feat(security): Add header and claim checks by petski · Pull Request #486 · api-platform/demo · GitHub

feat(security): Add header and claim checks #486


Closed
wants to merge 1 commit into from

Conversation

petski
@petski petski commented Dec 5, 2024

Add header and claim checks in OidcDiscoveryTokenHandler

Currently, api/src/Security/Http/AccessToken/Oidc/OidcDiscoveryTokenHandler.php doesn't use a HeaderCheckerManager and/or a ClaimCheckerManager to check claims like alg or exp.

As a result, you can query the demo-API with an expired token. (I double-checked this).

Don't be fooled by the call to loadAndVerifyWithKeySet(), as it verifies the keys, not the claims.

(The demo never claims it has this extra layer of security, so I think it's safe to consider this PR as a feature enhancement).
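The distinction drawn above (signature verification versus header and claim checks) in working code, as an added example that is not code from api-platform/demo or from this PR. It assumes web-token/jwt-framework 3.x (the Jose library the token handler already depends on), a compact-serialized JWS access token, RS256 as the only algorithm the IdP issues, and a `JWKSet` already fetched from the OIDC discovery document; the function name `verifyAccessToken` and the 30-second clock-skew allowance are this example's own choices:

```php
<?php
// Added example, not code from api-platform/demo or from PR #486.
// Assumes web-token/jwt-framework 3.x and a compact JWS access token.

declare(strict_types=1);

use Jose\Component\Checker\AlgorithmChecker;
use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Checker\IssuedAtChecker;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Checker\NotBeforeChecker;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSLoader;
use Jose\Component\Signature\JWSTokenSupport;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializerManager;

/**
 * Verifies the token's signature against the discovered JWKS, then checks
 * the protected header (alg) and the claims (exp, nbf, iat, iss, aud).
 * A valid signature on its own says nothing about whether the token has
 * expired; that is exactly the gap loadAndVerifyWithKeySet() alone leaves.
 *
 * @return array<string, mixed> the validated claims
 */
function verifyAccessToken(string $token, JWKSet $jwks, string $issuer, string $audience): array
{
    // Pin the accepted algorithms to what the IdP actually signs with.
    // An attacker-chosen "alg" is rejected here, before any key lookup.
    $headerChecker = new HeaderCheckerManager(
        [new AlgorithmChecker(['RS256'], true)], // true: protected header only
        [new JWSTokenSupport()],
    );

    $jwsLoader = new JWSLoader(
        new JWSSerializerManager([new CompactSerializer()]),
        new JWSVerifier(new AlgorithmManager([new RS256()])),
        $headerChecker,
    );

    // The header checker runs inside the loader; the signature is verified
    // against $jwks. $signatureIndex receives which signature validated.
    $jws = $jwsLoader->loadAndVerifyWithKeySet($token, $jwks, $signatureIndex);

    $payload = $jws->getPayload();
    if ($payload === null) {
        throw new \RuntimeException('Token has no payload.');
    }
    $claims = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);

    // Claim checks are a separate step the loader never performs:
    // time-based claims with a small skew allowance (assumed: 30 s),
    // plus issuer and audience pinned to this API.
    $claimChecker = new ClaimCheckerManager([
        new IssuedAtChecker(30),
        new NotBeforeChecker(30),
        new ExpirationTimeChecker(30),
        new IssuerChecker([$issuer]),
        new AudienceChecker($audience),
    ]);

    // The second argument makes these claims mandatory: a token that simply
    // omits "exp" is rejected instead of silently passing every checker.
    $claimChecker->check($claims, ['iss', 'sub', 'aud', 'exp']);

    return $claims;
}
```

The two managers fail in different ways that are worth telling apart in logs: `HeaderCheckerManager` throws `InvalidHeaderException` (for example on an unexpected `alg`), while `ClaimCheckerManager` throws `InvalidClaimException` (expired `exp`, wrong `iss`) or `MissingMandatoryClaimException` when a claim listed in the second argument to `check()` is absent.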

@vincentchalamon
Contributor

Hi @petski,

Thanks for this security fix!

Actually, this TokenHandler was a POC. A PR has been opened on Symfony to implement it without the loadAndVerifyWithKeySet method call: symfony/symfony#54932. Once this PR is merged and tagged, the TokenHandler in the Demo will be replaced by the Symfony one.

Until then, your fix is welcome in this project :-)

@vincentchalamon added the bug and deploy (Deploys Pull Request) labels and removed the deploy (Deploys Pull Request) label on Dec 5, 2024
@vincentchalamon
Contributor

Hi @petski,
Nice catch!
I've worked on it using Jose bundle configuration. See #486
