Skip to content

Commit 42c3280

Browse files
javiereguiluzjaviereguiluz
committed
minor #18354 [Security] OIDC user info token handler client (vincentchalamon)
This PR was squashed before being merged into the 6.3 branch. Discussion ---------- [Security] OIDC user info token handler client Commits ------- d922dca [Security] OIDC user info token handler client
2 parents bd9e6d2 + d922dca commit 42c3280

File tree

1 file changed

+39
-98
lines changed

1 file changed

+39
-98
lines changed

security/access_token.rst

Lines changed: 39 additions & 98 deletions
Original file line numberDiff line numberDiff line change
@@ -380,9 +380,7 @@ and retrieve the user info:
380380
main:
381381
access_token:
382382
token_handler:
383-
oidc_user_info:
384-
client:
385-
base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
383+
oidc_user_info: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
386384
387385
.. code-block:: xml
388386
@@ -399,11 +397,7 @@ and retrieve the user info:
399397
<config>
400398
<firewall name="main">
401399
<access-token>
402-
<token-handler>
403-
<oidc-user-info>
404-
<client base-uri="https://www.example.com/realms/demo/protocol/openid-connect/userinfo"/>
405-
</oidc-user-info>
406-
</token-handler>
400+
<token-handler oidc-user-info="https://www.example.com/realms/demo/protocol/openid-connect/userinfo"/>
407401
</access-token>
408402
</firewall>
409403
</config>
@@ -418,9 +412,7 @@ and retrieve the user info:
418412
$security->firewall('main')
419413
->accessToken()
420414
->tokenHandler()
421-
->oidcUserInfo()
422-
->client()
423-
->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
415+
->oidcUserInfo('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
424416
;
425417
};
426418
@@ -439,8 +431,7 @@ identifier by default. To use another claim, specify it on the configuration:
439431
token_handler:
440432
oidc_user_info:
441433
claim: email
442-
client:
443-
base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
434+
base_uri: https://www.example.com/realms/demo/protocol/openid-connect/userinfo
444435
445436
.. code-block:: xml
446437
@@ -458,9 +449,7 @@ identifier by default. To use another claim, specify it on the configuration:
458449
<firewall name="main">
459450
<access-token>
460451
<token-handler>
461-
<oidc-user-info claim="email">
462-
<client base-uri="https://www.example.com/realms/demo/protocol/openid-connect/userinfo"/>
463-
</oidc-user-info>
452+
<oidc-user-info claim="email" base-uri="https://www.example.com/realms/demo/protocol/openid-connect/userinfo"/>
464453
</token-handler>
465454
</access-token>
466455
</firewall>
@@ -478,13 +467,12 @@ identifier by default. To use another claim, specify it on the configuration:
478467
->tokenHandler()
479468
->oidcUserInfo()
480469
->claim('email')
481-
->client()
482-
->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
470+
->baseUri('https://www.example.com/realms/demo/protocol/openid-connect/userinfo')
483471
;
484472
};
485473
486474
The ``oidc_user_info`` token handler automatically creates an HTTP client with
487-
the specified configuration. If you prefer using your own client, you can
475+
the specified ``base_uri``. If you prefer using your own client, you can
488476
specify the service name via the ``client`` option:
489477

490478
.. configuration-block::
@@ -583,11 +571,14 @@ it and retrieve the user info from it:
583571
access_token:
584572
token_handler:
585573
oidc:
586-
signature:
587-
# Algorithm used to sign the JWS
588-
algorithm: 'HS256'
589-
# A JSON-encoded JWK
590-
key: '{"kty":"...","k":"..."}'
574+
# Algorithm used to sign the JWS
575+
algorithm: 'ES256'
576+
# A JSON-encoded JWK
577+
key: '{"kty":"...","k":"..."}'
578+
# Audience (`aud` claim): required for validation purpose
579+
audience: 'api-example'
580+
# Issuers (`iss` claim): required for validation purpose
581+
issuers: ['https://oidc.example.com']
591582
592583
.. code-block:: xml
593584
@@ -605,8 +596,12 @@ it and retrieve the user info from it:
605596
<firewall name="main">
606597
<access-token>
607598
<token-handler>
608-
<oidc>
609-
<signature algorithm="HS256" key="{'kty':'...','k':'...'}"/>
599+
<!-- Algorithm used to sign the JWS -->
600+
<!-- A JSON-encoded JWK -->
601+
<!-- Audience (`aud` claim): required for validation purpose -->
602+
<oidc algorithm="ES256" key="{'kty':'...','k':'...'}" audience="api-example">
603+
<!-- Issuers (`iss` claim): required for validation purpose -->
604+
<issuer>https://oidc.example.com</issuer>
610605
</oidc>
611606
</token-handler>
612607
</access-token>
@@ -624,9 +619,14 @@ it and retrieve the user info from it:
624619
->accessToken()
625620
->tokenHandler()
626621
->oidc()
627-
->signature()
628-
->algorithm('HS256')
629-
->key('{"kty":"...","k":"..."}')
622+
// Algorithm used to sign the JWS
623+
->algorithm('ES256')
624+
// A JSON-encoded JWK
625+
->key('{"kty":"...","k":"..."}')
626+
// Audience (`aud` claim): required for validation purpose
627+
->audience('api-example')
628+
// Issuers (`iss` claim): required for validation purpose
629+
->issuers(['https://oidc.example.com'])
630630
;
631631
};
632632
@@ -646,9 +646,10 @@ configuration:
646646
token_handler:
647647
oidc:
648648
claim: email
649-
signature:
650-
algorithm: 'HS256'
651-
key: '{"kty":"...","k":"..."}'
649+
algorithm: 'ES256'
650+
key: '{"kty":"...","k":"..."}'
651+
audience: 'api-example'
652+
issuers: ['https://oidc.example.com']
652653
653654
.. code-block:: xml
654655
@@ -666,8 +667,8 @@ configuration:
666667
<firewall name="main">
667668
<access-token>
668669
<token-handler>
669-
<oidc claim="email">
670-
<signature algorithm="HS256" key="{'kty':'...','k':'...'}"/>
670+
<oidc claim="email" algorithm="ES256" key="{'kty':'...','k':'...'}" audience="api-example">
671+
<issuer>https://oidc.example.com</issuer>
671672
</oidc>
672673
</token-handler>
673674
</access-token>
@@ -686,70 +687,10 @@ configuration:
686687
->tokenHandler()
687688
->oidc()
688689
->claim('email')
689-
->signature()
690-
->algorithm('HS256')
691-
->key('{"kty":"...","k":"..."}')
692-
;
693-
};
694-
695-
The ``oidc`` token handler also checks for the token audience. By default, this
696-
audience is optional. To enable this check, add the ``audience`` option:
697-
698-
.. configuration-block::
699-
700-
.. code-block:: yaml
701-
702-
# config/packages/security.yaml
703-
security:
704-
firewalls:
705-
main:
706-
access_token:
707-
token_handler:
708-
oidc:
709-
audience: 'My audience'
710-
signature:
711-
algorithm: 'HS256'
712-
key: '{"kty":"...","k":"..."}'
713-
714-
.. code-block:: xml
715-
716-
<!-- config/packages/security.xml -->
717-
<?xml version="1.0" encoding="UTF-8"?>
718-
<srv:container xmlns="http://symfony.com/schema/dic/security"
719-
xmlns:srv="http://symfony.com/schema/dic/services"
720-
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
721-
xsi:schemaLocation="http://symfony.com/schema/dic/services
722-
https://symfony.com/schema/dic/services/services-1.0.xsd
723-
http://symfony.com/schema/dic/security
724-
https://symfony.com/schema/dic/security/security-1.0.xsd">
725-
726-
<config>
727-
<firewall name="main">
728-
<access-token>
729-
<token-handler>
730-
<oidc audience="My audience">
731-
<signature algorithm="HS256" key="{'kty':'...','k':'...'}"/>
732-
</oidc>
733-
</token-handler>
734-
</access-token>
735-
</firewall>
736-
</config>
737-
</srv:container>
738-
739-
.. code-block:: php
740-
741-
// config/packages/security.php
742-
use Symfony\Config\SecurityConfig;
743-
744-
return static function (SecurityConfig $security) {
745-
$security->firewall('main')
746-
->accessToken()
747-
->tokenHandler()
748-
->oidc()
749-
->audience('My audience')
750-
->signature()
751-
->algorithm('HS256')
752-
->key('{"kty":"...","k":"..."}')
690+
->algorithm('ES256')
691+
->key('{"kty":"...","k":"..."}')
692+
->audience('api-example')
693+
->issuers(['https://oidc.example.com'])
753694
;
754695
};
755696

0 commit comments

Comments
 (0)