This PR introducesOIDC discovery onoidc andoidc_user_info token handlers.

TODO

• use JWSLoader in OidcTokenHandler
• introduce OidcUserInfoDiscoveryTokenHandler
• introduce OidcDiscoveryTokenHandler
• update src/**/CHANGELOG.md files
• update UPGRADE-*.md files
• add tests on AccessTokenFactoryTest with discovery
• create documentation PR

What is OIDC Discovery?

OIDC discovery is a generic endpoint on the OIDC server, which gives any public information such as signature public keys and endpoints URIs (userinfo, token, etc.). An example is available on the API Platform Demo:
https://demo.api-platform.com/oidc/realms/demo/.well-known/openid-configuration.

Using the OIDC discovery simplifies theoidc security configuration, allowing to just configure the discovery and let Symfony store the configuration and the keyset in cache. For instance, if theuserinfo_endpoint orsignature keyset change on the OIDC server, no need to update the environment variables in the Symfony application, just clear the corresponding cache and it'll retrieve the configuration and the keyset accordingly on the next request.

In theoidc_user_info security configuration, it does the same logic but only aboutuserinfo_endpoint as this token handler doesn't need thekeyset.

How Do I Use This New Feature in Symfony?

The currentoidc token handler configuration requires akeyset option which may change on the OIDC server. It is configured as following:

# config/packages/security.yamlsecurity:firewalls:main:access_token:oidc:claim:'email'audience:'symfony'issuers:['https://example.com/']algorithms:['RS256']keyset:'{"keys":[{"kty":"EC",...}]}'

Note: those parameters should be configured with environment variables.

With thediscovery option, Symfony will retrieve thekeyset directly from the OIDC discovery URI and store it in a cache:

# config/packages/security.yamlsecurity:firewalls:main:access_token:oidc:# 'keyset' option is not necessary anymore as it's retrieved from OIDC discovery and stored in cacheclaim:'email'audience:'symfony'issuers:['https://example.com/']algorithms:['RS256']discovery:base_uri:'https://example.com/oidc/realms/master/'cache:id:cache.app# require to create this cache in framework.yaml

Note: some other parameters might be retrieven from the OIDC discovery, maybe 'algorithm' or 'issuers'. To discuss.

The currentoidc_user_info token handler required abase_uri corresponding to theuserinfo_endpoint URI on the OIDC server. This URI may change if it's changed on the OIDC server. Introducing the discovery helps to configure it dynamically.

The current configuration looks like the following:

# config/packages/security.yamlsecurity:firewalls:main:access_token:oidc_user_info:# 'base_uri' is the userinfo_endpoint URIbase_uri:'https://example.com/oidc/realms/master/protocol/openid-connect/userinfo'claim:'email'

With thediscovery, it will look like this:

# config/packages/security.yamlsecurity:firewalls:main:access_token:oidc_user_info:# 'base_uri' can be the userinfo_endpoint for backward compatibility# and can be the OIDC server url in addition of 'discovery' optionbase_uri:'https://example.com/oidc/realms/master/'claim:'email'discovery:cache:id:cache.app# require to create this cache in framework.yaml