Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security][SecurityBundle] Add encryption support to OIDC tokens #57721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 17, 2025
Merged

[Security][SecurityBundle] Add encryption support to OIDC tokens #57721

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[Security] OAuth2 Introspection Endpoint (RFC7662) 
In addition to the excellent work of @vincentchalamon #48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:

* If the access token is active
* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.
  • Loading branch information
@Spomky
Spomky committed Jan 5, 2025
commit 04c53b4bae0557d5f37fc9fc1dd3d5ae8a066e82
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ class UnusedTagsPass implements CompilerPassInterface
'routing.route_loader',
'scheduler.schedule_provider',
'scheduler.task',
'security.access_token_handler.oidc.encryption_algorithm',
'security.access_token_handler.oidc.signature_algorithm',
'security.authenticator.login_linker',
'security.expression_language_provider',
Expand Down
1 change: 1 addition & 0 deletions 1 src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ CHANGELOG
---

* Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
* Add encryption support to `OidcTokenHandler` (JWE)

7.2
---
Expand Down
37 changes: 36 additions & 1 deletion 37 ...undle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,22 @@ public function create(ContainerBuilder $container, string $id, array|string $co
$tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
->replaceArgument(0, $config['keyset'])
);

if ($config['encryption']['enabled']) {
$algorithmManager = (new ChildDefinition('security.access_token_handler.oidc.encryption'))
->replaceArgument(0, $config['encryption']['algorithms']);
$keyset = (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
->replaceArgument(0, $config['encryption']['keyset']);

$tokenHandlerDefinition->addMethodCall(
'enabledJweSupport',
[
$keyset,
$algorithmManager,
$config['encryption']['enforce'],
]
);
}
}

public function getKey(): string
Expand Down Expand Up @@ -112,9 +128,28 @@ public function addConfiguration(NodeBuilder $node): void
->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.')
->end()
->scalarNode('keyset')
->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).')
->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
->isRequired()
->end()
->arrayNode('encryption')
->canBeEnabled()
->children()
->booleanNode('enforce')
->info('When enabled, the token shall be encrypted.')
->defaultFalse()
->end()
->arrayNode('algorithms')
->info('Algorithms used to decrypt the token.')
->isRequired()
->requiresAtLeastOneElement()
->scalarPrototype()->end()
->end()
->scalarNode('keyset')
->info('JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).')
->isRequired()
->end()
->end()
->end()
->end()
->end()
;
Expand Down
16 changes: 16 additions & 0 deletions 16 src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -338,13 +338,29 @@
<xsd:choice maxOccurs="unbounded">
<xsd:element name="issuers" type="oidc_issuers" minOccurs="0" maxOccurs="1" />
<xsd:element name="issuer" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
<xsd:element name="encryption" type="oidc_encryption" />
</xsd:choice>
<xsd:attribute name="claim" type="xsd:string" />
<xsd:attribute name="audience" type="xsd:string" use="required" />
<xsd:attribute name="algorithm" type="xsd:string" use="required" />
<xsd:attribute name="key" type="xsd:string" use="required" />
</xsd:complexType>

<xsd:complexType name="oidc_encryption">
<xsd:choice maxOccurs="unbounded">
<xsd:element name="algorithms" type="oidc_encryption_algorithms" minOccurs="1" maxOccurs="1" />
</xsd:choice>
<xsd:attribute name="enabled" type="xsd:boolean" />
<xsd:attribute name="enforce" type="xsd:boolean" />
<xsd:attribute name="keyset" type="xsd:string" use="required" />
</xsd:complexType>

<xsd:complexType name="oidc_encryption_algorithms">
<xsd:sequence>
<xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>

<xsd:complexType name="oidc_issuers">
<xsd:sequence>
<xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
Expand Down
51 changes: 51 additions & 0 deletions 51 src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,15 @@
use Jose\Component\Core\AlgorithmManagerFactory;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A192CBCHS384;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A192GCM;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSS;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Algorithm\ES384;
use Jose\Component\Signature\Algorithm\ES512;
Expand Down Expand Up @@ -135,5 +144,47 @@

->set('security.access_token_handler.oidc.signature.PS512', PS512::class)
->tag('security.access_token_handler.oidc.signature_algorithm')

// Encryption
// Note that - all xxxKW algorithms are not defined as an extra dependency is required
// - The RSA_1.5 is missing as deprecated
->set('security.access_token_handler.oidc.encryption_algorithm_manager_factory', AlgorithmManagerFactory::class)
->args([
tagged_iterator('security.access_token_handler.oidc.encryption_algorithm'),
])

->set('security.access_token_handler.oidc.encryption', AlgorithmManager::class)
->abstract()
->factory([service('security.access_token_handler.oidc.encryption_algorithm_manager_factory'), 'create'])
->args([
abstract_arg('encryption algorithms'),
])

->set('security.access_token_handler.oidc.encryption.RSAOAEP', RSAOAEP::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.ECDHES', ECDHES::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.ECDHSS', ECDHSS::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A128CBCHS256', A128CBCHS256::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A192CBCHS384', A192CBCHS384::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A256CBCHS512', A256CBCHS512::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A128GCM', A128GCM::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A192GCM', A192GCM::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')

->set('security.access_token_handler.oidc.encryption.A256GCM', A256GCM::class)
->tag('security.access_token_handler.oidc.encryption_algorithm')
;
};
84 changes: 83 additions & 1 deletion 84 ...ndle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ public function testInvalidOidcTokenHandlerConfigurationKeyMissing()
$factory = new AccessTokenFactory($this->createTokenHandlerFactories());

$this->expectException(InvalidConfigurationException::class);
$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).');
$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).');

$this->processConfig($config, $factory);
}
Expand Down Expand Up @@ -257,6 +257,88 @@ public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms()
$this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
}

public function testOidcTokenHandlerConfigurationWithEncryption()
{
$container = new ContainerBuilder();
$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
$config = [
'token_handler' => [
'oidc' => [
'algorithms' => ['RS256', 'ES256'],
'issuers' => ['https://www.example.com'],
'audience' => 'audience',
'keyset' => $jwkset,
'encryption' => [
'enabled' => true,
'keyset' => $jwkset,
'algorithms' => ['RSA-OAEP', 'RSA1_5'],
],
],
],
];

$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
$finalizedConfig = $this->processConfig($config, $factory);

$factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');

$this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
$this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
}

public function testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset()
{
$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
$config = [
'token_handler' => [
'oidc' => [
'algorithms' => ['RS256', 'ES256'],
'issuers' => ['https://www.example.com'],
'audience' => 'audience',
'keyset' => $jwkset,
'encryption' => [
'enabled' => true,
'algorithms' => ['RSA-OAEP', 'RSA1_5'],
],
],
],
];

$factory = new AccessTokenFactory($this->createTokenHandlerFactories());

$this->expectException(InvalidConfigurationException::class);
$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc.encryption" must be configured: JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).');

$this->processConfig($config, $factory);
}

public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithm()
{
$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
$config = [
'token_handler' => [
'oidc' => [
'algorithms' => ['RS256', 'ES256'],
'issuers' => ['https://www.example.com'],
'audience' => 'audience',
'keyset' => $jwkset,
'encryption' => [
'enabled' => true,
'keyset' => $jwkset,
'algorithms' => [],
],
],
],
];

$factory = new AccessTokenFactory($this->createTokenHandlerFactories());

$this->expectException(InvalidConfigurationException::class);
$this->expectExceptionMessage('The path "access_token.token_handler.oidc.encryption.algorithms" should have at least 1 element(s) defined.');

$this->processConfig($config, $factory);
}

public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
{
$container = new ContainerBuilder();
Expand Down
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.