symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
Lines changed: 35 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
Lines changed: 35 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
Lines changed: 53 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
Lines changed: 53 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php
Lines changed: 108 additions & 27 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php
Lines changed: 108 additions & 27 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AccessToken/config_oidc.yml
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AccessToken/config_oidc.yml
Lines changed: 4 additions & 0 deletions
@@ -41,6 +41,22 @@ public function create(ContainerBuilder $container, string $id, array|string $co
         $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
             ->replaceArgument(0, $config['keyset'])
         );
+
+        if ($config['encryption']['enabled'] === true) {
+            $algorithmManager = (new ChildDefinition('security.access_token_handler.oidc.encryption'))
+            ->replaceArgument(0, $config['encryption']['algorithms']);
+            $keyset = (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
+            ->replaceArgument(0, $config['encryption']['keyset']);
+
+            $tokenHandlerDefinition->addMethodCall(
+                'enabledJweSupport',
+                [
+                    $keyset,
+                    $algorithmManager,
+                    $config['encryption']['enforce']
+                ]
+            );
+        }
     }
 
     public function getKey(): string
@@ -112,9 +128,27 @@ public function addConfiguration(NodeBuilder $node): void
                         ->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.')
                     ->end()
                     ->scalarNode('keyset')
-                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).')
+                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
                         ->isRequired()
                     ->end()
+                    ->arrayNode('encryption')
+                        ->canBeEnabled()
+                        ->children()
+                            ->booleanNode('enforce')
+                                ->info('When enabled, the token shall be encrypted.')
+                                ->defaultFalse()
+                            ->end()
+                            ->arrayNode('algorithms')
+                                ->info('Algorithms used to decrypt the token.')
+                                ->isRequired()
+                                ->scalarPrototype()->end()
+                            ->end()
+                            ->scalarNode('keyset')
+                                ->info('JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).')
+                                ->isRequired()
+                            ->end()
+                        ->end()
+                    ->end()
                 ->end()
             ->end()
         ;
 
@@ -15,6 +15,15 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192CBCHS384;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSS;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
@@ -135,5 +144,49 @@
 
         ->set('security.access_token_handler.oidc.signature.PS512', PS512::class)
             ->tag('security.access_token_handler.oidc.signature_algorithm')
+
+
+
+        // Encryption
+        // Note that - all xxxKW algorithms are not defined as an extra dependency is required
+        //           - The RSA_1.5 is missing as deprecated
+        ->set('security.access_token_handler.oidc.encryption_algorithm_manager_factory', AlgorithmManagerFactory::class)
+            ->args([
+                tagged_iterator('security.access_token_handler.oidc.encryption_algorithm'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption', AlgorithmManager::class)
+            ->abstract()
+            ->factory([service('security.access_token_handler.oidc.encryption_algorithm_manager_factory'), 'create'])
+            ->args([
+                abstract_arg('encryption algorithms'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption.RSAOAEP', RSAOAEP::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHES', ECDHES::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHSS', ECDHSS::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128CBCHS256', A128CBCHS256::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192CBCHS384', A192CBCHS384::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256CBCHS512', A256CBCHS512::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128GCM', A128GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192GCM', A192GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256GCM', A256GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
     ;
 };
@@ -13,9 +13,13 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
+use Jose\Component\Encryption\JWEBuilder;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\JWSBuilder;
-use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Component\Signature\Serializer\CompactSerializer as JwsCompactSerializer;
+use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\HttpClient\MockHttpClient;
 use Symfony\Component\HttpClient\Response\MockResponse;
@@ -349,34 +353,10 @@ public function testCustomUserLoader()
 
     /**
      * @requires extension openssl
+     * @dataProvider validAccessTokens
      */
-    public function testOidcSuccess()
+    public function testOidcSuccess(string $token)
     {
-        $time = time();
-        $claims = [
-            'iat' => $time,
-            'nbf' => $time,
-            'exp' => $time + 3600,
-            'iss' => 'https://www.example.com',
-            'aud' => 'Symfony OIDC',
-            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
-            'username' => 'dunglas',
-        ];
-        $token = (new CompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([
-            new ES256(),
-        ])))->create()
-            ->withPayload(json_encode($claims))
-            // tip: use https://mkjwk.org/ to generate a JWK
-            ->addSignature(new JWK([
-                'kty' => 'EC',
-                'crv' => 'P-256',
-                '
F987
x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4',
-                'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo',
-                'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
-            ]), ['alg' => 'ES256'])
-            ->build()
-        );
-
         $client = $this->createClient(['test_case' => 'AccessToken', 'root_config' => 'config_oidc.yml']);
         $client->request('GET', '/foo', [], [], ['HTTP_AUTHORIZATION' => \sprintf('Bearer %s', $token)]);
         $response = $client->getResponse();
@@ -386,6 +366,21 @@ public function testOidcSuccess()
         $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
     }
 
+    /**
+     * @requires extension openssl
+     * @dataProvider invalidAccessTokens
+     */
+    public function testOidcFailure(string $token)
+    {
+        $client = $this->createClient(['test_case' => 'AccessToken', 'root_config' => 'config_oidc.yml']);
+        $client->request('GET', '/foo', [], [], ['HTTP_AUTHORIZATION' => \sprintf('Bearer %s', $token)]);
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(Response::class, $response);
+        $this->assertSame(401, $response->getStatusCode());
+        $this->assertSame('Bearer realm="My API",error="invalid_token",error_description="Invalid credentials."', $response->headers->get('WWW-Authenticate'));
+    }
+
     public function testCasSuccess()
     {
         $casResponse = new MockResponse(<<<BODY
@@ -408,4 +403,90 @@ public function testCasSuccess()
         $this->assertSame(200, $response->getStatusCode());
         $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
     }
+
+    public function validAccessTokens(): array
+    {
+        $time = time();
+        $claims = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => 'Symfony OIDC',
+            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
+            'username' => 'dunglas',
+        ];
+        $jws = $this->createJws($claims);
+        $jwe = $this->createJwe($jws);
+
+        return [
+            [$jws],
+            [$jwe],
+        ];
+    }
+
+    public function invalidAccessTokens(): array
+    {
+        $time = time();
+        $claims = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => 'Symfony OIDC',
+            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
+            'username' => 'dunglas',
+        ];
+
+        return [
+            [$this->createJws([...$claims, 'aud' => 'Invalid Audience'])],
+            [$this->createJws([...$claims, 'iss' => 'Invalid Issuer'])],
+            [$this->createJws([...$claims, 'exp' => $time - 3600])],
+            [$this->createJws([...$claims, 'nbf' => $time + 3600])],
+            [$this->createJws([...$claims, 'iat' => $time + 3600])],
+            [$this->createJws([...$claims, 'username' => 'Invalid Username'])],
+            [$this->createJwe($this->createJws($claims), ['exp' => $time - 3600])],
+            [$this->createJwe($this->createJws($claims), ['cty' => 'x-specific'])],
+        ];
+    }
+
+    private function createJws(array $claims, array $header = []): string
+    {
+        return (new JwsCompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([
+            new ES256(),
+        ])))->create()
+            ->withPayload(json_encode($claims))
+            // tip: use https://mkjwk.org/ to generate a JWK
+            ->addSignature(new JWK([
+                'kty' => 'EC',
+                'crv' => 'P-256',
+                'x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4',
+                'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo',
+                'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
+            ]), [...$header, 'alg' => 'ES256'])
+            ->build()
+        );
+    }
+
+    private function createJwe(string $input, array $header = []): string
+    {
+        $jwk = new JWK([
+            'kty' => 'EC',
+            'use' => 'enc',
+            'crv' => 'P-256',
+            'kid' => 'enc-1720876375',
+            'x' => '4P27-OB2s5ZP3Zt5ExxQ9uFrgnGaMK6wT1oqd5bJozQ',
+            'y' => 'CNh-ZbKJBvz6hJ8JOulXclACP2OuoO2PtqT6WC8tLcU',
+        ]);
+        return (new JweCompactSerializer())->serialize(
+            (new JWEBuilder(new AlgorithmManager([
+                new ECDHES(), new A128GCM(),
+            ])))->create()
+                ->withPayload($input)
+                ->withSharedProtectedHeader(['alg' => 'ECDH-ES', 'enc' => 'A128GCM', ...$header])
+                // tip: use https://mkjwk.org/ to generate a JWK
+                ->addRecipient($jwk)
+                ->build()
+        );
+    }
 }
@@ -27,6 +27,10 @@ security:
                         algorithm: 'ES256'
                         # tip: use https://mkjwk.org/ to generate a JWK
                         keyset: '{"keys":[{"kty":"EC","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo"}]}'
+                        encryption:
+                            enabled: true
+                            algorithms: ['ECDH-ES', 'A128GCM']
+                            keyset: '{"keys": [{"kty": "EC","d": "YG0HnRsaYv2cUj7TpgHcRX1poL9l4cskIuOi1gXv0Dg","use": "enc","crv": "P-256","kid": "enc-1720876375","x": "4P27-OB2s5ZP3Zt5ExxQ9uFrgnGaMK6wT1oqd5bJozQ","y": "CNh-ZbKJBvz6hJ8JOulXclACP2OuoO2PtqT6WC8tLcU","alg": "ECDH-ES"}]}'
                 token_extractors: 'header'
                 realm: 'My API'