Commit 1386a8f

minor #20637 [Security] Add support for encrypted access tokens (JWE) in OIDC (Spomky)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security] Add support for encrypted access tokens (JWE) in OIDC

Fixes #20577

This update introduces support for decrypting encrypted access tokens (JWE) in Symfony 7.3. It includes configuration options for enabling encryption, enforcing it, specifying decryption algorithms, and providing decryption keysets. The feature extends flexibility in handling secure tokens alongside existing signing mechanisms.

**⚠ Warning**: I am not sure the XML and PHP examples are correct.

Commits
-------

8b403f7 Add support for encrypted access tokens (JWE) in OIDC

2 parents 15728d3 + 8b403f7, commit 1386a8f

File tree: 1 file changed, +24 −3 lines changed

security/access_token.rst (24 additions & 3 deletions)
@@ -615,8 +615,8 @@ If you haven't installed it yet, run this command:
615615
616616
$ composer require web-token/jwt-library
617617
618-
Symfony provides a generic ``OidcTokenHandler``to decode your token,validate
619-
it andretrieve the userinfo from it:
618+
Symfony provides a generic ``OidcTokenHandler``that decodes the token,validates
619+
it, andretrieves the userinformation from it. Optionally, the token can be encrypted (JWE):
620620

621621
..configuration-block::
622622

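Review bot: the rewritten sentence at 618-619 ends with "Optionally, the token can be encrypted (JWE):" and the colon leads straight into the configuration block, which reads as if the block showed only the encrypted case, while it configures signing first and encryption only as a sub-key. Suggest closing the optional-encryption remark with a full stop and introducing the block separately, e.g. "The token can optionally be encrypted (JWE). Configure the handler as follows:".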
@@ -637,6 +637,11 @@ it and retrieve the user info from it:
637637
audience:'api-example'
638638
# Issuers (`iss` claim): required for validation purpose
639639
issuers:['https://oidc.example.com']
640+
encryption:
641+
enabled:true# Default to false
642+
enforce:false# Default to false, requires an encrypted token when true
643+
algorithms:['ECDH-ES', 'A128GCM']
644+
keyset:'{"keys": [...]}'# Encryption private keyset
640645
641646
..code-block::xml
642647
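Review bot: the list `algorithms: ['ECDH-ES', 'A128GCM']` at 643 mixes two different kinds of algorithm without saying so: `ECDH-ES` is a JWE key-management (`alg`) algorithm and `A128GCM` a content-encryption (`enc`) algorithm, and a JWE needs one of each, so the docs should state that both kinds must be listed. Suggest a trailing comment such as `# JWE key management ('alg') and content encryption ('enc') algorithms`. Also, `# Default to false` at 641-642 should read `# Defaults to false`.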
@@ -662,6 +667,10 @@ it and retrieve the user info from it:
662667
<algorithm>ES256</algorithm>
663668
<algorithm>RS256</algorithm>
664669
<issuer>https://oidc.example.com</issuer>
670+
<encryptionenabled="true"enforce="true"keyset="{'keys': [...]}">
671+
<algorithm>ECDH-ES</algorithm>
672+
<algorithm>A128GCM</algorithm>
673+
</encryption>
665674
</oidc>
666675
</token-handler>
667676
</access-token>
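Review bot: the `keyset` attribute at 670 is not valid JSON: `{'keys': [...]}` uses single quotes, whereas the YAML (644) and PHP examples use `{"keys": [...]}`, and a JSON decoder would reject it. Inside an XML attribute the double quotes need escaping, e.g. `keyset="{&quot;keys&quot;: [...]}"`. The same line sets `enforce="true"` while the YAML (642) and PHP examples use `false`; the three formats should show the same configuration so a reader comparing them is not misled about the default.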
@@ -681,12 +690,20 @@ it and retrieve the user info from it:
681690
->oidc()
682691
// Algorithm used to sign the JWS
683692
->algorithms(['ES256', 'RS256'])
684-
// A JSON-encodedJWK
693+
// A JSON-encodedJWKSet (public keys)
685694
->keyset('{"keys":[{"kty":"...","k":"..."}]}')
686695
// Audience (`aud` claim): required for validation purpose
687696
->audience('api-example')
688697
// Issuers (`iss` claim): required for validation purpose
689698
->issuers(['https://oidc.example.com'])
699+
->encryption()
700+
->enabled(true) //Default to false
701+
->enforce(false) //Default to false, requires an encrypted token when true
702+
// Algorithm used to decrypt the JWE
703+
->algorithms(['ECDH-ES', 'A128GCM'])
704+
// A JSON-encoded JWKSet (private keys)
705+
->keyset('{"keys":[...]}')
706+
690707
;
691708
};
692709
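Review bot: line 706 is an empty `+` line between `->keyset('{"keys":[...]}')` and the closing `;`, which leaves a stray blank line inside the fluent chain; drop it. The comments `//Default to false` at 700-701 are missing the space after `//` that every other comment in this block uses, and `// Algorithm used to decrypt the JWE` at 702 should be plural (`// Algorithms used to decrypt the JWE`) to match `// Algorithm used to sign the JWS` in form and the two-entry list it describes.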
@@ -695,6 +712,10 @@ it and retrieve the user info from it:
695712
The support of multiple algorithms to sign the JWS was introduced in Symfony 7.1.
696713
In previous versions, only the ``ES256`` algorithm was supported.
697714

715+
..versionadded::7.3
716+
717+
Support for encryption algorithms to decrypt JWEs was introduced in Symfony 7.3.
718+
698719
To enable `OpenID Connect Discovery`_, the ``OidcTokenHandler`` requires the
699720
``symfony/cache`` package to store the OIDC configuration in the cache. If you
700721
haven't installed it yet, run the following command:
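Review bot: the new `.. versionadded:: 7.3` note at 717 describes the feature narrowly ("Support for encryption algorithms to decrypt JWEs") although the change documents the whole `encryption` option (`enabled`, `enforce`, `algorithms`, `keyset`). Suggest "Support for encrypted access tokens (JWE) and the ``encryption`` option was introduced in Symfony 7.3." so the note matches the PR title and the options it refers to.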
