JWKSet support for OIDCTokenHandler

[adzfaulkner]

Description

We would like to use the symfony/security-http OIDCTokenHandler but the Identity and Access Management system currently employed exposes a JWK Keyset via it's realm certs url as opposed to a single JWK of which the token hander in question only currently supports.

It would be great if the OIDCTokenHandler could also accept an instance of JWKSet to be passed into it's constuctor which will also incur modifications in how the jms is verified.

Example

final class OidcTokenHandler implements AccessTokenHandlerInterface
{
    use OidcTrait;

    public function __construct(
        private Algorithm $signatureAlgorithm,
-       private JWK$jwk,
+       private JWK|JWKSet $jwk,
        private string $audience,
        private array $issuers,
        private string $claim = 'sub',
        private ?LoggerInterface $logger = null,
        private ClockInterface $clock = new Clock()
    ) {
    }
}

[chalasr]

Possible duplicate of #50434

[chalasr]

I didn't mean to close as I'm not entirely sure it's the same feature request. Can you please confirm @adzfaulkner?

[adzfaulkner]

@chalasr I can confirm it's not a duplicate as the suspected related ticket refers to downloading a single key from a certs URL as opposed to my request which is JWKSet support to be added to the underlying Token Handler

[OskarStark]

I made the example in the PR header a diff to be more readable, can you confirm my change is correct? Thanks

[adzfaulkner]

@OskarStark spot on thank you :-)

[louismariegaborit]

I worked few months ago on this #51665. 😉

[louismariegaborit]

I think this issue was resolved by #53682.

[adzfaulkner]

@louismariegaborit your assertion looks correct. Hence issue has been closed. Cheers for the hard work to make it happen!