Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] OidcTokenHandler support JWKSet#51665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed

Conversation

@louismariegaborit
Copy link
Contributor

@louismariegaboritlouismariegaborit commentedSep 15, 2023
edited
Loading

QA
Branch?7.1
Bug fix?no
New feature?yes
Deprecations?no
TicketsFix#53491
LicenseMIT
Doc PRToDo

This PR can supports now :

The need comes from the validation of an AWS Cognito Token.
Amazon gived a url to get JWKSet and signature is RS256.

P.S.: It's my first feature PR on Symfony. The description may be missing information or the changes may be clumsy. 😊

Copy link
Member

@stofstof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This misses updating the changelog to mention the addition of support for the RS256 algorithm and thejwks_url option

@louismariegaborit
Copy link
ContributorAuthor

This misses updating the changelog to mention the addition of support for the RS256 algorithm and thejwks_url option

Changelog added.
Thanks for your review. I do the last change in few days.

@Spomky
Copy link
Contributor

Or maybe@Spomky has a better idea?

Indeed, the JWKSet may change from time to time. It completely depends on the distant service policy and keys may rotate on a periodic manner or be revoked.
Having a HTTP Client with caching features is a solution I used in the past. Another solution I prefer if to share the keysets to the application using a read-only file. The keys are changed by cron task that periodically. In other words: the application is not responsible of managing the keys. This way, there is no client injection or latency waiting for the keysets to be updated.
It requires a bit more work, but does not impact the application performance and reduces its complexity.

Or we could extend JKWSet to make a variant of it that does it instead.

In the past, such featurewas implemented, but removed because of caching/performance issues.

@louismariegaborit
Copy link
ContributorAuthor

Thanks@nicolas-grekas and@Spomky for review.

You're right. Let's start by supporting JWKSet from a file.
And in review my first draft of this work, I realize that it's not complete. Support JWKSet means that many algorithm signatures could be verify.

The OidcTokenHandler class is final. Can I change the construct signature to replace the type of the first argument with AlgorithmManager or I must keep the type Algorithm and add a deprecate notice to accept only AlgorithManager in 8.0 ?
Which means that we must also update the SecurityBundle to accept an array in thealgorithm config key.

WDYT ?

@stof
Copy link
Member

@louismariegaborit you must change the type to a union type of the old and new one, and trigger a deprecation when the old one is passed.

louismariegaborit reacted with thumbs up emoji

@louismariegaboritlouismariegaboritforce-pushed thesecurity_jwkset branch 5 times, most recently from8ed8001 toe124d0aCompareJanuary 31, 2024 19:39
@louismariegaboritlouismariegaborit changed the title[Security] Support JWKSet json encoded from url[Security] OidcTokenHandler support JWKSetJan 31, 2024
@louismariegaboritlouismariegaboritforce-pushed thesecurity_jwkset branch 2 times, most recently fromb69e465 to5d9a3acCompareJanuary 31, 2024 19:44
@louismariegaborit
Copy link
ContributorAuthor

@louismariegaborit you must change the type to a union type of the old and new one, and trigger a deprecation when the old one is passed.

@stof Can I rename the argument ?

@louismariegaborit
Copy link
ContributorAuthor

louismariegaborit commentedFeb 2, 2024
edited
Loading

As we discuss with@Spomky and@vincentchalamon in the#53682 (comment) PR/comment, we propose an update of the oidc_token_handler in the SecurityBundle to authorize JWKSet and multiple algorithms.

One proposal would be to replace the algorithm and key properties with algorithms and keys to process arrays.

WDYT ? (cc@nicolas-grekas)

@louismariegaborit
Copy link
ContributorAuthor

@Spomky We are agree that this PR can be closed as the PR#53682 was merged ?

@Spomky
Copy link
Contributor

Agreed!

@louismariegaborit
Copy link
ContributorAuthor

Duplicate#53682

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@nicolas-grekasnicolas-grekasnicolas-grekas left review comments

@SpomkySpomkySpomky left review comments

@chalasrchalasrAwaiting requested review from chalasrchalasr is a code owner

@stofstofAwaiting requested review from stof

+1 more reviewer

@stloydstloydstloyd left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Projects

None yet

Milestone

7.1

Development

Successfully merging this pull request may close these issues.

JWKSet support forOIDCTokenHandler

7 participants

@louismariegaborit@nicolas-grekas@Spomky@stof@stloyd@fabpot@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp