symfony · fabpot · Jan 17, 2025 · Jan 5, 2025
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
@@ -85,6 +85,7 @@ class UnusedTagsPass implements CompilerPassInterface
         'routing.route_loader',
         'scheduler.schedule_provider',
         'scheduler.task',
+        'security.access_token_handler.oidc.encryption_algorithm',
         'security.access_token_handler.oidc.signature_algorithm',
         'security.authenticator.login_linker',
         'security.expression_language_provider',

@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
+ * Add encryption support to `OidcTokenHandler` (JWE)
 
 7.2
 ---

@@ -41,6 +41,22 @@ public function create(ContainerBuilder $container, string $id, array|string $co
         $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
             ->replaceArgument(0, $config['keyset'])
         );
+
+        if ($config['encryption']['enabled']) {
+            $algorithmManager = (new ChildDefinition('security.access_token_handler.oidc.encryption'))
+                ->replaceArgument(0, $config['encryption']['algorithms']);
+            $keyset = (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
+                ->replaceArgument(0, $config['encryption']['keyset']);
+
+            $tokenHandlerDefinition->addMethodCall(
+                'enabledJweSupport',
+                [
+                    $keyset,
+                    $algorithmManager,
+                    $config['encryption']['enforce'],
+                ]
+            );
+        }
     }
 
     public function getKey(): string
@@ -112,9 +128,28 @@ public function addConfiguration(NodeBuilder $node): void
                         ->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.')
                     ->end()
                     ->scalarNode('keyset')
-                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).')
+                        ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
                         ->isRequired()
                     ->end()
+                    ->arrayNode('encryption')
+                        ->canBeEnabled()
+                        ->children()
+                            ->booleanNode('enforce')
+                                ->info('When enabled, the token shall be encrypted.')
+                                ->defaultFalse()
+                            ->end()
+                            ->arrayNode('algorithms')
+                                ->info('Algorithms used to decrypt the token.')
+                                ->isRequired()
+                                ->requiresAtLeastOneElement()
+                                ->scalarPrototype()->end()
+                            ->end()
+                            ->scalarNode('keyset')
+                                ->info('JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).')
+                                ->isRequired()
+                            ->end()
+                        ->end()
+                    ->end()
                 ->end()
             ->end()
         ;

@@ -338,13 +338,29 @@
         <xsd:choice maxOccurs="unbounded">
             <xsd:element name="issuers" type="oidc_issuers" minOccurs="0" maxOccurs="1" />
             <xsd:element name="issuer" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="encryption" type="oidc_encryption" />
         </xsd:choice>
         <xsd:attribute name="claim" type="xsd:string" />
         <xsd:attribute name="audience" type="xsd:string" use="required" />
         <xsd:attribute name="algorithm" type="xsd:string" use="required" />
         <xsd:attribute name="key" type="xsd:string" use="required" />
     </xsd:complexType>
 
+    <xsd:complexType name="oidc_encryption">
+        <xsd:choice maxOccurs="unbounded">
+            <xsd:element name="algorithms" type="oidc_encryption_algorithms" minOccurs="1" maxOccurs="1" />
+        </xsd:choice>
+        <xsd:attribute name="enabled" type="xsd:boolean" />
+        <xsd:attribute name="enforce" type="xsd:boolean" />
+        <xsd:attribute name="keyset" type="xsd:string" use="required" />
+    </xsd:complexType>
+
+    <xsd:complexType name="oidc_encryption_algorithms">
+        <xsd:sequence>
+            <xsd:element name="algorithm" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
+        </xsd:sequence>
+    </xsd:complexType>
+
     <xsd:complexType name="oidc_issuers">
         <xsd:sequence>
             <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />

@@ -15,6 +15,15 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128CBCHS256;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192CBCHS384;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A192GCM;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
+use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHES;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHSS;
+use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\Algorithm\ES384;
 use Jose\Component\Signature\Algorithm\ES512;
@@ -135,5 +144,47 @@
 
         ->set('security.access_token_handler.oidc.signature.PS512', PS512::class)
             ->tag('security.access_token_handler.oidc.signature_algorithm')
+
+        // Encryption
+        // Note that - all xxxKW algorithms are not defined as an extra dependency is required
+        //           - The RSA_1.5 is missing as deprecated
+        ->set('security.access_token_handler.oidc.encryption_algorithm_manager_factory', AlgorithmManagerFactory::class)
+            ->args([
+                tagged_iterator('security.access_token_handler.oidc.encryption_algorithm'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption', AlgorithmManager::class)
+            ->abstract()
+            ->factory([service('security.access_token_handler.oidc.encryption_algorithm_manager_factory'), 'create'])
+            ->args([
+                abstract_arg('encryption algorithms'),
+            ])
+
+        ->set('security.access_token_handler.oidc.encryption.RSAOAEP', RSAOAEP::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHES', ECDHES::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.ECDHSS', ECDHSS::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128CBCHS256', A128CBCHS256::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192CBCHS384', A192CBCHS384::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256CBCHS512', A256CBCHS512::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A128GCM', A128GCM::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A192GCM', A192GCM::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
+
+        ->set('security.access_token_handler.oidc.encryption.A256GCM', A256GCM::class)
+            ->tag('security.access_token_handler.oidc.encryption_algorithm')
     ;
 };
@@ -113,7 +113,7 @@ public function testInvalidOidcTokenHandlerConfigurationKeyMissing()
         $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
 
         $this->expectException(InvalidConfigurationException::class);
-        $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid keys).');
+        $this->expectExceptionMessage('The child config "keyset" under "access_token.token_handler.oidc" must be configured: JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).');
 
         $this->processConfig($config, $factory);
     }
@@ -257,6 +257,88 @@ public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms()
         $this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
     }
 
+    public function testOidcTokenHandlerConfigurationWithEncryption()
+    {
+        $container = new ContainerBuilder();
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'keyset' => $jwkset,
+                        'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+    }
+
+    public function testInvalidOidcTokenHandlerConfigurationMissingEncryptionKeyset()
+    {
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'algorithms' => ['RSA-OAEP', 'RSA1_5'],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The
98AB
 child config "keyset" under "access_token.token_handler.oidc.encryption" must be configured: JSON-encoded JWKSet used to decrypt the token (must contain a list of valid private keys).');
+
+        $this->processConfig($config, $factory);
+    }
+
+    public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithm()
+    {
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                    'encryption' => [
+                        'enabled' => true,
+                        'keyset' => $jwkset,
+                        'algorithms' => [],
+                    ],
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('The path "access_token.token_handler.oidc.encryption.algorithms" should have at least 1 element(s) defined.');
+
+        $this->processConfig($config, $factory);
+    }
+
     public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
     {
         $container = new ContainerBuilder();
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ CHANGELOG @@
     ---
      * Add `Security::isGrantedForUser()` to test user authorization without relying on the session. For example, users not currently logged in, or while processing a message from a message queue
+     * Add encryption support to `OidcTokenHandler` (JWE)
 .2
     ---
@@ Expand Down @@