentials.');
 
 (new OidcTokenHandler(
- new ES256(),
+ new AlgorithmManager([new ES256()]),
 self::getJWK(),
 self::AUDIENCE,
 ['https://www.example.com'],
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
index 3f96dc20c137..34d18376b213 100644
--- a/src/Symfony/Component/Security/Http/composer.json
+++ b/src/Symfony/Component/Security/Http/composer.json
@@ -17,6 +17,7 @@
 ],
 "require": {
 "php": ">=8.2",
+ "symfony/deprecation-contracts": "^2.5|^3",
 "symfony/http-foundation": "^6.4|^7.0",
 "symfony/http-kernel": "^6.4|^7.0",
 "symfony/polyfill-mbstring": "~1.0",
From 40663120b9914c8630a74e8a288464e0d7b719b3 Mon Sep 17 00:00:00 2001
From: louismariegaborit
Date: Wed, 31 Jan 2024 20:38:54 +0100
Subject: [PATCH 10/10] Remove jwks_url parameter
---
 .../Bundle/SecurityBundle/CHANGELOG.md | 1 -
 .../AccessToken/OidcTokenHandlerFactory.php | 28 ++++----------------
 .../security_authenticator_access_token.php | 8 ------
 3 files changed, 5 insertions(+), 32 deletions(-)
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
index f6cdd19c83a0..f704e00d92de 100644
--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,7 +5,6 @@ CHANGELOG
 ---
 
 * Mark class `ExpressionCacheWarmer` as `final`
- * Add `jwks_url` option in oidc token handler configuration
 
 7.0
 ---
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
index 30e4de38c35a..f59afef4596b 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -17,7 +17,6 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Reference;
-use Symfony\Component\HttpClient\HttpClient;
 
 /**
 * Configures a token handler for decoding and validating an OIDC token.
@@ -52,27 +51,13 @@ public function create(ContainerBuilder $container, string $id, array|string $co
 
 $tokenHandlerDefinition->replaceArgument(0, $algorithmManagerDefinition);
 
- if (!isset($config['jwks_url']) && !isset($config['key'])) {
- throw new LogicException('You should defined key or jwks_url parameter in configuration.');
+ if (!isset($config['key'])) {
+ throw new LogicException('You should defined key parameter in configuration.');
 }
 
- if (isset($config['jwks_url'])) {
- if (!class_exists(HttpClient::class)) {
- throw new LogicException(sprintf('You cannot use "%s" as the HttpClient component is not installed. Try running "composer require symfony/http-client".', __CLASS__));
- }
- $httpClient = HttpClient::create();
- $response = $httpClient->request(
- 'GET',
- $config['jwks_url']
- );
- $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk_set'))
- ->replaceArgument(0, $response->getContent());
- } elseif (isset($config['key'])) {
- $jwkDefinition = (new ChildDefinition('security.access_token_handler.oidc.jwk'))
- ->replaceArgument(0, $config['key']);
- }
-
- $tokenHandlerDefinition->replaceArgument(1, $jwkDefinition);
+ $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwk'))
+ ->replaceArgument(0, $config['key'])
+ );
 }
 
 public function getKey(): string
@@ -106,9 +91,6 @@ public function addConfiguration(NodeBuilder $node): void
 ->scalarNode('key')
 ->info('JSON-encoded JWK used to sign the token (must contain a "kty" key).')
 ->end()
- ->scalarNode('jwks_url')
- ->info('Url to retrieve JWKSet JSON-encoded (must contain a "keys" key).')
- ->end()
 ->end()
 ->end()
 ;
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
index 100c3cd9ccb9..aaddcf39a567 100644
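Review bot: The `key` node stays optional after this commit: the `addConfiguration` hunk removes `jwks_url` but does not restore the `->isRequired()` that the first commit of this series dropped from `->scalarNode('key')`, so a missing key is only caught at container compile time by the `LogicException` in `create()`, whose message `'You should defined key parameter in configuration.'` is also ungrammatical. Restoring `->isRequired()` together with `->cannotBeEmpty()` on the `key` node lets the Config component reject the missing option with its standard error and makes the `isset` guard redundant; if the guard is kept, reword it to `'The "key" option must be defined in the token handler configuration.'`. The hunk also leaves the `->info()` text of `key` saying the JWK is "used to sign the token", whereas the handler uses it to verify signatures; `'JSON-encoded JWK used to verify the token signature (must contain a "kty" key).'` would describe the actual role.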
--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -14,7 +14,6 @@
 use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
-use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
@@ -84,13 +83,6 @@
 abstract_arg('signature key'),
 ])
 
- ->set('security.access_token_handler.oidc.jwk_set', JWKSet::class)
- ->abstract()
- ->factory([JWKSet::class, 'createFromJson'])
- ->args([
- abstract_arg('signature keys'),
- ])
-
 ->set('security.access_token_handler.oidc.signature', Algorithm::class)
 ->abstract()
 ->factory([SignatureAlgorithmFactory::class, 'create'])