
[Security] Add security:oidc-token:generate command #60660


Open
wants to merge 2 commits into
base: 7.4

Conversation

Jean-Beru
Contributor

@Jean-Beru Jean-Beru commented Jun 3, 2025

Q A
Branch? 7.4
Bug fix? no
New feature? yes (should I create the CHANGELOG-7.4.md file?)
Deprecations? no
Issues
License MIT

The OidcTokenHandler, introduced in Symfony 6.3, allows decoding a JWT token, validating it and retrieving the user info from it.

This pull request introduces a new Symfony command, bin/console security:oidc-token:generate, designed to facilitate the generation of JWTs. It can be useful for generating a token for testing purposes.

Argument and options

Description:
  Generate an OIDC token for a given user

Usage:
  security:oidc-token:generate [options] [--] <user-identifier>

Arguments:
  user-identifier              User identifier

Options:
      --firewall=FIREWALL      Firewall
      --algorithm=ALGORITHM    Algorithm name to use to sign
      --issuer=ISSUER          Set the Issuer claim (iss)
      --ttl=TTL                Set the Expiration Time claim (exp) (time to live in seconds)
      --not-before=NOT-BEFORE  Set the Not Before claim (nbf)

Usage

php bin/console security:oidc-token:generate jane.doe@example.com \
  --firewall="api" \
  --algorithm="HS256" \
  --issuer="https://example.com" \
  --ttl=7200 \
  --not-before=3600

Tip

When there is only one value, "firewall", "algorithm" and "issuer" are not required.

@Jean-Beru Jean-Beru force-pushed the security/generate-oidc-command branch from 4fba1cd to d5b0868 Compare June 3, 2025 14:56
@chalasr
Member

chalasr commented Jun 6, 2025

Good call 👍 I would make "token" or "jwt" part of the command name though as I find "oidc:generate" rather confusing (yup, no better suggestion yet 🙃).

@Jean-Beru Jean-Beru changed the title [Security] Add security:oidc:generate command [Security] Add security:oidc-token:generate command Jun 6, 2025
@Jean-Beru
Contributor Author

Good call 👍 I would make "token" or "jwt" part of the command name though as I find "oidc:generate" rather confusing (yup, no better suggestion yet 🙃).

Sure! Not more inspired than you, I renamed it to oidc-token:generate 😅

Contributor

@Spomky Spomky left a comment


That's a nice idea!
No remarks for this PR and OK with the name oidc-token:generate.

@chalasr
Member

chalasr commented Jun 11, 2025

Maybe security:oidc:generate-token would be more future-proof?

@@ -79,6 +80,24 @@ public function create(ContainerBuilder $container, string $id, array|string $co
]
);
}

// Generate command
if (!$container->hasDefinition('security.access_token_handler.oidc.command.generate')) {
Member


this needs to check whether the command exists, as SecurityBundle 7.4 could be installed with security-http version 7.3

$this
->addArgument('user-identifier', InputArgument::REQUIRED, 'User identifier')
->addOption('firewall', null, InputOption::VALUE_REQUIRED, 'Firewall')
->addOption('algorithm', null, InputOption::VALUE_REQUIRED, 'Algorithm name to use to sign')
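Review bot: the option descriptions in this hunk ('Firewall', 'Algorithm name to use to sign') do not document that the option may be omitted when only one firewall or algorithm is configured, which the PR description states in its Tip; put that in the description string, for example `->addOption('firewall', null, InputOption::VALUE_REQUIRED, 'Firewall name (optional when only one is configured)')`, so that `--help` matches the behaviour.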
Member


this should provide completion for the list of supported algorithms

{
$this
->addArgument('user-identifier', InputArgument::REQUIRED, 'User identifier')
->addOption('firewall', null, InputOption::VALUE_REQUIRED, 'Firewall')
Member


this should provide completion for the list of firewall names

) {
}

public function generate(string $userIdentifier, ?string $algorithmAlias = null, ?string $issuer = null, ?int $ttl = null, ?int $notBefore = null): string
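Review bot: nothing in the generate() signature bounds `?int $ttl`, and the option description says ttl sets the exp claim, so a zero or negative ttl would produce a token whose exp is already in the past; validate `$ttl > 0` in the command before calling generate() and fail with a clear error instead of emitting an expired token.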
Member


making not-before an int is not good UX. Humans will generally not provide a unix timestamp as the value of the option.
That class should take ?\DateTimeImmutable for this argument, and the command should convert the option when provided, allowing the use of date strings (like the ISO format for instance, but probably supporting anything supported by the DateTimeImmutable constructor makes sense)
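As an added example, not code from this pull request or from Symfony, the script below mirrors the inputs of the proposed command described in the PR body (user identifier, issuer, ttl, not-before) in a dependency-free HS256 token generator, takes not-before as a date string converted to \DateTimeImmutable as suggested in the review comment above (a bare number keeps the "seconds from now" meaning used in the PR's usage sample), and verifies the resulting iss/exp/nbf claims the way a resource server would. The secret, timestamps and function names (parseNotBefore, generateOidcToken, verifyOidcToken) are constructed for illustration and are not part of the project.

```php
<?php
// Added example (not Symfony's code, nor this PR's): a dependency-free HS256
// token generator mirroring the command's inputs, a not-before parser that
// accepts date strings as suggested in review, and a verifier for the claims.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if (false === $decoded) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $decoded;
}

// --not-before: a bare number keeps the "seconds from now" meaning of the PR,
// anything else goes through the DateTimeImmutable parser (ISO dates, etc.).
function parseNotBefore(?string $option, \DateTimeImmutable $now): ?\DateTimeImmutable
{
    if (null === $option) {
        return null;
    }
    if (preg_match('/^\d+$/', $option)) {
        return $now->modify('+'.$option.' seconds');
    }
    try {
        return new \DateTimeImmutable($option);
    } catch (\Exception $e) {
        throw new InvalidArgumentException(sprintf('Cannot parse not-before "%s"', $option), 0, $e);
    }
}

// sub = user identifier, iss = issuer, exp = now + ttl, nbf = not-before.
function generateOidcToken(string $secret, string $userIdentifier, string $issuer, int $ttl, ?\DateTimeImmutable $notBefore, \DateTimeImmutable $now): string
{
    if ($ttl <= 0) {
        throw new InvalidArgumentException('ttl must be a positive number of seconds');
    }
    $claims = ['iss' => $issuer, 'sub' => $userIdentifier, 'iat' => $now->getTimestamp(), 'exp' => $now->getTimestamp() + $ttl];
    if (null !== $notBefore) {
        $claims['nbf'] = $notBefore->getTimestamp();
    }
    $header = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'], JSON_THROW_ON_ERROR));
    $payload = base64url_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    $signature = base64url_encode(hash_hmac('sha256', $header.'.'.$payload, $secret, true));
    return $header.'.'.$payload.'.'.$signature;
}

// Resource-server side: pin the algorithm, compare the HMAC in constant time,
// then enforce iss, exp and nbf against $now.
function verifyOidcToken(string $token, string $secret, string $expectedIssuer, \DateTimeImmutable $now): array
{
    $parts = explode('.', $token);
    if (3 !== count($parts)) {
        throw new RuntimeException('Token must have three segments');
    }
    [$header, $payload, $signature] = $parts;
    $alg = json_decode(base64url_decode($header), true, 512, JSON_THROW_ON_ERROR)['alg'] ?? null;
    if ('HS256' !== $alg) {
        throw new RuntimeException('Unsupported algorithm');
    }
    $expected = base64url_encode(hash_hmac('sha256', $header.'.'.$payload, $secret, true));
    if (!hash_equals($expected, $signature)) {
        throw new RuntimeException('Invalid signature');
    }
    $claims = json_decode(base64url_decode($payload), true, 512, JSON_THROW_ON_ERROR);
    $ts = $now->getTimestamp();
    if (($claims['iss'] ?? null) !== $expectedIssuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    if (!isset($claims['exp']) || $ts >= $claims['exp']) {
        throw new RuntimeException('Token expired');
    }
    if (isset($claims['nbf']) && $ts < $claims['nbf']) {
        throw new RuntimeException('Token not yet valid');
    }
    return $claims;
}

// Constructed demo values; the secret exists only for this script.
$secret = 'constructed-demo-secret';
$now = new \DateTimeImmutable('2025-06-11T10:00:00+00:00');
$notBefore = parseNotBefore('2025-06-11T11:00:00+00:00', $now);
$token = generateOidcToken($secret, 'jane.doe@example.com', 'https://example.com', 7200, $notBefore, $now);

// One hour later nbf has passed and exp (12:00) has not: accepted.
echo verifyOidcToken($token, $secret, 'https://example.com', $now->modify('+1 hour'))['sub'], PHP_EOL;
// Checked immediately: rejected, because nbf is still in the future.
try {
    verifyOidcToken($token, $secret, 'https://example.com', $now);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The verifier pins the algorithm to HS256 before checking the signature, so a token whose header claims another algorithm is rejected rather than being interpreted with the wrong key type; the clock is injected so the nbf and exp checks can be exercised deterministically.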

@stof
Member

stof commented Jun 11, 2025

I like the security:oidc:generate-token name suggested by @chalasr as it makes it possible to add more commands related to oidc in the future even for other purposes.


5 participants