From d922dcaffc6e66fb8dd9ca0d335a5ba0018dfcf4 Mon Sep 17 00:00:00 2001 From: Vincent Chalamon <407859+vincentchalamon@users.noreply.github.com> Date: Tue, 30 May 2023 14:13:58 +0200 Subject: [PATCH] [Security] OIDC user info token handler client --- security/access_token.rst | 137 +++++++++++--------------------------- 1 file changed, 39 insertions(+), 98 deletions(-) diff --git a/security/access_token.rst b/security/access_token.rst index 6114d076637..bdc84e01fae 100644 --- a/security/access_token.rst +++ b/security/access_token.rst @@ -380,9 +380,7 @@ and retrieve the user info: main: access_token: token_handler: - oidc_user_info: - client: - base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo + oidc_user_info: https://www.example.com/realms/demo/protocol/openid-connect/userinfo .. code-block:: xml @@ -399,11 +397,7 @@ and retrieve the user info: - - - - - + @@ -418,9 +412,7 @@ and retrieve the user info: $security->firewall('main') ->accessToken() ->tokenHandler() - ->oidcUserInfo() - ->client() - ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo') + ->oidcUserInfo('https://www.example.com/realms/demo/protocol/openid-connect/userinfo') ; }; @@ -439,8 +431,7 @@ identifier by default. To use another claim, specify it on the configuration: token_handler: oidc_user_info: claim: email - client: - base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo + base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo .. code-block:: xml @@ -458,9 +449,7 @@ identifier by default. To use another claim, specify it on the configuration: - - - + 
@@ -478,13 +467,12 @@ identifier by default. To use another claim, specify it on the configuration: ->tokenHandler() ->oidcUserInfo() ->claim('email') - ->client() - ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo') + ->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo') ; }; The ``oidc_user_info`` token handler automatically creates an HTTP client with -the specified configuration. If you prefer using your own client, you can +the specified ``base_uri``. If you prefer using your own client, you can specify the service name via the ``client`` option: .. configuration-block:: @@ -583,11 +571,14 @@ it and retrieve the user info from it: access_token: token_handler: oidc: - signature: - # Algorithm used to sign the JWS - algorithm: 'HS256' - # A JSON-encoded JWK - key: '{"kty":"...","k":"..."}' + # Algorithm used to sign the JWS + algorithm: 'ES256' + # A JSON-encoded JWK + key: '{"kty":"...","k":"..."}' + # Audience (`aud` claim): required for validation purpose + audience: 'api-example' + # Issuers (`iss` claim): required for validation purpose + issuers: ['https://oidc.example.com'] .. code-block:: xml @@ -605,8 +596,12 @@ it and retrieve the user info from it: - - + + + + + + https://oidc.example.com @@ -624,9 +619,14 @@ it and retrieve the user info from it: ->accessToken() ->tokenHandler() ->oidc() - ->signature() - ->algorithm('HS256') - ->key('{"kty":"...","k":"..."}') + // Algorithm used to sign the JWS + ->algorithm('ES256') + // A JSON-encoded JWK + ->key('{"kty":"...","k":"..."}') + // Audience (`aud` claim): required for validation purpose + ->audience('api-example') + // Issuers (`iss` claim): required for validation purpose + ->issuers(['https://oidc.example.com']) ; }; 
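Review bot: In the rewritten `oidc` example the placeholder JWK `key: '{"kty":"...","k":"..."}'` no longer matches the algorithm it is paired with: `k` is the parameter of a symmetric (`kty: "oct"`) JWK, which is what the removed HS256 examples needed, whereas ES256 verifies with an EC P-256 key whose JWK carries `kty`, `crv`, `x` and `y` instead. A reader copying this block into a firewall could be led to configure an HMAC secret for an ECDSA signature, or to assume the two key types are interchangeable. I would change the placeholder to `key: '{"kty":"EC","crv":"P-256","x":"...","y":"..."}'` in the YAML, XML and PHP variants of this hunk (and in the `claim: email` example of the following hunk), and extend the "A JSON-encoded JWK" comment with a sentence stating that the key must be the verification key matching the chosen `algorithm`. Whether the handler also accepts a symmetric key for ES256 is not visible here, so this is a documentation fix rather than a claim about runtime behaviour.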
@@ -646,9 +646,10 @@ configuration: token_handler: oidc: claim: email - signature: - algorithm: 'HS256' - key: '{"kty":"...","k":"..."}' + algorithm: 'ES256' + key: '{"kty":"...","k":"..."}' + audience: 'api-example' + issuers: ['https://oidc.example.com'] .. code-block:: xml @@ -666,8 +667,8 @@ configuration: - - + + https://oidc.example.com @@ -686,70 +687,10 @@ configuration: ->tokenHandler() ->oidc() ->claim('email') - ->signature() - ->algorithm('HS256') - ->key('{"kty":"...","k":"..."}') - ; - }; - -The ``oidc`` token handler also checks for the token audience. By default, this -audience is optional. To enable this check, add the ``audience`` option: - -.. configuration-block:: - - .. code-block:: yaml - - # config/packages/security.yaml - security: - firewalls: - main: - access_token: - token_handler: - oidc: - audience: 'My audience' - signature: - algorithm: 'HS256' - key: '{"kty":"...","k":"..."}' - - .. code-block:: xml - - - - - - - - - - - - - - - - - - - .. code-block:: php - - // config/packages/security.php - use Symfony\Config\SecurityConfig; - - return static function (SecurityConfig $security) { - $security->firewall('main') - ->accessToken() - ->tokenHandler() - ->oidc() - ->audience('My audience') - ->signature() - ->algorithm('HS256') - ->key('{"kty":"...","k":"..."}') + ->algorithm('ES256') + ->key('{"kty":"...","k":"..."}') + ->audience('api-example') + ->issuers(['https://oidc.example.com']) ; };