From 9c46285664324884570f241e0c0ba70560f478ba Mon Sep 17 00:00:00 2001
From: louismariegaborit
Date: Tue, 30 Jan 2024 13:32:44 +0100
Subject: [PATCH] Support RSA algorithm signature

---
 .../Bundle/SecurityBundle/CHANGELOG.md | 1 +
 .../AccessToken/OidcTokenHandlerFactory.php | 2 +-
 .../Factory/SignatureAlgorithmFactory.php | 22 +++++++++++++------
 .../security_authenticator_access_token.php | 15 +++++++++++++
 .../Component/Security/Http/composer.json | 3 ++-
 5 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
index f704e00d92de1..6111f7cefee01 100644
--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Mark class `ExpressionCacheWarmer` as `final`
+ * Support RSA algorithm for oidc token signature
 
 7.0
 ---
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
index 7be00eaff35df..ec45b8660867c 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -37,7 +37,7 @@ public function create(ContainerBuilder $container, string $id, array|string $co
 
         // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory
         // for supported algorithms
-        if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) {
+        if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512', 'RS256', 'RS384', 'RS512'], true)) {
             $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']));
         } else {
             $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php
index feb63c26350be..f74c9a77ead37 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php
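Review bot: The changed `\in_array` list now duplicates the set of algorithms accepted by `SignatureAlgorithmFactory::create()` and the service ids registered in security_authenticator_access_token.php, so the three places can silently drift: an algorithm added to the factory but not here falls into the `else` branch, and one added here but not in the config resolves to a missing `security.access_token_handler.oidc.signature.*` service at container compile time. A single list constant declared on SignatureAlgorithmFactory and used by both this check and the factory's switch would keep them in step, and the comment above already names the factory as the source of truth. Whether the algorithm is taken solely from configuration rather than from the token header — which is what gives this fixed allow-list its value — cannot be confirmed from this hunk. The `create()` method starts and ends outside the hunk.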
@@ -25,19 +25,27 @@ final class SignatureAlgorithmFactory
 {
     public static function create(string $algorithm): AlgorithmInterface
     {
+        $algorithmFqcn = Algorithm::class.'\\'.$algorithm;
+
         switch ($algorithm) {
             case 'ES256':
             case 'ES384':
             case 'ES512':
-                if (!class_exists(Algorithm::class.'\\'.$algorithm)) {
+                if (!class_exists($algorithmFqcn)) {
                     throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-ecdsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-ecdsa".', $algorithm));
                 }
-
-                $algorithm = Algorithm::class.'\\'.$algorithm;
-
-                return new $algorithm();
+                break;
+            case 'RS256':
+            case 'RS384':
+            case 'RS512':
+                if (!class_exists($algorithmFqcn)) {
+                    throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "web-token/jwt-signature-algorithm-rsa" is not installed. Try running "composer require web-token/jwt-signature-algorithm-rsa".', $algorithm));
+                }
+                break;
+            default:
+                throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS256 algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm));
         }
-
-        throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm));
+
+        return new $algorithmFqcn();
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
index 66716b23ad892..9fa8395db44f1 100644
--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
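Review bot: The new `default:` message says `Only ES* and RS256 algorithms are supported`, but the switch above it also accepts RS384 and RS512; it should read `'Unsupported signature algorithm "%s". Only ES* and RS* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.'`. Because `$algorithmFqcn` is now built from the caller-supplied string before any validation and instantiated unconditionally at the end, the `switch` deserves a comment stating that its case labels are the allow-list that makes the trailing `new $algorithmFqcn()` safe — the class name derives from a configuration value, and a future `default` that stops throwing would turn that line into arbitrary instantiation. Since the two installed-check branches differ only in the package named in the message, a `match` mapping algorithm to package name removes the duplication and makes the allow-list explicit, as sketched below (Symfony 7 requires PHP 8.2, so `match` is available). The enclosing class is closed by the hunk's last line.
```php
    public static function create(string $algorithm): AlgorithmInterface
    {
        // The keys of this match are the allow-list: $algorithm comes from configuration
        // and is only turned into a class name after it matched one of them.
        $package = match ($algorithm) {
            'ES256', 'ES384', 'ES512' => 'web-token/jwt-signature-algorithm-ecdsa',
            'RS256', 'RS384', 'RS512' => 'web-token/jwt-signature-algorithm-rsa',
            default => throw new InvalidArgumentException(sprintf('Unsupported signature algorithm "%s". Only ES* and RS* algorithms are supported. If you want to use another algorithm, create your TokenHandler as a service.', $algorithm)),
        };

        $algorithmFqcn = Algorithm::class.'\\'.$algorithm;
        if (!class_exists($algorithmFqcn)) {
            throw new \LogicException(sprintf('You cannot use the "%s" signature algorithm since "%s" is not installed. Try running "composer require %s".', $algorithm, $package, $package));
        }

        return new $algorithmFqcn();
    }
```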
@@ -16,6 +16,9 @@
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
+use Jose\Component\Signature\Algorithm\RS256;
+use Jose\Component\Signature\Algorithm\RS384;
+use Jose\Component\Signature\Algorithm\RS512;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory;
 use Symfony\Component\Security\Http\AccessToken\ChainAccessTokenExtractor;
 use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor;
@@ -100,5 +103,17 @@
             ->set('security.access_token_handler.oidc.signature.ES512', ES512::class)
                 ->parent('security.access_token_handler.oidc.signature')
                 ->args(['index_0' => 'ES512'])
+
+            ->set('security.access_token_handler.oidc.signature.RS256', RS256::class)
+                ->parent('security.access_token_handler.oidc.signature')
+                ->args(['index_0' => 'RS256'])
+
+            ->set('security.access_token_handler.oidc.signature.RS384', RS384::class)
+                ->parent('security.access_token_handler.oidc.signature')
+                ->args(['index_0' => 'RS384'])
+
+            ->set('security.access_token_handler.oidc.signature.RS512', RS512::class)
+                ->parent('security.access_token_handler.oidc.signature')
+                ->args(['index_0' => 'RS512'])
     ;
 };
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
index 3f96dc20c137b..b034b3671f59a 100644
--- a/src/Symfony/Component/Security/Http/composer.json
+++ b/src/Symfony/Component/Security/Http/composer.json
@@ -35,7 +35,8 @@
         "symfony/translation": "^6.4|^7.0",
         "psr/log": "^1|^2|^3",
         "web-token/jwt-checker": "^3.1",
-        "web-token/jwt-signature-algorithm-ecdsa": "^3.1"
+        "web-token/jwt-signature-algorithm-ecdsa": "^3.1",
+        "web-token/jwt-signature-algorithm-rsa": "^3.1",
     },
     "conflict": {
         "symfony/clock": "<6.4",
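Review bot: The added `"web-token/jwt-signature-algorithm-rsa": "^3.1",` leaves a trailing comma before the `},` that closes the section, which is not valid JSON; `composer validate` and any strict JSON parser will reject the file. The new line should be `"web-token/jwt-signature-algorithm-rsa": "^3.1"` with no comma, mirroring how the ecdsa line was the last entry before this change. The section's opening key is outside the hunk, so whether this lands in `require` or `require-dev` cannot be confirmed here; the SecurityBundle service definitions that reference the RS* classes appear to rely on the `LogicException` in SignatureAlgorithmFactory to guide installation when the package is absent.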