Skip to content

Commit

Permalink
fix: improve OidcDiscoveryTokenHandler with claims and headers check (#…
Browse files Browse the repository at this point in the history
  • Loading branch information
vincentchalamon authored Dec 18, 2024
1 parent 3ca671d commit ce9c8f1
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 6 deletions.
9 changes: 9 additions & 0 deletions api/config/packages/jose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,15 @@ jose:
signature_algorithms: ['HS256', 'RS256', 'ES256']
header_checkers: ['alg', 'iat', 'nbf', 'exp', 'aud', 'iss']
is_public: true
checkers:
claims:
oidc:
is_public: true
claims: ['iat', 'nbf', 'exp']
headers:
oidc:
is_public: true
headers: ['alg', 'iss', 'aud']

services:
_defaults:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,14 @@

namespace App\Security\Http\AccessToken\Oidc;

use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\JWSLoader;
use Psr\Log\LoggerInterface;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTrait;
use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
Expand All @@ -21,8 +22,11 @@

/**
* Completes {@see OidcTokenHandler} with OIDC Discovery and configuration stored in cache.
* It verifies access tokens, extracts user information, and creates user badges for Symfony's security system.
*
* @see https://github.com/symfony/symfony/pull/54932
*/
final class OidcDiscoveryTokenHandler implements AccessTokenHandlerInterface
final readonly class OidcDiscoveryTokenHandler implements AccessTokenHandlerInterface
{
use OidcTrait;

Expand All @@ -31,7 +35,11 @@ public function __construct(
private CacheInterface $cache,
#[Autowire('@jose.jws_loader.oidc')]
private JWSLoader $jwsLoader,
private readonly HttpClientInterface $securityAuthorizationClient,
#[Autowire('@jose.claim_checker.oidc')]
private ClaimCheckerManager $claimCheckerManager,
#[Autowire('@jose.header_checker.oidc')]
private HeaderCheckerManager $headerCheckerManager,
private HttpClientInterface $securityAuthorizationClient,
private string $claim = 'email',
private int $ttl = 600,
private ?LoggerInterface $logger = null,
Expand Down Expand Up @@ -86,9 +94,8 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
);

$claims = json_decode($jws->getPayload(), true);
if (empty($claims[$this->claim])) {
throw new MissingClaimException(\sprintf('"%s" claim not found.', $this->claim));
}
$this->claimCheckerManager->check(claims: $claims, mandatoryClaims: [$this->claim]);
$this->headerCheckerManager->check(jwt: $jws, index: 0);

// UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
Expand Down

0 comments on commit ce9c8f1

Please sign in to comment.