symfony
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
+1 b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
+1
diff --git a/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+1 b/‎src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+1
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+36-1 b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+36-1
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+53 b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_access_token.php
+53
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
+83-1 b/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
+83-1
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php
+108-27 b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/AccessTokenTest.php
+108-27
@@ -82,6 +82,7 @@ class UnusedTagsPass implements CompilerPassInterface
         'routing.route_loader',
         'scheduler.schedule_provider',
         'scheduler.task',
+        'security.access_token_handler.oidc.encryption_algorithm',
         'security.access_token_handler.oidc.signature_algorithm',
         'security.authenticator.login_linker',
         'security.expression_language_provider',
 
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Allow configuring the secret used to sign login links
+ * Add encryption support to `OidcTokenHandler` (JWE)
 
 7.1
 ---
 
@@ -41,6 +41,22 @@ public function create(ContainerBuilder $container, string $id, array|string $co
         $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
             ->replaceArgument(0, $config['keyset'])
         );
+
+        if ($config['encryption']['enabled'] === true) {
+            $algorithmManager = (new ChildDefinition('security.access_token_handler.oidc.encryption'))
+            ->replaceArgument(0, $config['encryption']['algorithms']);
+            $keyset = (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
+            ->replaceArgument(0, $config['encryption']['keyset']);
+
+            $tokenHandlerDefinition->addMethodCall(
+                'enabledJweSupport',
+                [
+                    $keyset,
+                    $algorithmManager,
+                    $config['encryption']['enforce']
+                ]
+            );
+        }
     }
 
     public function getKey(): string
@@ -112,9 +128,28 @@ public function addConfiguration(NodeBuilder $node): void
                         ->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.')
                     ->end()
                     ->scalarNode('keyset')
-                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).')
+                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
                         ->isRequired()
                     ->end()
+                    ->arrayNode('encryption')
+                        ->canBeEnabled()
+                        ->children()
+                            ->booleanNode('enforce')
+                                ->info('When enabled, the token shall be encrypted.')
+                                ->defaultFalse()
+                            ->end()
+                            ->arrayNode('algorithms')
+                                ->info('Algorithms used to decrypt the token.')
+                                ->isRequired()
+                                ->requiresAtLeastOneElement()
+                                ->scalarPrototype()->end()
+                            ->end()
+                            ->scalarNode('keyset')
+                                ->info('JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).')
+                                ->isRequired()
+                            ->end()
+                        ->end()
+                    ->end()
                 ->end()
             ->end()
         ;
 
@@ -15,6 +15,15 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192CBCHS384;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSS;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
@@ -135,5 +144,49 @@
 
         ->set('security.access_token_handler.oidc.signature.PS512', PS512::class)
             ->tag('security.access_token_handler.oidc.signature_algorithm')
+
+
+
+        // Encryption
+        // Note that - all xxxKW algorithms are not defined as an extra dependency is required
+        //           - The RSA_1.5 is missing as deprecated
+        ->set('security.access_token_handler.oidc.encryption_algorithm_manager_factory', AlgorithmManagerFactory::class)
+            ->args([
+                tagged_iterator('security.access_token_handler.oidc.encryption_algorithm'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption', AlgorithmManager::class)
+            ->abstract()
+            ->factory([service('security.access_token_handler.oidc.encryption_algorithm_manager_factory'), 'create'])
+            ->args([
+                abstract_arg('encryption algorithms'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption.RSAOAEP', RSAOAEP::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHES', ECDHES::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHSS', ECDHSS::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128CBCHS256', A128CBCHS256::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192CBCHS384', A192CBCHS384::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256CBCHS512', A256CBCHS512::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128GCM', A128GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192GCM', A192GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256GCM', A256GCM::class)
+        ->tag('security.access_token_handler.oidc.encryption_algorithm')
     ;
 };
@@ -113,7 +113,7 @@ public function testInvalidOidcTokenHandlerConfigurationKeyMissing()
         $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
 
         $this->expectException(InvalidConfigurationException::class);
-        $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).');
+        $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).');
 
         $this->processConfig($config, $factory);
     }
@@ -257,6 +257,88 @@ public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms()
         $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
     }
 
+    public function testOidcTokenHandlerConfigurationWithEncryption()
+    {
+        $container = new ContainerBuilder();
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'keyset' => $jwkset,
+                        'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+    }
+
+    public function testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset()
+    {
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc.encryption" must be configured: JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).');
+
+        $this->processConfig($config, $factory);
+    }
+
+    public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithm()
+    {
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'keyset' => $jwkset,
+                        'algorithms' => [],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The path "access_token.token_handler.oidc.encryption.algorithms" should have at least 1 element(s) defined.');
+
+        $this->processConfig($config, $factory);
+    }
+
     public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
     {
         $container = new ContainerBuilder();
 
@@ -13,9 +13,13 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
+use Jose\Component\Encryption\JWEBuilder;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\JWSBuilder;
-use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Component\Signature\Serializer\CompactSerializer as JwsCompactSerializer;
+use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
 use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
 use Symfony\Component\HttpClient\MockHttpClient;
 use Symfony\Component\HttpClient\Response\MockResponse;
@@ -349,34 +353,10 @@ public function testCustomUserLoader()
 
     /**
      * @requires extension openssl
+     * @dataProvider validAccessTokens
      */
-    public function testOidcSuccess()
+    public function testOidcSuccess(string $token)
     {
-        $time = time();
-        $claims = [
-            'iat' => $time,
-            'nbf' => $time,
-            'exp' => $time + 3600,
-            'iss' => 'https://www.example.com',
-            'aud' => 'Symfony OIDC',
-            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
-            'username' => 'dunglas',
-        ];
-        $token = (new CompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([
-            new ES256(),
-        ])))->create()
-            ->withPayload(json_encode($claims))
-            // tip: use https://mkjwk.org/ to generate a JWK
-            ->addSignature(new JWK([
-                'kty' => 'EC',
-                'crv' => 'P-256',
-                'x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4',
-                'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo',
-                'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
-            ]), ['alg' => 'ES256'])
-            ->build()
-        );
-
         $client = $this->createClient(['test_case' => 'AccessToken', 'root_config' => 'config_oidc.yml']);
         $client->request('GET', '/foo', [], [], ['HTTP_AUTHORIZATION' => \sprintf('Bearer %s', $token)]);
         $response = $client->getResponse();
@@ -386,6 +366,21 @@ public function testOidcSuccess()
         $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
     }
 
+    /**
+     * @requires extension openssl
+     * @dataProvider invalidAccessTokens
+     */
+    public function testOidcFailure(string $token)
+    {
+        $client = $this->createClient(['test_case' => 'AccessToken', 'root_config' => 'config_oidc.yml']);
+        $client->request('GET', '/foo', [], [], ['HTTP_AUTHORIZATION' => \sprintf('Bearer %s', $token)]);
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(Response::class, $response);
+        $this->assertSame(401, $response->getStatusCode());
+        $this->assertSame('Bearer realm="My API",error="invalid_token",error_description="Invalid credentials."', $response->headers->get('WWW-Authenticate'));
+    }
+
     public function testCasSuccess()
     {
         $casResponse = new MockResponse(<<<BODY
@@ -408,4 +403,90 @@ public function testCasSuccess()
         $this->assertSame(200, $response->getStatusCode());
         $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
     }
+
+    public function validAccessTokens(): array
+    {
+        $time = time();
+        $claims = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => 'Symfony OIDC',
+            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
+            'username' => 'dunglas',
+        ];
+        $jws = $this->createJws($claims);
+        $jwe = $this->createJwe($jws);
+
+        return [
+            [$jws],
+            [$jwe],
+        ];
+    }
+
+    public function invalidAccessTokens(): array
+    {
+        $time = time();
+        $claims = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => 'Symfony OIDC',
+            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
+            'username' => 'dunglas',
+        ];
+
+        return [
+            [$this->createJws([...$claims, 'aud' => 'Invalid Audience'])],
+            [$this->createJws([...$claims, 'iss' => 'Invalid Issuer'])],
+            [$this->createJws([...$claims, 'exp' => $time - 3600])],
+            [$this->createJws([...$claims, 'nbf' => $time + 3600])],
+            [$this->createJws([...$claims, 'iat' => $time + 3600])],
+            [$this->createJws([...$claims, 'username' => 'Invalid Username'])],
+            [$this->createJwe($this->createJws($claims), ['exp' => $time - 3600])],
+            [$this->createJwe($this->createJws($claims), ['cty' => 'x-specific'])],
+        ];
+    }
+
+    private function createJws(array $claims, array $header = []): string
+    {
+        return (new JwsCompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([
+            new ES256(),
+        ])))->create()
+            ->withPayload(json_encode($claims))
+            // tip: use https://mkjwk.org/ to generate a JWK
+            ->addSignature(new JWK([
+                'kty' => 'EC',
+                'crv' => 'P-256',
+                'x' => '0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4',
+                'y' => 'KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo',
+                'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
+            ]), [...$header, 'alg' => 'ES256'])
+            ->build()
+        );
+    }
+
+    private function createJwe(string $input, array $header = []): string
+    {
+        $jwk = new JWK([
+            'kty' => 'EC',
+            'use' => 'enc',
+            'crv' => 'P-256',
+            'kid' => 'enc-1720876375',
+            'x' => '4P27-OB2s5ZP3Zt5ExxQ9uFrgnGaMK6wT1oqd5bJozQ',
+            'y' => 'CNh-ZbKJBvz6hJ8JOulXclACP2OuoO2PtqT6WC8tLcU',
+        ]);
+        return (new JweCompactSerializer())->serialize(
+            (new JWEBuilder(new AlgorithmManager([
+                new ECDHES(), new A128GCM(),
+            ])))->create()
+                ->withPayload($input)
+                ->withSharedProtectedHeader(['alg' => 'ECDH-ES', 'enc' => 'A128GCM', ...$header])
+                // tip: use https://mkjwk.org/ to generate a JWK
+                ->addRecipient($jwk)
+                ->build()
+        );
+    }
 }