[Security][SecurityBundle] OIDC discovery #54932
Open: vincentchalamon wants to merge 8 commits into symfony:7.2 from vincentchalamon:feat/oidc-discovery
Hey! Thanks for your PR. You are targeting branch "7.1" but it seems your PR description refers to branch "7.2". Cheers! Carsonbot

@Spomky You might be interested in this PR
carsonbot changed the title from "[Security] OIDC discovery" to "[Security][SecurityBundle] OIDC discovery" on May 15, 2024
This PR introduces OIDC discovery on the `oidc` and `oidc_user_info` token handlers.

TODO

What is OIDC Discovery?

OIDC discovery is a generic endpoint on the OIDC server, which gives any public information such as signature public keys and endpoint URIs (userinfo, token, etc.). An example is available on the API Platform Demo: https://demo.api-platform.com/oidc/realms/demo/.well-known/openid-configuration.

Using the OIDC discovery simplifies the `oidc` security configuration, allowing you to just configure the discovery and let Symfony store the configuration and the keyset in cache. For instance, if the userinfo_endpoint or signature keyset changes on the OIDC server, there is no need to update the environment variables in the Symfony application: just clear the corresponding cache and it'll retrieve the configuration and the keyset accordingly on the next request.

In the `oidc_user_info` security configuration, it does the same logic but only for the userinfo_endpoint, as this token handler doesn't need the keyset.

Note About Introducing OIDC Discovery in OIDC Token Handlers

How Do I Use This New Feature in Symfony?

The current `oidc` token handler configuration requires a `keyset` option which may change on the OIDC server. It is configured as follows:

With the `discovery` option, Symfony will retrieve the `keyset` directly from the OIDC discovery URI and store it in a cache:

The current `oidc_user_info` token handler requires a `base_uri` corresponding to the userinfo_endpoint URI on the OIDC server. This URI may change if it's changed on the OIDC server. Introducing the discovery helps to configure it dynamically. The current configuration looks like the following:

With the `discovery`, it will look like this:

Why use JWSLoader in OidcTokenHandler?

Currently, the OidcTokenHandler creates its own dependencies such as JWSVerifier, JWSSerializerManager, Checkers, etc. The web-token/jwt-library has a JWSLoader which does the same job: unserialize the token, verify its signature, and check its headers and claims.

Using JWSLoader instead of doing the job manually gives the developer the possibility to use custom checkers or custom configuration in the OidcTokenHandler (when using the component), simplifies the code and improves its maintenance.
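The discovery-plus-cache flow the description relies on, as an added Python example that is not part of the PR or of Symfony's code: it resolves the userinfo endpoint and the signing keyset from a constructed discovery document and JWKS, caches both so repeated token checks make no round-trips, refetches lazily after the cache is cleared, and rejects a document whose issuer does not match the issuer queried. The issuer, URLs, key id and the `sample_fetch` stand-in for an HTTPS GET are all constructed placeholders.

```python
# Constructed sample documents standing in for an OIDC server (added example, not PR code).
ISSUER = "https://op.example/realms/demo"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
}
SAMPLE_JWKS = {"keys": [{"kty": "EC", "crv": "P-256", "kid": "key-2024", "use": "sig"}]}
SAMPLE_SERVER = {ISSUER + "/.well-known/openid-configuration": SAMPLE_DISCOVERY,
                 SAMPLE_DISCOVERY["jwks_uri"]: SAMPLE_JWKS}


def sample_fetch(url):
    # Stand-in for an HTTPS GET returning parsed JSON; serves the documents above.
    return dict(SAMPLE_SERVER[url])


class OidcDiscovery:
    def __init__(self, issuer, fetch_json=sample_fetch):
        self.issuer = issuer.rstrip("/")
        self.fetch_json = fetch_json  # callable(url) -> dict
        self.cache = {}               # stands in for the application's cache pool
        self.fetch_count = 0          # counts network round-trips, for the caller to inspect

    def _cached(self, key, url):
        if key not in self.cache:
            self.cache[key] = self.fetch_json(url)
            self.fetch_count += 1
        return self.cache[key]

    def configuration(self):
        conf = self._cached("config", self.issuer + "/.well-known/openid-configuration")
        # OIDC Discovery section 4.3: the document's issuer must equal the issuer queried,
        # so a misdirected or tampered document cannot hand the application foreign keys.
        if conf.get("issuer") != self.issuer:
            raise ValueError("issuer mismatch: %r" % conf.get("issuer"))
        return conf

    def userinfo_endpoint(self):
        return self.configuration()["userinfo_endpoint"]

    def key_for(self, kid):
        # Signing key by kid from the cached keyset; None means the token's key is unknown.
        keys = self._cached("jwks", self.configuration()["jwks_uri"])["keys"]
        return next((k for k in keys if k.get("kid") == kid), None)

    def clear_cache(self):
        # After a key rotation or endpoint change on the server, clear and refetch lazily.
        self.cache.clear()
```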