Support RSA algorithm signature

symfony · Jan 30, 2024 · 6b4e728 · 6b4e728
1 parent e172491
commit 6b4e728
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 8 deletions.
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Mark class `ExpressionCacheWarmer` as `final`
+ * Support RSA algorithm for oidc token signature
 
 7.0
 ---

diff --git a/...undle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/...undle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -37,7 +37,7 @@ public function create(ContainerBuilder $container, string $id, array|string $co
 
         // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory
         // for supported algorithms
-        if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) {
+        if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'], true)) {
             $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']));
         } else {
             $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))

diff --git a/.../Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/.../Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php
@@ -25,19 +25,27 @@ final class SignatureAlgorithmFactory
 {
     public static function create(string $algorithm): AlgorithmInterface
     {
+        $algorithmFqcn = Algorithm::class.'\\'.$algorithm;
+
         switch ($algorithm) {
             case 'ES256':
             case 'ES384':
             case 'ES512':
-                if (!class_exists(Algorithm::class.'\\'.$algorithm)) {
+                if (!class_exists($algorithmFqcn)) {
                     throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm));
                 }
-
-                $algorithm = Algorithm::class.'\\'.$algorithm;
-
-                return new $algorithm();
+                break;
+            case 'RS256':
+            case 'RS384':
+            case 'RS512':
+                if (!class_exists($algorithmFqcn)) {
+                    throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-rsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-rsa".', $algorithm));
+                }
+                break;
+            default:
+                throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm));
         }
 
-        throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm));
+        return new $algorithmFqcn();
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -16,6 +16,9 @@
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
+use Jose\Component\Signature\Algorithm\RS256;
+use Jose\Component\Signature\Algorithm\RS384;
+use Jose\Component\Signature\Algorithm\RS512;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory;
 use Symfony\Component\Security\Http\AccessToken\ChainAccessTokenExtractor;
 use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor;
@@ -100,5 +103,17 @@
         ->set('security.access_token_handler.oidc.signature.ES512', ES512::class)
             ->parent('security.access_token_handler.oidc.signature')
             ->args(['index_0' => 'ES512'])
+
+        ->set('security.access_token_handler.oidc.signature.RS256', RS256::class)
+            ->parent('security.access_token_handler.oidc.signature')
+            ->args(['index_0' => 'RS256'])
+
+        ->set('security.access_token_handler.oidc.signature.RS384', RS384::class)
+            ->parent('security.access_token_handler.oidc.signature')
+            ->args(['index_0' => 'RS384'])
+
+        ->set('security.access_token_handler.oidc.signature.RS512', RS512::class)
+            ->parent('security.access_token_handler.oidc.signature')
+            ->args(['index_0' => 'RS512'])
     ;
 };
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
@@ -35,7 +35,8 @@
         "symfony/translation": "^6.4|^7.0",
         "psr/log": "^1|^2|^3",
         "web-token/jwt-checker": "^3.1",
-        "web-token/jwt-signature-algorithm-ecdsa": "^3.1"
+        "web-token/jwt-signature-algorithm-ecdsa": "^3.1",
+        "web-token/jwt-signature-algorithm-rsa": "^3.1"
     },
     "conflict": {
         "symfony/clock": "<6.4",