Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Support RSA algorithm signature for OIDC tokens #53682

Merged
merged 1 commit into from Apr 3, 2024
Merged

[Security] Support RSA algorithm signature for OIDC tokens #53682

merged 1 commit into from Apr 3, 2024

Conversation

louismariegaborit
Copy link
Contributor

Q A
Branch? 7.1
Bug fix? no
New feature? yes
Deprecations? no
Issues
License MIT

Add support for RSA signature algorithm for OidcTokenHandler.
Amazon Cognito uses RS256 algorithm for its tokens.

@carsonbot carsonbot added this to the 7.1 milestone Jan 30, 2024
@louismariegaborit louismariegaborit mentioned this pull request Jan 30, 2024
Closed
@louismariegaborit louismariegaborit force-pushed the security_support_rsa branch 3 times, most recently from bc94265 to 9c46285 Compare January 30, 2024 12:49
@nicolas-grekas nicolas-grekas changed the title [Security] Support RSA algorithm signature [Security] Support RSA algorithm signature for OIDC tokens Jan 30, 2024
@louismariegaborit louismariegaborit force-pushed the security_support_rsa branch 3 times, most recently from 84e1317 to 6b4e728 Compare January 30, 2024 13:10
@Spomky
Copy link
Contributor

Spomky commented Feb 1, 2024

Hi,

Is it possible to put this PR on hold?
The reason is that algorithms from the web-token/ suite will be grouped and, very soon, with web-token/jwt-library you will have all at once (including encryption to help #50441)

@Spomky
Copy link
Contributor

Spomky commented Feb 1, 2024
edited

Hi @louismariegaborit,

Can you test with "web-token/jwt-library": "3.3.0@dev" adn "ext-openssl": "*"?
Both web-token/jwt-signature-algorithm-ecdsa and web-token/jwt-signature-algorithm-rsa dependencies can be removed.

Also, because the new web-token/jwt-library contains more than ESxxx and RSxxx algorithms, I am wondering if this PR could be renamed to [Security] Support any signature algorithms for OIDC tokens and allow developers picking the algorthims they need.

Note: web-token/jwt-library will be tagged in a couple of days.

@louismariegaborit
Copy link
Contributor Author

louismariegaborit commented Feb 1, 2024
edited

Hi @Spomky

This seems ok. I removed also web-token/jwt-checker.
For the ext-openssl, I added it in the require-dev but it's in suggest like in your repository that you want that be added ?

I will look so that developers picked the algorithms they need.

I will update the PR title when we validate the work.

@louismariegaborit
Copy link
Contributor Author

@Spomky I did a try. WDYT ?
I don't know if I can delete old algorithm services without deprecations. And if I keep the services with deprecations, could you tell me how do it ?

@Spomky
Copy link
Contributor

Spomky commented Feb 2, 2024
edited

This seems ok. I removed also web-token/jwt-checker.
For the ext-openssl, I added it in the require-dev but it's in suggest like in your repository that you want that be added ?

Indeed, most of jwt-* packages are now under jwt-library.
OK for ext-openssl in the required-dev section. I'll make sure the algorithms complain if it's missing.

@vincentchalamon do you have any recommendation to have a better algorithm support architecture.
What could be interesting is to allow multiple algorithms

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        # Algorithms used to sign the JWS
                        algorithms:
                            - 'ES256'
                            - 'RS256'
                            - 'PS256'
                        # A JSON-encoded JWK
                        key: '{"kty":"...","k":"..."}'

From my understanding, it will require:

  • If the configuraition key algorithm is present: to normaliwe the current configuration fro; ["algorithm" => $alg] to ["algorithms" => [$alg]]
  • Change the OidcTokenHandler first argument to accept an algorithm manager object instead a single algorithm
  • Use the algorithm manager factory to create the algorithm manager according to the configuration

Any ideas on this?

@louismariegaborit
Copy link
Contributor Author

@vincentchalamon do you have any recommendation to have a better algorithm support architecture. What could be interesting is to allow multiple algorithms

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                token_handler:
                    oidc:
                        # Algorithms used to sign the JWS
                        algorithms:
                            - 'ES256'
                            - 'RS256'
                            - 'PS256'
                        # A JSON-encoded JWK
                        key: '{"kty":"...","k":"..."}'

From my understanding, it will require:

  • If the configuraition key algorithm is present: to normaliwe the current configuration fro; ["algorithm" => $alg] to ["algorithms" => [$alg]]
  • Change the OidcTokenHandler first argument to accept an algorithm manager object instead a single algorithm
  • Use the algorithm manager factory to create the algorithm manager according to the configuration

Any ideas on this?

@Spomky I started this work in another PR (#51665).
I still need to support an array for the algorithms.
I think, we must decide what is the responsability of each PR.

@vincentchalamon
Copy link
Contributor

@Spomky on an OIDC server (e.g.: Keycloak), is it possible to allow multiple algorithms on a single realm?

If true, multiple algorithms configuration could be interesting, indeed. I'm just wondering if the key configuration (JWK) shouldn't be associated to the corresponding algorithm, as I think they're linked (cf. JWA).

If false, I don't think we should allow multiple algorithms configuration as multiple realms are not supported.

@Spomky
Copy link
Contributor

Spomky commented Mar 22, 2024

The CI seems to be fixed. Errors are not related to the changes.
fabbot is asking me to apply an empty patch. Not sure what is causing this error.
Any advice for the next step?

nicolas-grekas
nicolas-grekas reviewed Mar 22, 2024
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with minor CS fixes

chalasr
chalasr previously approved these changes Mar 24, 2024
View reviewed changes
@chalasr chalasr dismissed their stale review March 24, 2024 19:21

Some tests are broken due to this change

chalasr
chalasr requested changes Mar 24, 2024
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you look at failing tests?

@Spomky Spomky force-pushed the security_support_rsa branch 3 times, most recently from 949281a to d930172 Compare March 24, 2024 20:56
@Spomky
Copy link
Contributor

Spomky commented Mar 24, 2024

Hi @chalasr,

It seems to be fine now.
I corrected one of the tests without the @group legacy. Other errors are not related to this PR.

@nicolas-grekas nicolas-grekas added the ❄️ Feature Freeze Important Pull Requests to finish before the next Symfony "feature freeze" label Apr 2, 2024
@chalasr
Copy link
Member

chalasr commented Apr 3, 2024
edited

Thank you @louismariegaborit and @Spomky.

@chalasr chalasr merged commit 09437dc into symfony:7.1 Apr 3, 2024
6 of 10 checks passed
@louismariegaborit louismariegaborit deleted the security_support_rsa branch April 3, 2024 19:44
@louismariegaborit louismariegaborit mentioned this pull request Apr 4, 2024
Closed
@chalasr chalasr mentioned this pull request Apr 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@GregoireHebert GregoireHebert GregoireHebert left review comments

@Spomky Spomky Spomky left review comments

@stof stof stof requested changes

@vincentchalamon vincentchalamon vincentchalamon approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Feature Security ❄️ Feature Freeze Important Pull Requests to finish before the next Symfony "feature freeze" Status: Reviewed
Projects
None yet
Milestone
7.1
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@louismariegaborit @Spomky @vincentchalamon @chalasr @nicolas-grekas @stof @GregoireHebert @carsonbot