🌐 AI搜索 & 代理 主页
Skip to content

[Security][SecurityBundle] Add encryption support to OIDC tokens #57721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fabpot merged 1 commit into from
Jan 17, 2025
Merged

[Security][SecurityBundle] Add encryption support to OIDC tokens #57721

fabpot merged 1 commit into from
Jan 17, 2025

Conversation

@Spomky
Copy link
Contributor

@Spomky Spomky commented Jul 13, 2024
edited
Loading

Q A
Branch? 7.3
Bug fix? no
New feature? yes
Deprecations? no
Issues Fix #50441
License MIT

The changes add encryption support to OpenID Connect (OIDC) tokens in the Symfony Security Bundle. This is useful in making the application more secure. They also ensure the tokens are correctly decrypted and validated before use. Additionally, tests have been expanded to cover these new scenarios.

security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oidc:
                        ...
                        encryption:
                            enabled: true
                            algorithms: [...]
                            keyset: '{"keys": [{...}]}'

@Spomky Spomky requested a review from chalasr as a code owner July 13, 2024 13:45
@carsonbot carsonbot added this to the 7.2 milestone Jul 13, 2024
@Spomky
Copy link
Contributor Author

Spomky commented Jul 13, 2024

Ping @vincentchalamon

@Spomky Spomky force-pushed the features/jwe-support branch 2 times, most recently from 90932a8 to eee5392 Compare July 14, 2024 07:35
@Spomky Spomky force-pushed the features/jwe-support branch from eee5392 to 7e47bfc Compare July 31, 2024 06:46
nicolas-grekas
nicolas-grekas reviewed Aug 16, 2024
View reviewed changes
nicolas-grekas
nicolas-grekas reviewed Aug 16, 2024
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there no XSD to update?

@Spomky Spomky force-pushed the features/jwe-support branch from 7e47bfc to 870844d Compare September 1, 2024 08:02
@Spomky
Copy link
Contributor Author

Spomky commented Sep 1, 2024

Is there no XSD to update?

@nicolas-grekas I'm not sure what to change.

@Spomky Spomky force-pushed the features/jwe-support branch from 870844d to c4eb497 Compare September 1, 2024 08:06
@fabpot fabpot modified the milestones: 7.2, 7.3 Nov 20, 2024
@Spomky Spomky force-pushed the features/jwe-support branch from c4eb497 to cd1c431 Compare December 25, 2024 17:13
@chalasr
Copy link
Member

chalasr commented Dec 26, 2024

@Spomky The new options need to be added to SecurityBundle/Resources/config/schema/security-1.0.xsd

@Spomky Spomky force-pushed the features/jwe-support branch from cd1c431 to 6545e1d Compare December 26, 2024 17:01
@Spomky
Copy link
Contributor Author

Spomky commented Dec 26, 2024

@Spomky The new options need to be added to SecurityBundle/Resources/config/schema/security-1.0.xsd

Hello @chalasr,
I modified the schema. Note that I am not sure it is fine of not (I was not aware of it before your comment).
Regards.

@Spomky Spomky force-pushed the features/jwe-support branch from 6545e1d to 9fab3e4 Compare December 26, 2024 17:35
@Spomky Spomky force-pushed the features/jwe-support branch 2 times, most recently from eed73ba to a4ee3ab Compare January 5, 2025 14:27
@Spomky Spomky force-pushed the features/jwe-support branch from a586a53 to 2461696 Compare January 5, 2025 16:57
chalasr
chalasr previously approved these changes Jan 5, 2025
View reviewed changes
@chalasr chalasr dismissed their stale review January 5, 2025 17:02

Some low-deps test is failing

@Spomky Spomky force-pushed the features/jwe-support branch from 2461696 to cb70da3 Compare January 5, 2025 17:07
@Spomky
Copy link
Contributor Author

Spomky commented Jan 5, 2025

Hi,

I am not sure how to fix the failing tests.
The annotation @requires extension openssl is present, but it looks like the dataProvider is called.
Should I refactor these tests?

@Spomky Spomky force-pushed the features/jwe-support branch 3 times, most recently from 7697f15 to 6312567 Compare January 5, 2025 17:35
@chalasr
Copy link
Member

chalasr commented Jan 5, 2025

You may need to bump the security-http dependency to ^7.3 in security-bundle

@Spomky Spomky force-pushed the features/jwe-support branch 5 times, most recently from c69f934 to 9434658 Compare January 5, 2025 18:12
@Spomky Spomky force-pushed the features/jwe-support branch 4 times, most recently from 41e0030 to 78f9a88 Compare January 5, 2025 19:37
@Spomky
[Security] OAuth2 Introspection Endpoint (RFC7662)
04c53b4 
In addition to the excellent work of @vincentchalamon symfony#48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:

* If the access token is active
* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.
@Spomky Spomky force-pushed the features/jwe-support branch from 78f9a88 to 04c53b4 Compare January 5, 2025 19:49
@Spomky
Copy link
Contributor Author

Spomky commented Jan 5, 2025

Many thaks.
Took me a while to understand the problem with the remaining failing tests.😅
Sorry for the noise. All green now.

@fabpot
Copy link
Member

fabpot commented Jan 17, 2025

Thank you @Spomky.

@fabpot fabpot merged commit 0051b15 into symfony:7.3 Jan 17, 2025
11 checks passed
@fabpot fabpot mentioned this pull request Jan 17, 2025
Closed
@Spomky Spomky deleted the features/jwe-support branch February 7, 2025 20:18
@fabpot fabpot mentioned this pull request May 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

@OskarStark OskarStark OskarStark left review comments

@fabpot fabpot fabpot approved these changes

@chalasr chalasr chalasr approved these changes

+1 more reviewer

@vincentchalamon vincentchalamon vincentchalamon left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Feature Security SecurityBundle Status: Reviewed

Projects

None yet

Milestone

7.3

Development

Successfully merging this pull request may close these issues.

[Security] Support JWE on OidcTokenHandler

7 participants

@Spomky @chalasr @fabpot @nicolas-grekas @vincentchalamon @OskarStark @carsonbot