The changes add encryption support to OpenID Connect (OIDC) tokens in the Symfony Security Bundle. This is useful in making the application more secure. They also ensure the tokens are correctly decrypted and validated before use. Additionally, tests have been expanded to cover these new scenarios.

security:firewalls:main:pattern:^/access_token:token_handler:oidc:...encryption:enabled:truealgorithms:[...]keyset:'{"keys": [{...}]}'

Spomky requested a review fromchalasr as acode owner

July 13, 2024 13:45

carsonbot added Status: Needs Review Feature Security SecurityBundle labels

Jul 13, 2024

carsonbot added this to the7.2 milestone

Jul 13, 2024

Copy link

ContributorAuthor

Spomky commentedJul 13, 2024

Ping@vincentchalamon

Spomky force-pushed thefeatures/jwe-support branch 2 times, most recently from90932a8 toeee5392Compare

July 14, 2024 07:35

vincentchalamon reviewed

Jul 15, 2024

View reviewed changes

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AccessToken/config_oidc.yml OutdatedShow resolvedHide resolved

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.phpShow resolvedHide resolved

Spomky force-pushed thefeatures/jwe-support branch fromeee5392 to7e47bfcCompare

July 31, 2024 06:46

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

...y/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php OutdatedShow resolvedHide resolved

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

...y/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php OutdatedShow resolvedHide resolved

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php OutdatedShow resolvedHide resolved

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php OutdatedShow resolvedHide resolved

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

src/Symfony/Component/Security/Http/CHANGELOG.md OutdatedShow resolvedHide resolved

nicolas-grekas reviewed

Aug 16, 2024

View reviewed changes

Copy link

Member

nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is there no XSD to update?

OskarStark reviewed

Aug 16, 2024

View reviewed changes

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php OutdatedShow resolvedHide resolved

Spomky force-pushed thefeatures/jwe-support branch from7e47bfc to870844dCompare

September 1, 2024 08:02

Copy link

ContributorAuthor

Spomky commentedSep 1, 2024

Is there no XSD to update?

@nicolas-grekas I'm not sure what to change.

Spomky force-pushed thefeatures/jwe-support branch from870844d toc4eb497Compare

September 1, 2024 08:06

fabpot modified the milestones:7.2,7.3

Nov 20, 2024

Spomky force-pushed thefeatures/jwe-support branch fromc4eb497 tocd1c431Compare

December 25, 2024 17:13

Copy link

Member

chalasr commentedDec 26, 2024

@Spomky The new options need to be added to SecurityBundle/Resources/config/schema/security-1.0.xsd

Spomky force-pushed thefeatures/jwe-support branch fromcd1c431 to6545e1dCompare

December 26, 2024 17:01

Copy link

ContributorAuthor

Spomky commentedDec 26, 2024

@Spomky The new options need to be added to SecurityBundle/Resources/config/schema/security-1.0.xsd

Hello@chalasr,
I modified the schema. Note that I am not sure it is fine of not (I was not aware of it before your comment).
Regards.

Spomky force-pushed thefeatures/jwe-support branch from6545e1d to9fab3e4Compare

December 26, 2024 17:35

Spomky force-pushed thefeatures/jwe-support branch 2 times, most recently fromeed73ba toa4ee3abCompare

January 5, 2025 14:27

Spomky force-pushed thefeatures/jwe-support branch froma586a53 to2461696Compare

January 5, 2025 16:57

chalasr previously approved these changes

Jan 5, 2025

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels

Jan 5, 2025

chalasr dismissed theirstale review

January 5, 2025 17:02

Some low-deps test is failing

Spomky force-pushed thefeatures/jwe-support branch from2461696 tocb70da3Compare

January 5, 2025 17:07

Copy link

ContributorAuthor

Spomky commentedJan 5, 2025

Hi,

I am not sure how to fix the failing tests.
The annotation@requires extension openssl is present, but it looks like the dataProvider is called.
Should I refactor these tests?

Spomky force-pushed thefeatures/jwe-support branch 3 times, most recently from7697f15 to6312567Compare

January 5, 2025 17:35

Copy link

Member

chalasr commentedJan 5, 2025

You may need to bump the security-http dependency to ^7.3 in security-bundle

Spomky force-pushed thefeatures/jwe-support branch 5 times, most recently fromc69f934 to9434658Compare

January 5, 2025 18:12

chalasr approved these changes

Jan 5, 2025

View reviewed changes

Spomky force-pushed thefeatures/jwe-support branch 4 times, most recently from41e0030 to78f9a88Compare

January 5, 2025 19:37

[Security] OAuth2 Introspection Endpoint (RFC7662)

04c53b4

In addition to the excellent work of@vincentchalamonsymfony#48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:* If the access token is active* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.