[Security] OidcTokenHandler support JWKSet #51665
This misses updating the changelog to mention the addition of support for the RS256 algorithm and the jwks_url option.
...y/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php (outdated, resolved)
...ony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/SignatureAlgorithmFactory.php (outdated, resolved)
src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php (outdated, resolved)
src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php (outdated, resolved)
Changelog added.
Indeed, the JWKSet may change from time to time. It completely depends on the distant service policy, and keys may rotate in a periodic manner or be revoked.
In the past, such a feature was implemented, but removed because of caching/performance issues.
Thanks @nicolas-grekas and @Spomky for the review. You're right. Let's start by supporting JWKSet from a file. The OidcTokenHandler class is final. Can I change the constructor signature to replace the type of the first argument with AlgorithmManager, or must I keep the type Algorithm and add a deprecation notice to accept only AlgorithmManager in 8.0? WDYT?
@louismariegaborit you must change the type to a union type of the old and new one, and trigger a deprecation when the old one is passed.
@stof Can I rename the argument?
As we discussed with @Spomky and @vincentchalamon in the #53682 (comment) PR comment, we propose an update of the oidc_token_handler in the SecurityBundle to authorize JWKSet and multiple algorithms. One proposal would be to replace the algorithm and key properties with algorithms and keys to process arrays. WDYT? (cc @nicolas-grekas)
Agreed!
Duplicate #53682
This PR now supports:
- RS256 algorithm (dedicated PR: [Security] Support RSA algorithm signature for OIDC tokens #53682) if the web-token/jwt-signature-algorithm-rsa package is installed.
The need comes from the validation of an AWS Cognito token. Amazon gives a URL to get the JWKSet, and the signature is RS256.
P.S.: It's my first feature PR on Symfony. The description may be missing information or the changes may be clumsy. 😊
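As an added illustration of the two points discussed in this thread (a constructor that accepts `Algorithm|AlgorithmManager` and deprecates the old type, and verifying an RS256-signed OIDC token against a JWKSet loaded from a file), here is a small stand-alone handler written for this page. It is not the PR's code nor Symfony's `OidcTokenHandler`; it assumes web-token/jwt-framework 3.x (core, signature, the RSA algorithm package named in the PR, and key-mgmt for `JWKFactory`) is installed via Composer, and the key pair, JWKS file path and token claims are constructed for the example.

```php
<?php
// Added example (not the PR's code): a minimal JWKSet-backed OIDC token handler
// built on web-token/jwt-framework 3.x. Assumes Composer autoloading is available.
require __DIR__.'/vendor/autoload.php';

use Jose\Component\Core\Algorithm;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWKSet;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;

final class JwksTokenHandler // hypothetical class, stands in for OidcTokenHandler
{
    private AlgorithmManager $algorithmManager;

    // Union type as suggested in the thread: accept the old single Algorithm
    // for BC, but deprecate it in favour of an AlgorithmManager.
    public function __construct(Algorithm|AlgorithmManager $algorithms, private JWKSet $keySet)
    {
        if ($algorithms instanceof Algorithm) {
            @trigger_error(sprintf('Passing an "%s" to "%s()" is deprecated, pass an "%s" instead.', Algorithm::class, __METHOD__, AlgorithmManager::class), \E_USER_DEPRECATED);
            $algorithms = new AlgorithmManager([$algorithms]);
        }
        $this->algorithmManager = $algorithms;
    }

    /** Returns the verified claims, or throws on any failure. */
    public function getClaims(string $token): array
    {
        $jws = (new CompactSerializer())->unserialize($token);

        // Only algorithms the handler was configured with are acceptable; the
        // token's own "alg" header must never widen that set.
        $alg = $jws->getSignature(0)->getProtectedHeaderParameter('alg');
        if (!$this->algorithmManager->has($alg)) {
            throw new \RuntimeException(sprintf('Algorithm "%s" is not allowed.', $alg));
        }

        // verifyWithKeySet picks the matching key (by kid/alg) out of the JWKSet,
        // which is what lets the provider rotate keys without a config change.
        $verifier = new JWSVerifier($this->algorithmManager);
        if (!$verifier->verifyWithKeySet($jws, $this->keySet, 0)) {
            throw new \RuntimeException('Invalid signature.');
        }

        $claims = json_decode($jws->getPayload(), true, 512, \JSON_THROW_ON_ERROR);
        if (!isset($claims['exp']) || $claims['exp'] < time()) {
            throw new \RuntimeException('Token expired.');
        }

        return $claims;
    }
}

// Constructed sample: a fresh RSA key pair stands in for the provider's published keys
// (with AWS Cognito, the JWKS document served at the jwks_uri of the discovery endpoint).
$privateKey = JWKFactory::createRSAKey(2048, ['alg' => 'RS256', 'use' => 'sig', 'kid' => 'key-1']);

// "JWKSet from a file", as the thread proposes as a first step: persist the public set, then reload it.
$jwksFile = sys_get_temp_dir().'/example-jwks.json'; // constructed path
file_put_contents($jwksFile, json_encode(new JWKSet([$privateKey->toPublic()])));
$keySet = JWKSet::createFromJson(file_get_contents($jwksFile));

// Constructed token, signed with the private half of the sample key.
$jws = (new JWSBuilder(new AlgorithmManager([new RS256()])))
    ->create()
    ->withPayload(json_encode(['iss' => 'https://issuer.example', 'sub' => 'user-42', 'exp' => time() + 300]))
    ->addSignature($privateKey, ['alg' => 'RS256', 'kid' => 'key-1'])
    ->build();
$token = (new CompactSerializer())->serialize($jws, 0);

$handler = new JwksTokenHandler(new AlgorithmManager([new RS256()]), $keySet);
var_dump($handler->getClaims($token)['sub']); // string(7) "user-42"
```

Passing `new RS256()` directly as the first argument still works but emits the `E_USER_DEPRECATED` notice, which is the BC path the thread describes. A production handler would additionally validate `iss`, `aud`, `iat` and `nbf` rather than only `exp`, and would need a refresh strategy for the JWKS file since, as noted above, the provider's keys rotate and may be revoked.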