[Security] Add clock dependency to OidcTokenHandler

nicolas-grekas · nicolas-grekas · commit 4419c6de9e44 · 2023-05-30T19:02:48.000+02:00
From "web-token/jwt-checker":
The parameter "$clock" will become mandatory in 4.0.0. Please set a valid PSR Clock implementation instead of "null".
diff --git a/AccessToken/Oidc/OidcTokenHandler.php b/AccessToken/Oidc/OidcTokenHandler.php
@@ -20,8 +20,9 @@
 use Jose\Component\Signature\JWSVerifier;
 use Jose\Component\Signature\Serializer\CompactSerializer;
 use Jose\Component\Signature\Serializer\JWSSerializerManager;
+use Psr\Clock\ClockInterface;
 use Psr\Log\LoggerInterface;
-use Symfony\Component\Clock\NativeClock;
+use Symfony\Component\Clock\Clock;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidSignatureException;
@@ -41,6 +42,7 @@ public function __construct(
         private Algorithm $signatureAlgorithm,
         private JWK $jwk,
         private ?LoggerInterface $logger = null,
+        private ClockInterface $clock = new Clock(),
         private string $claim = 'sub',
         private ?string $audience = null
     ) {
@@ -74,11 +76,10 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             $headerCheckerManager->check($jws, 0);
 
             // Verify the claims
-            $clock = class_exists(NativeClock::class) ? new NativeClock() : null;
             $checkers = [
-                new Checker\IssuedAtChecker(0, false, $clock),
-                new Checker\NotBeforeChecker(0, false, $clock),
-                new Checker\ExpirationTimeChecker(0, false, $clock),
+                new Checker\IssuedAtChecker(0, false, $this->clock),
+                new Checker\NotBeforeChecker(0, false, $this->clock),
+                new Checker\ExpirationTimeChecker(0, false, $this->clock),
             ];
             if ($this->audience) {
                 $checkers[] = new Checker\AudienceChecker($this->audience);
@@ -93,7 +94,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
             return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
-        } catch (\Throwable $e) {
+        } catch (\Exception $e) {
             $this->logger?->error('An error while decoding and validating the token.', [
                 'error' => $e->getMessage(),
                 'trace' => $e->getTraceAsString(),
diff --git a/AccessToken/Oidc/OidcUserInfoTokenHandler.php b/AccessToken/Oidc/OidcUserInfoTokenHandler.php
@@ -49,7 +49,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
             return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
-        } catch (\Throwable $e) {
+        } catch (\Exception $e) {
             $this->logger?->error('An error occurred on OIDC server.', [
                 'error' => $e->getMessage(),
                 'trace' => $e->getTraceAsString(),
diff --git a/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
@@ -18,6 +18,7 @@
 use Jose\Component\Signature\Serializer\CompactSerializer;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\Clock\Clock;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\OidcUser;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
@@ -55,6 +56,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
             new ES256(),
             $this->getJWK(),
             $loggerMock,
+            new Clock(),
             $claim,
             self::AUDIENCE
         ))->getUserBadgeFrom($token);
@@ -88,6 +90,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
             new ES256(),
             $this->getJWK(),
             $loggerMock,
+            new Clock(),
             'sub',
             self::AUDIENCE
         ))->getUserBadgeFrom($token);
@@ -146,6 +149,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
             new ES256(),
             self::getJWK(),
             $loggerMock,
+            new Clock(),
             'email',
             self::AUDIENCE
         ))->getUserBadgeFrom($token);
diff --git a/composer.json b/composer.json
@@ -26,6 +26,7 @@
     },
     "require-dev": {
         "symfony/cache": "^5.4|^6.0",
+        "symfony/clock": "^6.3",
         "symfony/expression-language": "^5.4|^6.0",
         "symfony/http-client-contracts": "^3.0",
         "symfony/rate-limiter": "^5.4|^6.0",
@@ -37,6 +38,7 @@
         "web-token/jwt-signature-algorithm-ecdsa": "^3.1"
     },
     "conflict": {
+        "symfony/clock": "<6.3",
         "symfony/event-dispatcher": "<5.4.9|>=6,<6.0.9",
         "symfony/http-client-contracts": "<3.0",
         "symfony/security-bundle": "<5.4",
