Commit 6bb6813

fix(security): OIDC audience MUST be validated according to specification
1 parent 2654e7b commit 6bb6813


4 files changed

+13
-15
lines changed


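--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -28,8 +28,8 @@ class OidcTokenHandlerFactory implements TokenHandlerFactoryInterface
 public function create(ContainerBuilder $container, string $id, array|string $config): void
 {
 $tokenHandlerDefinition = $container->setDefinition($id, (new ChildDefinition('security.access_token_handler.oidc'))
-->replaceArgument(4, $config['claim'])
-->replaceArgument(5, $config['audience'])
+->replaceArgument(2, $config['audience'])
+->replaceArgument(5, $config['claim'])
 );
 
 if (!ContainerBuilder::willBeAvailable('web-token/jwt-core', Algorithm::class, ['symfony/security-bundle'])) {
@@ -68,7 +68,7 @@ public function addConfiguration(NodeBuilder $node): void
 ->end()
 ->scalarNode('audience')
 ->info('Audience set in the token, for validation purpose.')
-->defaultNull()
+->isRequired()
 ->end()
 ->scalarNode('algorithm')
 ->info('Algorithm used to sign the token.')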
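Review bot: `->isRequired()` on the `audience` node only demands that the key be present, so `audience: ~` or `audience: ''` still passes configuration validation and reaches the handler's non-nullable `string $audience` constructor argument, where a null fails with a TypeError at service instantiation and an empty string is silently accepted as the value to check `aud` against. Chaining `->cannotBeEmpty()` after `->isRequired()` makes the misconfiguration fail at container compilation with a clear message instead, which is what a mandatory security setting should do. The `replaceArgument(2, …)` / `replaceArgument(5, …)` indices in the first hunk are coupled to the positional order in security_authenticator_access_token.php; if named-argument keys (`'$audience'`, `'$claim'`) are acceptable in this codebase they would remove that coupling. The `addConfiguration` method continues outside the hunk.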

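--- a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+++ b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
@@ -69,10 +69,10 @@
 ->args([
 abstract_arg('signature algorithm'),
 abstract_arg('signature key'),
+abstract_arg('audience'),
 service('logger')->nullOnInvalid(),
 service('clock'),
 'sub',
-null,
 ])
 
 ->set('security.access_token_handler.oidc.jwk', JWK::class)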

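--- a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
+++ b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -41,10 +41,10 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
 public function __construct(
 private Algorithm $signatureAlgorithm,
 private JWK $jwk,
+private string $audience,
 private ?LoggerInterface $logger = null,
 private ClockInterface $clock = new Clock(),
-private string $claim = 'sub',
-private ?string $audience = null
+private string $claim = 'sub'
 ) {
 }
 
@@ -80,10 +80,8 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 new Checker\IssuedAtChecker(0, false, $this->clock),
 new Checker\NotBeforeChecker(0, false, $this->clock),
 new Checker\ExpirationTimeChecker(0, false, $this->clock),
+new Checker\AudienceChecker($this->audience),
 ];
-if ($this->audience) {
-$checkers[] = new Checker\AudienceChecker($this->audience);
-}
 $claimCheckerManager = new ClaimCheckerManager($checkers);
 // if this check fails, an InvalidClaimException is thrown
 $claimCheckerManager->check($claims);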
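Review bot: The new `private string $audience` parameter in the constructor hunk is non-nullable but nothing rejects an empty string, so a handler built with `''` (for example from a config source that is not the bundle factory) would run `Checker\AudienceChecker('')` and validate `aud` against an empty value rather than fail fast. The constructor body `) {` `}` is empty; adding `if ('' === $audience) { throw new \InvalidArgumentException('The expected audience must not be empty.'); }` there keeps the "audience MUST be validated" guarantee at the type boundary instead of relying on every caller. The second hunk's unconditional `AudienceChecker` is the right shape; a one-line comment such as `// the "aud" claim is always checked: OIDC Core 3.1.3.7 makes audience validation mandatory` would explain to the next maintainer why the former `if ($this->audience)` guard must not come back. `getUserBadgeFrom` starts and ends outside the hunk.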

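--- a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
@@ -55,10 +55,10 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
 $userBadge = (new OidcTokenHandler(
 new ES256(),
 $this->getJWK(),
+self::AUDIENCE,
 $loggerMock,
 new Clock(),
-$claim,
-self::AUDIENCE
+$claim
 ))->getUserBadgeFrom($token);
 $actualUser = $userBadge->getUserLoader()();
 
@@ -89,10 +89,10 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
 (new OidcTokenHandler(
 new ES256(),
 $this->getJWK(),
+self::AUDIENCE,
 $loggerMock,
 new Clock(),
-'sub',
-self::AUDIENCE
+'sub'
 ))->getUserBadgeFrom($token);
 }
 
@@ -148,10 +148,10 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
 (new OidcTokenHandler(
 new ES256(),
 self::getJWK(),
+self::AUDIENCE,
 $loggerMock,
 new Clock(),
-'email',
-self::AUDIENCE
+'email'
 ))->getUserBadgeFrom($token);
 }
 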
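Review bot: All three hunks only move `self::AUDIENCE` to the new constructor position; none of the visible changes adds a case proving the behaviour the commit exists to enforce, namely that a correctly signed token whose `aud` claim is missing or names a different audience is rejected. Unless such a case already exists elsewhere in this file, `testThrowsAnErrorIfTokenIsInvalid` is the natural place for a data-provider entry built from a valid token with the `aud` claim omitted and one with a foreign audience, both expected to throw. The test methods themselves start outside the hunks.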
