[Security] OidcTokenHandler support JWKSet

[louismariegaborit]

Q	A
Branch?	7.1
Bug fix?	no
New feature?	yes
Deprecations?	no
Tickets	Fix #53491
License	MIT
Doc PR	ToDo

This PR can supports now :

• RSA256 algorithm if web-token/jwt-signature-algorithm-rsa package is installed. (dedicated PR [Security] Support RSA algorithm signature for OIDC tokens #53682)
• JWKSet from url

The need comes from the validation of an AWS Cognito Token.
Amazon gived a url to get JWKSet and signature is RS256.

P.S.: It's my first feature PR on Symfony. The description may be missing information or the changes may be clumsy. 😊

[stof]

This misses updating the changelog to mention the addition of support for the RS256 algorithm and the jwks_url option

[louismariegaborit]

This misses updating the changelog to mention the addition of support for the RS256 algorithm and the jwks_url option

Changelog added.
Thanks for your review. I do the last change in few days.

[Spomky]

Or maybe @Spomky has a better idea?

Indeed, the JWKSet may change from time to time. It completely depends on the distant service policy and keys may rotate on a periodic manner or be revoked.
Having a HTTP Client with caching features is a solution I used in the past. Another solution I prefer if to share the keysets to the application using a read-only file. The keys are changed by cron task that periodically. In other words: the application is not responsible of managing the keys. This way, there is no client injection or latency waiting for the keysets to be updated.
It requires a bit more work, but does not impact the application performance and reduces its complexity.

Or we could extend JKWSet to make a variant of it that does it instead.

In the past, such feature was implemented, but removed because of caching/performance issues.

[louismariegaborit]

Thanks @nicolas-grekas and @Spomky for review.

You're right. Let's start by supporting JWKSet from a file.
And in review my first draft of this work, I realize that it's not complete. Support JWKSet means that many algorithm signatures could be verify.

The OidcTokenHandler class is final. Can I change the construct signature to replace the type of the first argument with AlgorithmManager or I must keep the type Algorithm and add a deprecate notice to accept only AlgorithManager in 8.0 ?
Which means that we must also update the SecurityBundle to accept an array in the algorithm config key.

WDYT ?

[stof]

@louismariegaborit you must change the type to a union type of the old and new one, and trigger a deprecation when the old one is passed.

[louismariegaborit]

@louismariegaborit you must change the type to a union type of the old and new one, and trigger a deprecation when the old one is passed.

@stof Can I rename the argument ?

[louismariegaborit]

As we discuss with @Spomky and @vincentchalamon in the #53682 (comment) PR/comment, we propose an update of the oidc_token_handler in the SecurityBundle to authorize JWKSet and multiple algorithms.

One proposal would be to replace the algorithm and key properties with algorithms and keys to process arrays.

WDYT ? (cc @nicolas-grekas)

[louismariegaborit]

@Spomky We are agree that this PR can be closed as the PR #53682 was merged ?

[Spomky]

Agreed!

[louismariegaborit]

Duplicate #53682