[Security] Add support for encrypted access tokens (JWE) in OIDC #20637

Open
wants to merge 1 commit into base: 7.3
26 changes: 24 additions & 2 deletions security/access_token.rst
Expand Up @@ -546,7 +546,8 @@
$ composer require web-token/jwt-library

Symfony provides a generic ``OidcTokenHandler`` to decode your token, validate
it and retrieve the user info from it:
it and retrieve the user info from it.
Optionally, the token may be encrypted (JWE):

.. configuration-block::

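Review bot: the added sentence at line 43, "Optionally, the token may be encrypted (JWE):", leaves open whether the JWE is expected to wrap the signed JWS and whether the signature, `aud` and `iss` checks still run on the decrypted payload; since the examples below keep the signing `algorithms`/`keyset` and add a separate `encryption` block, state that relationship here so readers do not take encryption as a replacement for signature validation.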
Expand All @@ -567,6 +568,11 @@
audience: 'api-example'
# Issuers (`iss` claim): required for validation purpose
issuers: ['https://oidc.example.com']
encryption:
enabled: true # Default to false
enforce: false # Default to false, requires an encrypted token when true
algorithms: ['ECDH-ES', 'A128GCM']
keyset: '{"keys": [...]}' # Encryption private keyset

Check failure on line 575 in security/access_token.rst (GitHub Actions / Code Blocks): [Cache Warmup] In OidcTokenHandlerFactory.php line 35: You cannot use the "oidc" token handler since "web-token/jwt-library" is not installed. Try running "composer require web-token/jwt-library".

.. code-block:: xml

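Review bot: `enforce: false` at line 53 is the default, so with `enabled: true` alone an unencrypted token is still accepted; the comment should say this plainly (e.g. "Defaults to false; when false, plain signed tokens are still accepted") and the text should recommend `enforce: true` for deployments that rely on the token being encrypted. The comments at lines 52 and 53 should also read "Defaults to false". `keyset: '{"keys": [...]}'` at line 55 places a private keyset directly in the configuration file; point readers to an environment variable or secret store for that value. Separately, the Code Blocks CI check fails on this block because "web-token/jwt-library" is not installed in the doc build, which needs resolving before merge.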
Expand All @@ -592,6 +598,10 @@
<algorithm>ES256</algorithm>
<algorithm>RS256</algorithm>
<issuer>https://oidc.example.com</issuer>
<encryption enabled="true" enforce="true" keyset="{'keys': [...]}">
<algorithm>ECDH-ES</algorithm>
<algorithm>A128GCM</algorithm>
</encryption>
</oidc>
</token-handler>
</access-token>
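Review bot: the XML example at line 71 sets `enforce="true"` while the YAML and PHP examples set `enforce: false`; the three formats should show the same configuration. The `keyset="{'keys': [...]}"` value uses single quotes, which is not valid JSON for a JWKSet; use double-quoted JSON as in the YAML and PHP examples (escaped as `&quot;` inside the XML attribute if needed).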
Expand All @@ -611,12 +621,20 @@
->oidc()
// Algorithm used to sign the JWS
->algorithms(['ES256', 'RS256'])
// A JSON-encoded JWK
// A JSON-encoded JWKSet (public keys)
->keyset('{"keys":[{"kty":"...","k":"..."}]}')
// Audience (`aud` claim): required for validation purpose
->audience('api-example')
// Issuers (`iss` claim): required for validation purpose
->issuers(['https://oidc.example.com'])
->encryption()
->enabled(true) //Default to false
->enforce(false) //Default to false, requires an encrypted token when true
// Algorithm used to decrypt the JWE
->algorithms(['ECDH-ES', 'A128GCM'])
// A JSON-encoded JWKSet (private keys)
->keyset('{"keys":[...]}')

;
};

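Review bot: the blank line added at line 96 between `->keyset(...)` and the closing `;` is stray and should be dropped. The comments `//Default to false` at lines 90 and 91 are missing the space after `//` and should read "Defaults to false"; the `enforce` comment should state what the false setting permits (unencrypted tokens are still accepted). The changed comment "A JSON-encoded JWKSet (public keys)" alongside "A JSON-encoded JWKSet (private keys)" is a useful distinction; consider naming them the signature verification keyset and the decryption keyset so readers do not reuse one for the other.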
Expand All @@ -625,6 +643,10 @@
The support of multiple algorithms to sign the JWS was introduced in Symfony 7.1.
In previous versions, only the ``ES256`` algorithm was supported.

.. versionadded:: 7.3

The support of the encryption algorithms to decrypt the JWE was introduced in Symfony 7.3.

Following the `OpenID Connect Specification`_, the ``sub`` claim is used by
default as user identifier. To use another claim, specify it on the
configuration:
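Review bot: the versionadded text at line 106 reads awkwardly; "Support for encrypted access tokens (JWE), configured with the ``encryption`` option, was introduced in Symfony 7.3." names the new option and reads more naturally. The 7.3 version matches the PR's base branch.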