Skip to content

[Security][SecurityBundle] OIDC discovery #54932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 1, 2025
Merged

[Security][SecurityBundle] OIDC discovery #54932

merged 1 commit into from
Mar 1, 2025

Conversation

vincentchalamon
Copy link
Contributor

@vincentchalamon vincentchalamon commented May 15, 2024
edited
Loading

This PR introduces OIDC discovery on oidc and oidc_user_info token handlers.

Q A
Branch? 7.2
Bug fix? no
New feature? yes
Deprecations? yes
Issues Fix #50433 Fix #50434
License MIT
Doc PR symfony/symfony-docs#20579

TODO

  • use JWSLoader in OidcTokenHandler
  • introduce OidcUserInfoDiscoveryTokenHandler
  • introduce OidcDiscoveryTokenHandler
  • update src/**/CHANGELOG.md files
  • update UPGRADE-*.md files
  • add tests on AccessTokenFactoryTest with discovery
  • create documentation PR

What is OIDC Discovery?

OIDC discovery is a generic endpoint on the OIDC server, which gives any public information such as signature public keys and endpoints URIs (userinfo, token, etc.). An example is available on the API Platform Demo:
https://demo.api-platform.com/oidc/realms/demo/.well-known/openid-configuration.

Using the OIDC discovery simplifies the oidc security configuration, allowing to just configure the discovery and let Symfony store the configuration and the keyset in cache. For instance, if the userinfo_endpoint or signature keyset change on the OIDC server, no need to update the environment variables in the Symfony application, just clear the corresponding cache and it'll retrieve the configuration and the keyset accordingly on the next request.

In the oidc_user_info security configuration, it does the same logic but only about userinfo_endpoint as this token handler doesn't need the keyset.

How Do I Use This New Feature in Symfony?

The current oidc token handler configuration requires a keyset option which may change on the OIDC server. It is configured as following:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                oidc:
                    claim: 'email'
                    audience: 'symfony'
                    issuers: ['https://example.com/']
                    algorithms: ['RS256']
                    keyset: '{"keys":[{"kty":"EC",...}]}'

Note: those parameters should be configured with environment variables.

With the discovery option, Symfony will retrieve the keyset directly from the OIDC discovery URI and store it in a cache:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                oidc:
                    # 'keyset' option is not necessary anymore as it's retrieved from OIDC discovery and stored in cache
                    claim: 'email'
                    audience: 'symfony'
                    issuers: ['https://example.com/']
                    algorithms: ['RS256']
                    discovery:
                        base_uri: 'https://example.com/oidc/realms/master/'
                        cache:
                            id: cache.app # require to create this cache in framework.yaml

Note: some other parameters might be retrieven from the OIDC discovery, maybe 'algorithm' or 'issuers'. To discuss.

The current oidc_user_info token handler required a base_uri corresponding to the userinfo_endpoint URI on the OIDC server. This URI may change if it's changed on the OIDC server. Introducing the discovery helps to configure it dynamically.

The current configuration looks like the following:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                oidc_user_info:
                    # 'base_uri' is the userinfo_endpoint URI
                    base_uri: 'https://example.com/oidc/realms/master/protocol/openid-connect/userinfo'
                    claim: 'email'

With the discovery, it will look like this:

# config/packages/security.yaml
security:
    firewalls:
        main:
            access_token:
                oidc_user_info:
                    # 'base_uri' can be the userinfo_endpoint for backward compatibility
                    # and can be the OIDC server url in addition of 'discovery' option
                    base_uri: 'https://example.com/oidc/realms/master/'
                    claim: 'email'
                    discovery:
                        cache:
                            id: cache.app # require to create this cache in framework.yaml

@vincentchalamon vincentchalamon requested a review from chalasr as a code owner May 15, 2024 10:00
@carsonbot carsonbot added this to the 7.1 milestone May 15, 2024
@carsonbot
Copy link

Hey!

Thanks for your PR. You are targeting branch "7.1" but it seems your PR description refers to branch "7.2".
Could you update the PR description or change target branch? This helps core maintainers a lot.

Cheers!

Carsonbot

@vincentchalamon
Copy link
Contributor Author

@Spomky You might be interested by this PR

@xabbuh xabbuh modified the milestones: 7.1, 7.2 May 15, 2024
@carsonbot carsonbot changed the title [Security] OIDC discovery [Security][SecurityBundle] OIDC discovery May 15, 2024
@vincentchalamon vincentchalamon force-pushed the feat/oidc-discovery branch 4 times, most recently from 00bf574 to c8c5d7a Compare July 10, 2024 07:08
@Spomky
Copy link
Contributor

Spomky commented Jul 10, 2024

Hi @vincentchalamon,

Please note that I recently released the Web Token suite 4.0 and proposed #57694.
The migration is normally simple, but it impacts the claims/header checking classes of iat, nbf, exp. And may therefore have an impact on this PR (to be confirmed).

@vincentchalamon
Copy link
Contributor Author

Hi @Spomky,

Yep I just saw that and fixed the conflicts on OidcTokenHandler and services declarations.

Do you think it's a good thing to inject a JWSLoader and check the token through it, instead of creating multiple objects (checkers, managers, etc.) and checking the token with ClaimCheckerManager?

@Spomky
Copy link
Contributor

Spomky commented Jul 13, 2024

Do you think it's a good thing to inject a JWSLoader and check the token through it, instead of creating multiple objects (checkers, managers, etc.) and checking the token with ClaimCheckerManager?

I am not sure. To me, the way the tokens are loaded and their content depends on the context of their use i.e. the algorithms, the keys and the verified headers/claims should not be centralized. The JWSLoader service will then only be used by one token handler and have no advantages.

@vincentchalamon vincentchalamon force-pushed the feat/oidc-discovery branch 2 times, most recently from fe1b665 to 8b75d09 Compare July 15, 2024 12:37
@wgorczyca
Copy link

any update about this feature?

@vincentchalamon
Copy link
Contributor Author

any update about this feature?

Still waiting for a review

@chalasr
Copy link
Member

chalasr commented Nov 4, 2024

It is too late for 7.2 but I'd like this PR to make it into the next development phase, so expect some review from me asap.

@vincentchalamon vincentchalamon force-pushed the feat/oidc-discovery branch 2 times, most recently from a5253b4 to 7762b2b Compare November 5, 2024 07:49
@fabpot fabpot removed this from the 7.2 milestone Nov 20, 2024
@fabpot fabpot added this to the 7.3 milestone Nov 20, 2024
@vincentchalamon vincentchalamon mentioned this pull request Dec 5, 2024
Closed
@valtzu valtzu mentioned this pull request Dec 28, 2024
Open
@vincentchalamon vincentchalamon force-pushed the feat/oidc-discovery branch 2 times, most recently from 1060bbe to 434cf63 Compare January 17, 2025 08:56
@vincentchalamon vincentchalamon mentioned this pull request Jan 17, 2025
Open
Spomky
Spomky requested changes Feb 26, 2025
View reviewed changes
Copy link
Contributor

@Spomky Spomky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR looks great. Many thanks.
Please refer to 7.3 instead of 7.2 and it's good to me.

@fabpot
Copy link
Member

fabpot commented Mar 1, 2025

Thank you @vincentchalamon.

@fabpot fabpot merged commit 8b9ed36 into symfony:7.3 Mar 1, 2025
8 of 11 checks passed
@vincentchalamon vincentchalamon deleted the feat/oidc-discovery branch March 1, 2025 18:16
@valtzu valtzu mentioned this pull request Mar 15, 2025
Merged
fabpot added a commit that referenced this pull request Mar 15, 2025
@fabpot
minor #59982 [Security] Fix typos in OIDC methods (valtzu)
c3c37f2 
This PR was merged into the 7.3 branch.

Discussion
----------

[Security] Fix typos in OIDC methods

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | yes
| New feature?  | no
| License       | MIT

Related to recently merged [OIDC discovery](#54932), the DI is configured to call `enableDiscovery` method but it does not exist – but there is `enabledDiscovery`.

Let's drop the extra `d`, and the same for `enabledJweSupport` too.

Commits
-------

3d6cc19 Fix typos in OIDC methods
@fabpot fabpot mentioned this pull request May 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@Spomky Spomky Spomky approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Deprecation Feature Security SecurityBundle Status: Reviewed
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

[Security] Import oidc.signature.key JWK from OIDC server [Security] OIDC Discovery
8 participants
@vincentchalamon @carsonbot @Spomky @wgorczyca @chalasr @fabpot @derrabus @xabbuh