[Security] Support multiple signature algorithms and JWK/JWKSet for OIDC tokens

Author: Spomky

AccessToken/Oidc/OidcTokenHandler.php

@@ -16,6 +16,7 @@
 use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\JWSTokenSupport;
 use Jose\Component\Signature\JWSVerifier;
 use Jose\Component\Signature\Serializer\CompactSerializer;
@@ -38,14 +39,22 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     use OidcTrait;
 
     public function __construct(
-        private Algorithm $signatureAlgorithm,
-        private JWK $jwk,
+        private Algorithm|AlgorithmManager $signatureAlgorithm,
+        private JWK|JWKSet $jwkset,
         private string $audience,
         private array $issuers,
         private string $claim = 'sub',
         private ?LoggerInterface $logger = null,
         private ClockInterface $clock = new Clock(),
     ) {
+        if ($signatureAlgorithm instanceof Algorithm) {
+            trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
+            $this->signatureAlgorithm = new AlgorithmManager([$signatureAlgorithm]);
+        }
+        if ($jwkset instanceof JWK) {
+            trigger_deprecation('symfony/security-http', '7.1', 'Second argument must be instance of %s, %s given.', JWKSet::class, JWK::class);
+            $this->jwkset = new JWKSet([$jwkset]);
+        }
     }
 
     public function getUserBadgeFrom(string $accessToken): UserBadge
@@ -56,19 +65,19 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
 
         try {
             // Decode the token
-            $jwsVerifier = new JWSVerifier(new AlgorithmManager([$this->signatureAlgorithm]));
+            $jwsVerifier = new JWSVerifier($this->signatureAlgorithm);
             $serializerManager = new JWSSerializerManager([new CompactSerializer()]);
             $jws = $serializerManager->unserialize($accessToken);
             $claims = json_decode($jws->getPayload(), true);
 
             // Verify the signature
-            if (!$jwsVerifier->verifyWithKey($jws, $this->jwk, 0)) {
+            if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwkset, 0)) {
                 throw new InvalidSignatureException();
             }
 
             // Verify the headers
             $headerCheckerManager = new Checker\HeaderCheckerManager([
-                new Checker\AlgorithmChecker([$this->signatureAlgorithm->name()]),
+                new Checker\AlgorithmChecker($this->signatureAlgorithm->list()),
             ], [
                 new JWSTokenSupport(),
             ]);

Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

@@ -13,6 +13,7 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\JWKSet;
 use Jose\Component\Signature\Algorithm\ES256;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\Serializer\CompactSerializer;
@@ -53,8 +54,8 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
         $loggerMock->expects($this->never())->method('error');
 
         $userBadge = (new OidcTokenHandler(
-            new ES256(),
-            $this->getJWK(),
+            new AlgorithmManager([new ES256()]),
+            $this->getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             $claim,
@@ -87,8 +88,8 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
         $this->expectExceptionMessage('Invalid credentials.');
 
         (new OidcTokenHandler(
-            new ES256(),
-            $this->getJWK(),
+            new AlgorithmManager([new ES256()]),
+            $this->getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             'sub',
@@ -146,8 +147,8 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
         $this->expectExceptionMessage('Invalid credentials.');
 
         (new OidcTokenHandler(
-            new ES256(),
-            self::getJWK(),
+            new AlgorithmManager([new ES256()]),
+            self::getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             'email',
@@ -177,4 +178,18 @@ private static function getJWK(): JWK
             'd' => 'iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220',
         ]);
     }
+
+    private static function getJWKSet(): JWKSet
+    {
+        return new JWKSet([
+            new JWK([
+                'kty' => 'EC',
+                'crv' => 'P-256',
+                'x' => 'FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars',
+                'y' => 'rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY',
+                'd' => '4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0',
+            ]),
+            self::getJWK(),
+        ]);
+    }
 }

composer.json

@@ -17,6 +17,7 @@
     ],
     "require": {
         "php": ">=8.2",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/http-foundation": "^6.4|^7.0",
         "symfony/http-kernel": "^6.4|^7.0",
         "symfony/polyfill-mbstring": "~1.0",
@@ -35,8 +36,7 @@
         "symfony/security-csrf": "^6.4|^7.0",
         "symfony/translation": "^6.4|^7.0",
         "psr/log": "^1|^2|^3",
-        "web-token/jwt-checker": "^3.1",
-        "web-token/jwt-signature-algorithm-ecdsa": "^3.1"
+        "web-token/jwt-library": "^3.3.2"
     },
     "conflict": {
         "symfony/clock": "<6.4",