[Security] OAuth2 Introspection Endpoint (RFC7662)

In addition to the excellent work of @vincentchalamon #48272, this PR allows getting the data from the OAuth2 Introspection Endpoint. This endpoint is defined in the [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). It returns the following information that is used to retrieve the user:

* If the access token is active
* A set of claims that are similar to the OIDC one, including the `sub` or the `username`.

Author: Spomky

AccessToken/Oidc/OidcTokenHandler.php

@@ -17,9 +17,13 @@
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Encryption\JWEDecrypter;
+use Jose\Component\Encryption\JWETokenSupport;
+use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
+use Jose\Component\Encryption\Serializer\JWESerializerManager;
 use Jose\Component\Signature\JWSTokenSupport;
 use Jose\Component\Signature\JWSVerifier;
-use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Component\Signature\Serializer\CompactSerializer as JwsCompactSerializer;
 use Jose\Component\Signature\Serializer\JWSSerializerManager;
 use Psr\Clock\ClockInterface;
 use Psr\Log\LoggerInterface;
@@ -37,10 +41,13 @@
 final class OidcTokenHandler implements AccessTokenHandlerInterface
 {
     use OidcTrait;
+    private ?JWKSet $decryptionKeyset = null;
+    private ?AlgorithmManager $decryptionAlgorithms = null;
+    private bool $enforceEncryption = false;
 
     public function __construct(
         private Algorithm|AlgorithmManager $signatureAlgorithm,
-        private JWK|JWKSet $jwkset,
+        private JWK|JWKSet $signatureKeyset,
         private string $audience,
         private array $issuers,
         private string $claim = 'sub',
@@ -51,50 +58,29 @@ public function __construct(
             trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
             $this->signatureAlgorithm = new AlgorithmManager([$signatureAlgorithm]);
         }
-        if ($jwkset instanceof JWK) {
+        if ($signatureKeyset instanceof JWK) {
             trigger_deprecation('symfony/security-http', '7.1', 'Second argument must be instance of %s, %s given.', JWKSet::class, JWK::class);
-            $this->jwkset = new JWKSet([$jwkset]);
+            $this->signatureKeyset = new JWKSet([$signatureKeyset]);
         }
     }
 
+    public function enabledJweSupport(JWKSet $decryptionKeyset, AlgorithmManager $decryptionAlgorithms, bool $enforceEncryption): void
+    {
+        $this->decryptionKeyset = $decryptionKeyset;
+        $this->decryptionAlgorithms = $decryptionAlgorithms;
+        $this->enforceEncryption = $enforceEncryption;
+    }
+
     public function getUserBadgeFrom(string $accessToken): UserBadge
     {
         if (!class_exists(JWSVerifier::class) || !class_exists(Checker\HeaderCheckerManager::class)) {
             throw new \LogicException('You cannot use the "oidc" token handler since "web-token/jwt-signature" and "web-token/jwt-checker" are not installed. Try running "composer require web-token/jwt-signature web-token/jwt-checker".');
         }
 
         try {
-            // Decode the token
-            $jwsVerifier = new JWSVerifier($this->signatureAlgorithm);
-            $serializerManager = new JWSSerializerManager([new CompactSerializer()]);
-            $jws = $serializerManager->unserialize($accessToken);
-            $claims = json_decode($jws->getPayload(), true);
-
-            // Verify the signature
-            if (!$jwsVerifier->verifyWithKeySet($jws, $this->jwkset, 0)) {
-                throw new InvalidSignatureException();
-            }
-
-            // Verify the headers
-            $headerCheckerManager = new Checker\HeaderCheckerManager([
-                new Checker\AlgorithmChecker($this->signatureAlgorithm->list()),
-            ], [
-                new JWSTokenSupport(),
-            ]);
-            // if this check fails, an InvalidHeaderException is thrown
-            $headerCheckerManager->check($jws, 0);
-
-            // Verify the claims
-            $checkers = [
-                new Checker\IssuedAtChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: false),
-                new Checker\NotBeforeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: false),
-                new Checker\ExpirationTimeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: false),
-                new Checker\AudienceChecker($this->audience),
-                new Checker\IssuerChecker($this->issuers),
-            ];
-            $claimCheckerManager = new ClaimCheckerManager($checkers);
-            // if this check fails, an InvalidClaimException is thrown
-            $claimCheckerManager->check($claims);
+            $accessToken = $this->decryptIfNeeded($accessToken);
+            $claims = $this->loadAndVerifyJws($accessToken);
+            $this->verifyClaims($claims);
 
             if (empty($claims[$this->claim])) {
                 throw new MissingClaimException(\sprintf('"%s" claim not found.', $this->claim));
@@ -111,4 +97,92 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
         }
     }
+
+    private function loadAndVerifyJws(string $accessToken): array
+    {
+        // Decode the token
+        $jwsVerifier = new JWSVerifier($this->signatureAlgorithm);
+        $serializerManager = new JWSSerializerManager([new JwsCompactSerializer()]);
+        $jws = $serializerManager->unserialize($accessToken);
+
+        // Verify the signature
+        if (!$jwsVerifier->verifyWithKeySet($jws, $this->signatureKeyset, 0)) {
+            throw new InvalidSignatureException();
+        }
+
+        $headerCheckerManager = new Checker\HeaderCheckerManager([
+            new Checker\AlgorithmChecker($this->signatureAlgorithm->list()),
+        ], [
+            new JWSTokenSupport(),
+        ]);
+        // if this check fails, an InvalidHeaderException is thrown
+        $headerCheckerManager->check($jws, 0);
+
+        return json_decode($jws->getPayload(), true);
+    }
+
+    private function verifyClaims(array $claims): array
+    {
+        // Verify the claims
+        $checkers = [
+            new Checker\IssuedAtChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+            new Checker\NotBeforeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+            new Checker\ExpirationTimeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+            new Checker\AudienceChecker($this->audience),
+            new Checker\IssuerChecker($this->issuers),
+        ];
+        $claimCheckerManager = new ClaimCheckerManager($checkers);
+
+        // if this check fails, an InvalidClaimException is thrown
+        return $claimCheckerManager->check($claims);
+    }
+
+    private function decryptIfNeeded(string $accessToken): string
+    {
+        if (null === $this->decryptionKeyset || null === $this->decryptionAlgorithms) {
+            $this->logger?->debug('The encrypted tokens (JWE) are not supported. Skipping.');
+
+            return $accessToken;
+        }
+
+        $jweHeaderChecker = new Checker\HeaderCheckerManager(
+            [
+                new Checker\AlgorithmChecker($this->decryptionAlgorithms->list()),
+                new Checker\CallableChecker('enc', fn ($value) => \in_array($value, $this->decryptionAlgorithms->list())),
+                new Checker\CallableChecker('cty', fn ($value) => 'JWT' === $value),
+                new Checker\IssuedAtChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+                new Checker\NotBeforeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+                new Checker\ExpirationTimeChecker(clock: $this->clock, allowedTimeDrift: 0, protectedHeaderOnly: true),
+            ],
+            [new JWETokenSupport()]
+        );
+        $jweDecrypter = new JWEDecrypter($this->decryptionAlgorithms, null);
+        $serializerManager = new JWESerializerManager([new JweCompactSerializer()]);
+        try {
+            $jwe = $serializerManager->unserialize($accessToken);
+            $jweHeaderChecker->check($jwe, 0);
+            $result = $jweDecrypter->decryptUsingKeySet($jwe, $this->decryptionKeyset, 0);
+            if (false === $result) {
+                throw new \RuntimeException('The JWE could not be decrypted.');
+            }
+
+            $payload = $jwe->getPayload();
+            if (null === $payload) {
+                throw new \RuntimeException('The JWE payload is empty.');
+            }
+
+            return $payload;
+        } catch (\InvalidArgumentException|\RuntimeException $e) {
+            if ($this->enforceEncryption) {
+                $this->logger?->error('An error occurred while decrypting the token.', [
+                    'error' => $e->getMessage(),
+                    'trace' => $e->getTraceAsString(),
+                ]);
+                throw new BadCredentialsException('Encrypted token is required.', 0, $e);
+            }
+            $this->logger?->debug('The token decryption failed. Skipping as not mandatory.');
+
+            return $accessToken;
+        }
+    }
 }

CHANGELOG.md

@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.3
+---
+
+ * Add encryption support to `OidcTokenHandler` (JWE)
+
 7.2
 ---