Skip to content

[Security] Update OidcTokenHandler dependencies and configuration #19779

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 26, 2024
Merged

[Security] Update OidcTokenHandler dependencies and configuration #19779

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 18 additions & 17 deletions security/access_token.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -537,15 +537,12 @@ claims. To create your own user object from the claims, you must
2) Configure the OidcTokenHandler
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The ``OidcTokenHandler`` requires ``web-token/jwt-signature``,
``web-token/jwt-checker`` and ``web-token/jwt-signature-algorithm-ecdsa``
packages. If you haven't installed them yet, run these commands:
The ``OidcTokenHandler`` requires the package ``web-token/jwt-library``.
Copy link
Contributor

@OskarStark OskarStark Apr 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The ``OidcTokenHandler`` requires the package ``web-token/jwt-library``.
The ``OidcTokenHandler`` requires the ``web-token/jwt-library`` package::

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did this change while merging.

If you haven't installed it yet, run this command:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you haven't installed it yet, run this command:

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't do this change because in other parts of this document we use the same expression. I think that being so explicit makes things very clear.


.. code-block:: terminal

$ composer require web-token/jwt-signature
$ composer require web-token/jwt-checker
$ composer require web-token/jwt-signature-algorithm-ecdsa
$ composer require web-token/jwt-library

Symfony provides a generic ``OidcTokenHandler`` to decode your token, validate
it and retrieve the user info from it:
Expand All @@ -561,10 +558,10 @@ it and retrieve the user info from it:
access_token:
token_handler:
oidc:
# Algorithm used to sign the JWS
algorithm: 'ES256'
# Algorithms used to sign the JWS
algorithms: ['ES256', 'RS256']
# A JSON-encoded JWK
key: '{"kty":"...","k":"..."}'
keyset: '{"keys":[{"kty":"...","k":"..."}]}'
# Audience (`aud` claim): required for validation purpose
audience: 'api-example'
# Issuers (`iss` claim): required for validation purpose
Expand All @@ -589,8 +586,10 @@ it and retrieve the user info from it:
<!-- Algorithm used to sign the JWS -->
<!-- A JSON-encoded JWK -->
<!-- Audience (`aud` claim): required for validation purpose -->
<oidc algorithm="ES256" key="{'kty':'...','k':'...'}" audience="api-example">
<oidc keyset="{'keys':[{'kty':'...','k':'...'}]}" audience="api-example">
<!-- Issuers (`iss` claim): required for validation purpose -->
<algorithm>ES256</algorithm>
<algorithm>RS256</algorithm>
<issuer>https://oidc.example.com</issuer>
</oidc>
</token-handler>
Expand All @@ -610,9 +609,9 @@ it and retrieve the user info from it:
->tokenHandler()
->oidc()
// Algorithm used to sign the JWS
->algorithm('ES256')
->algorithms(['ES256', 'RS256'])
// A JSON-encoded JWK
->key('{"kty":"...","k":"..."}')
->keyset('{"keys":[{"kty":"...","k":"..."}]}')
// Audience (`aud` claim): required for validation purpose
->audience('api-example')
// Issuers (`iss` claim): required for validation purpose
Expand All @@ -636,8 +635,8 @@ configuration:
token_handler:
oidc:
claim: email
algorithm: 'ES256'
key: '{"kty":"...","k":"..."}'
algorithms: ['ES256', 'RS256']
keyset: '{"keys":[{"kty":"...","k":"..."}]}'
audience: 'api-example'
issuers: ['https://oidc.example.com']

Expand All @@ -657,7 +656,9 @@ configuration:
<firewall name="main">
<access-token>
<token-handler>
<oidc claim="email" algorithm="ES256" key="{'kty':'...','k':'...'}" audience="api-example">
<oidc claim="email" keyset="{'keys':[{'kty':'...','k':'...'}]}" audience="api-example">
<algorithm>ES256</algorithm>
<algorithm>RS256</algorithm>
<issuer>https://oidc.example.com</issuer>
</oidc>
</token-handler>
Expand All @@ -677,8 +678,8 @@ configuration:
->tokenHandler()
->oidc()
->claim('email')
->algorithm('ES256')
->key('{"kty":"...","k":"..."}')
->algorithms(['ES256', 'RS256'])
->keyset('{"keys":[{"kty":"...","k":"..."}]}')
->audience('api-example')
->issuers(['https://oidc.example.com'])
;
Expand Down