[Security] Add OidcUserInfoTokenHandler and OidcUser #48272

Merged: 1 commit into symfony:6.3 on Apr 14, 2023

Conversation

vincentchalamon
Contributor

@vincentchalamon vincentchalamon commented Nov 21, 2022

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | N/A
| License       | MIT
| Doc PR        | symfony/symfony-docs#17463

Hi,

This PR aims to complete the previous one from @Spomky with an AccessTokenHandler ready-to-use with an OIDC server (Keycloak, Auth0).

TODO

Usage

```yaml
# usage with a custom client
security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oidc_user_info:
                        client: oidc.client
```

```yaml
# usage with generic HttpClient
security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oidc_user_info:
                        claim: email
                        client:
                            base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
```

```yaml
# usage with token decode (no call to OIDC server)
security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oidc:
                        signature:
                            # Algorithm used to sign the JWS
                            algorithm: 'HS256'
                            # A JSON-encoded JWK
                            key: '{"kty":"...","k":"..."}'
```

```php
// usage with a custom UserProvider
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class CustomUserProvider implements UserProviderInterface
{
    public function loadUserByIdentifier(string $identifier, array $claims = []): UserInterface
    {
        // do some magic
    }
}
```
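The third configuration above decodes the token locally instead of calling the OIDC server. The following plain-PHP sketch is an added example, not code from this PR or from Symfony's own handler; it shows what such a handler must get right when the signature is checked with a JWK: the algorithm is pinned from configuration rather than read from the token header, the MAC is compared in constant time, `exp`/`nbf` are enforced, and the configured `claim` (here `email`) must be present before it becomes the user identifier. The JWK and the token are constructed inline.

```php
<?php
// Added example (not PR or Symfony code): verify a compact HS256 JWS as the `oidc`
// handler config above implies: alg pinned from config, key from a JSON JWK. Constructed data.

function b64urlDecode(string $s): string
{
    $s = strtr($s, '-_', '+/');
    $out = base64_decode($s . str_repeat('=', (4 - strlen($s) % 4) % 4), true);
    if ($out === false) { throw new InvalidArgumentException('bad base64url'); }
    return $out;
}

function b64urlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the verified claims or throws. The alg is taken from $algorithm, never
// from the token header, so a header announcing "none" or another alg is rejected.
function verifyOidcToken(string $token, string $algorithm, string $jwkJson, string $claim): array
{
    if ($algorithm !== 'HS256') { throw new InvalidArgumentException('example handles HS256 only'); }
    $jwk = json_decode($jwkJson, true, 512, JSON_THROW_ON_ERROR);
    if (($jwk['kty'] ?? null) !== 'oct' || !isset($jwk['k'])) {
        throw new InvalidArgumentException('JWK must be a symmetric (oct) key with "k"');
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) { throw new InvalidArgumentException('not a compact JWS'); }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true, 512, JSON_THROW_ON_ERROR);
    if (($header['alg'] ?? null) !== $algorithm) { throw new InvalidArgumentException('alg mismatch'); }
    $mac = hash_hmac('sha256', "$h.$p", b64urlDecode($jwk['k']), true);
    if (!hash_equals($mac, b64urlDecode($s))) { throw new InvalidArgumentException('bad signature'); }
    $claims = json_decode(b64urlDecode($p), true, 512, JSON_THROW_ON_ERROR);
    $now = time();
    if (isset($claims['exp']) && $now >= $claims['exp']) { throw new InvalidArgumentException('expired'); }
    if (isset($claims['nbf']) && $now < $claims['nbf']) { throw new InvalidArgumentException('not yet valid'); }
    if (!is_string($claims[$claim] ?? null) || '' === $claims[$claim]) {
        throw new InvalidArgumentException("missing user identifier claim \"$claim\"");
    }
    return $claims;
}

// Constructed demo: mint a token with a fresh key, then verify it with the
// same settings the `oidc` YAML above would carry (algorithm + JWK + claim).
$jwkJson = json_encode(['kty' => 'oct', 'k' => b64urlEncode(random_bytes(32))]);
$k = b64urlDecode(json_decode($jwkJson, true)['k']);
$h = b64urlEncode('{"alg":"HS256","typ":"JWT"}');
$p = b64urlEncode(json_encode(['sub' => 'user-1', 'email' => 'alice@example.com', 'exp' => time() + 300]));
$token = "$h.$p." . b64urlEncode(hash_hmac('sha256', "$h.$p", $k, true));
echo verifyOidcToken($token, 'HS256', $jwkJson, 'email')['email'], "\n";
```

Tampering with the payload, swapping the header `alg`, or presenting an expired token all end in an exception before any claim is read.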

@wouterj
Member

wouterj commented Nov 21, 2022

> As the previous PR was merged in 6.2, I hope this one can be released with it. Otherwise, 6.3 will be good too 😃

Feature freeze started 1.5 months ago, so this will be part of 6.3 :)

@wouterj wouterj modified the milestones: 6.2, 6.3 Nov 21, 2022
@vincentchalamon
Contributor Author

Hi @wouterj, is there any 6.3, master or main branch for it?

@wouterj
Member

wouterj commented Nov 21, 2022

No, for now the focus is on stabilizing Symfony 6.2 before the release. A 6.3 branch will be created once we're in RC phase for 6.2.

Contributor

@Spomky Spomky left a comment

👏 Bravo: Excellent idea!
🥜 Nitpick: It is a good start. I just have a couple of remarks.

@chalasr
Member

chalasr commented Nov 23, 2022

#48285 should make the overall design fit best here and avoid the need for an event.
Regarding the TODO item `Find a way to configure and inject the oidcClient in the handler`, I have something in mind that I'll push asap.

@vincentchalamon vincentchalamon changed the title [Security] Add OidcAccessTokenHandler [Security] Add OidcUserInfoTokenHandler Nov 24, 2022
@vincentchalamon vincentchalamon force-pushed the feat/oidc-access-token-handler branch 2 times, most recently from e7644e7 to e1caab1 November 24, 2022 17:36
@vincentchalamon vincentchalamon requested review from chalasr and removed request for wouterj November 24, 2022 17:36
@vincentchalamon vincentchalamon requested review from dunglas and Spomky and removed request for chalasr and dunglas November 24, 2022 17:36
@fabpot
Member

fabpot commented Apr 14, 2023

Thank you @vincentchalamon.

@fabpot fabpot force-pushed the feat/oidc-access-token-handler branch from d34f877 to 99a35f0 April 14, 2023 07:39
@fabpot fabpot merged commit 1c79c79 into symfony:6.3 Apr 14, 2023
@vincentchalamon vincentchalamon deleted the feat/oidc-access-token-handler branch April 14, 2023 07:40
javiereguiluz added a commit to symfony/symfony-docs that referenced this pull request May 10, 2023
…r_info` (vincentchalamon)

This PR was squashed before being merged into the 6.3 branch.

Discussion
----------

[Security] Document `access_token.token_handler.oidc_user_info`

Refs symfony/symfony#48272

- [x] document `oidc_user_info` token handler
- [x] document `oidc` token handler

Commits
-------

5b53159 [Security] Document `access_token.token_handler.oidc_user_info`
@cesurapp cesurapp mentioned this pull request May 31, 2023
Spomky added a commit to Spomky/symfony that referenced this pull request Jul 13, 2024
In addition to the excellent work of @vincentchalamon symfony#48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:

* If the access token is active
* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.
fabpot added a commit that referenced this pull request Feb 26, 2025
…omky)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security] OAuth2 Introspection Endpoint (RFC7662)

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | none
| License       | MIT
| Doc PR        | symfony/symfony-docs#[**TODO**]

In addition to the excellent work of `@vincentchalamon` #48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:

* If the access token is active
* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.

Example of configuration:

```yaml
framework:
    http_client:
        scoped_clients:
            oauth2.client:
                base_uri: 'https://authorization-server.example.com/introspection'
                scope: 'https://authorization-server\.example\.com'
                headers:
                    Authorization: 'Basic Y2xpZW50OnBhc3N3b3Jk' # Introspection Endpoint usually requires client authentication

security:
    firewalls:
        main:
            pattern: ^/
            access_token:
                token_handler:
                    oauth2: ~
                token_extractors: 'header'
                realm: 'My API'
```

Commits
-------

e68726f [Security] OAuth2 Introspection Endpoint (RFC7662)
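The introspection response described above carries one member that decides everything else: `active`. The helper below is an added example, not the `oauth2` handler's code from this commit, showing how a handler should read such a response: when `active` is not exactly boolean `true`, no other member is consulted, an `exp`/`nbf` that contradicts the server is still honoured, and the configured claim (`sub` by default, `username` as the commit message also mentions) must be a non-empty string before it is used as the user identifier. The three responses are constructed for the demo.

```php
<?php
// Added example (not Symfony code): decide whether an RFC 7662 introspection
// response identifies a user. Responses below are constructed.

function userIdentifierFromIntrospection(array $response, string $claim = 'sub'): ?string
{
    // "active" is the only REQUIRED member. Anything other than boolean true
    // (false, missing, or the string "true") means: trust nothing else here.
    if (($response['active'] ?? null) !== true) {
        return null;
    }
    $now = time();
    if (isset($response['exp']) && $now >= $response['exp']) {
        return null; // server said active, but the token is already past its expiry
    }
    if (isset($response['nbf']) && $now < $response['nbf']) {
        return null;
    }
    $id = $response[$claim] ?? null;
    return (is_string($id) && $id !== '') ? $id : null;
}

// Constructed responses in the shape an introspection endpoint returns.
$cases = [
    'active with sub'      => ['active' => true, 'sub' => 'user-1', 'exp' => time() + 60],
    'revoked but with sub' => ['active' => false, 'sub' => 'user-1'],
    'active as a string'   => ['active' => 'true', 'username' => 'jdoe'],
    'active, username'     => ['active' => true, 'username' => 'jdoe'],
];
foreach ($cases as $label => $response) {
    $claim = isset($response['username']) ? 'username' : 'sub';
    printf("%-22s -> %s\n", $label, userIdentifierFromIntrospection($response, $claim) ?? 'reject');
}
```

Only the first and last cases yield an identifier; a revoked token that still echoes a `sub`, or an `active` value that is not the boolean `true`, is rejected regardless of the claims alongside it.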