Add OIDC encryption algorithm and improve exceptions
The `security.access_token_handler.oidc.encryption_algorithm` tag is now listed among the known tags in UnusedTagsPass. The `encryption.algorithms` array used for token decryption now requires at least one element. Test exception messages were updated to match the current configuration messages, and new tests covering the OIDC token handler's encryption configuration were added.
1 parent 9093bbc commit 90932a8

3 files changed

+85
-1
lines changed


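--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
@@ -82,6 +82,7 @@ class UnusedTagsPass implements CompilerPassInterface
 'routing.route_loader',
 'scheduler.schedule_provider',
 'scheduler.task',
+'security.access_token_handler.oidc.encryption_algorithm',
 'security.access_token_handler.oidc.signature_algorithm',
 'security.authenticator.login_linker',
 'security.expression_language_provider',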

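--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -141,6 +141,7 @@ public function addConfiguration(NodeBuilder $node): void
 ->arrayNode('algorithms')
 ->info('Algorithms used to decrypt the token.')
 ->isRequired()
+->requiresAtLeastOneElement()
 ->scalarPrototype()->end()
 ->end()
 ->scalarNode('keyset')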
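Review bot: `requiresAtLeastOneElement()` on `encryption.algorithms` rejects an empty list but the node still accepts any scalar, so a misspelt or unsupported algorithm — or a deliberately weak one such as `RSA1_5`, which this commit's own tests list — is only discovered at runtime when a token arrives. Consider validating the values at configuration time, or at least say in the node's `info()` what kind of identifiers belong here and that PKCS#1 v1.5 key transport should be left out: `->info('JWE key-management algorithms accepted when decrypting the token (e.g. RSA-OAEP-256, ECDH-ES+A256KW); do not enable RSA1_5, which is exposed to padding-oracle attacks.')`. The current text 'Algorithms used to decrypt the token' does not distinguish key-management from content-encryption algorithms, which matters for what an operator is expected to list. The enclosing `addConfiguration()` method starts and ends outside this hunk, so whether a validation closure fits the node definition cannot be confirmed from the diff.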

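--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
@@ -113,7 +113,7 @@ public function testInvalidOidcTokenHandlerConfigurationKeyMissing()
 $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
 
 $this->expectException(InvalidConfigurationException::class);
-$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).');
+$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).');
 
 $this->processConfig($config, $factory);
 }
@@ -257,6 +257,88 @@ public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms()
 $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
 }
 
+public function testOidcTokenHandlerConfigurationWithEncryption()
+{
+$container = new ContainerBuilder();
+$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+$config = [
+'token_handler' => [
+'oidc' => [
+'algorithms' => ['RS256', 'ES256'],
+'issuers' => ['https://www.example.com'],
+'audience' => 'audience',
+'keyset' => $jwkset,
+'encryption' => [
+'enabled' => true,
+'keyset' => $jwkset,
+'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+],
+],
+],
+];
+
+$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+$finalizedConfig = $this->processConfig($config, $factory);
+
+$factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+$this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+$this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+}
+
+public function testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset()
+{
+$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+$config = [
+'token_handler' => [
+'oidc' => [
+'algorithms' => ['RS256', 'ES256'],
+'issuers' => ['https://www.example.com'],
+'audience' => 'audience',
+'keyset' => $jwkset,
+'encryption' => [
+'enabled' => true,
+'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+],
+],
+],
+];
+
+$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+$this->expectException(InvalidConfigurationException::class);
+$this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc.encryption" must be configured: JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).');
+
+$this->processConfig($config, $factory);
+}
+
+public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithm()
+{
+$jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+$config = [
+'token_handler' => [
+'oidc' => [
+'algorithms' => ['RS256', 'ES256'],
+'issuers' => ['https://www.example.com'],
+'audience' => 'audience',
+'keyset' => $jwkset,
+'encryption' => [
+'enabled' => true,
+'keyset' => $jwkset,
+'algorithms' => [],
+],
+],
+],
+];
+
+$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+$this->expectException(InvalidConfigurationException::class);
+$this->expectExceptionMessage('The path "access_token.token_handler.oidc.encryption.algorithms" should have at least 1 element(s) defined.');
+
+$this->processConfig($config, $factory);
+}
+
 public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
 {
 $container = new ContainerBuilder();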
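Review bot: The fixtures in `testOidcTokenHandlerConfigurationWithEncryption` and `testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset` pair an EC P-256 JWKSet with the RSA key-management algorithms `RSA-OAEP` and `RSA1_5`, a combination that cannot decrypt a real JWE; the tests only drive configuration processing so they pass, but the example reads as a supported setup. Use a matching pair, e.g. `'algorithms' => ['ECDH-ES', 'ECDH-ES+A256KW']` for these EC keys (or an RSA key with `RSA-OAEP-256`), and drop `RSA1_5` — PKCS#1 v1.5 key transport is exposed to Bleichenbacher-style padding-oracle attacks and a shipped test should not advertise it. The same private keyset (every key carries a `d` member) is also reused as the signature `keyset`, while the message asserted in the first hunk says that keyset 'must contain a list of valid public keys'; a public-only copy of the set for the signature fixture would keep the test consistent with the message it checks. `testOidcUserInfoTokenHandlerConfigurationWithExistingClient` continues past the end of the hunk.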
