feat: Add jwt leeway configuration option

frankdekker · chalasr · commit c84131b9751a · 2025-03-22T16:41:21.000+01:00
diff --git a/docs/index.md b/docs/index.md
@@ -81,6 +81,9 @@ For implementation into Symfony projects, please see [bundle documentation](basi
             # How to generate a public key: https://oauth2.thephpleague.com/installation/#generating-public-and-private-keys
             public_key:           ~ # Required, Example: /var/oauth/public.key
 
+            # The leeway in seconds to allow for clock skew in JWT verification. Default PT0S (no leeway).
+            jwt_leeway: null
+
         scopes:
             # Scopes that you wish to utilize in your application.
             # This should be a simple array of strings.
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -131,6 +131,11 @@ private function createResourceServerNode(): NodeDefinition
                     ->isRequired()
                     ->cannotBeEmpty()
                 ->end()
+                ->scalarNode('jwt_leeway')
+                    ->info('The leeway in seconds to allow for clock skew in JWT verification. Default PT0S (no leeway).')
+                    ->example('PT60S')
+                    ->defaultValue(null)
+                ->end()
             ->end()
         ;
 
diff --git a/src/DependencyInjection/LeagueOAuth2ServerExtension.php b/src/DependencyInjection/LeagueOAuth2ServerExtension.php
@@ -27,6 +27,7 @@
 use League\Bundle\OAuth2ServerBundle\Service\CredentialsRevokerInterface;
 use League\Bundle\OAuth2ServerBundle\ValueObject\Scope as ScopeModel;
 use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
 use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -331,6 +332,11 @@ private function configureResourceServer(ContainerBuilder $container, array $con
                 false,
             ]))
         ;
+        if (null !== $config['jwt_leeway']) {
+            $container
+                ->findDefinition(BearerTokenValidator::class)
+                ->replaceArgument(1, new Definition(\DateInterval::class, [$config['jwt_leeway']]));
+        }
     }
 
     private function configureScopes(ContainerBuilder $container, array $scopes): void
diff --git a/src/Resources/config/services.php b/src/Resources/config/services.php
@@ -38,6 +38,7 @@
 use League\Bundle\OAuth2ServerBundle\Security\EventListener\CheckScopeListener;
 use League\Bundle\OAuth2ServerBundle\Service\SymfonyLeagueEventListenerProvider;
 use League\OAuth2\Server\AuthorizationServer;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
 use League\OAuth2\Server\EventEmitting\EventEmitter;
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
@@ -153,11 +154,20 @@
             ->configurator(service(GrantConfigurator::class))
         ->alias(AuthorizationServer::class, 'league.oauth2_server.authorization_server')
 
+        // League bearer token validator
+        ->set('league.oauth2_server.bearer_token_validator', BearerTokenValidator::class)
+            ->args([
+                service(AccessTokenRepositoryInterface::class),
+                null,
+            ])
+        ->alias(BearerTokenValidator::class, 'league.oauth2_server.bearer_token_validator')
+
         // League resource server
         ->set('league.oauth2_server.resource_server', ResourceServer::class)
             ->args([
                 service(AccessTokenRepositoryInterface::class),
                 null,
+                service(BearerTokenValidator::class),
             ])
         ->alias(ResourceServer::class, 'league.oauth2_server.resource_server')
 
diff --git a/tests/Acceptance/CustomPersistenceManagerTest.php b/tests/Acceptance/CustomPersistenceManagerTest.php
@@ -159,6 +159,7 @@ protected static function createKernel(array $options = []): KernelInterface
         return new TestKernel(
             'test',
             false,
+            null,
             [
                 'custom' => [
                     'access_token_manager' => 'test.access_token_manager',
diff --git a/tests/Acceptance/JwtLeewayConfigurationTest.php b/tests/Acceptance/JwtLeewayConfigurationTest.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\Bundle\OAuth2ServerBundle\Tests\Acceptance;
+
+use League\Bundle\OAuth2ServerBundle\Repository\AccessTokenRepository;
+use League\Bundle\OAuth2ServerBundle\Tests\TestKernel;
+use League\OAuth2\Server\AuthorizationValidators\BearerTokenValidator;
+use Symfony\Bundle\FrameworkBundle\Console\Application;
+use Symfony\Component\HttpKernel\KernelInterface;
+
+class JwtLeewayConfigurationTest extends AbstractAcceptanceTest
+{
+    protected function setUp(): void
+    {
+        $this->client = self::createClient();
+        $this->application = new Application($this->client->getKernel());
+    }
+
+    public function testLeewayConfigurationIsSet(): void
+    {
+        /** @var AccessTokenRepository $tokenRepository */
+        $tokenRepository = $this->client->getContainer()->get(AccessTokenRepository::class);
+        $validator = $this->client->getContainer()->get(BearerTokenValidator::class);
+
+        $expected = new BearerTokenValidator($tokenRepository, new \DateInterval('PT60S'));
+        $this->assertEquals($expected, $validator);
+    }
+
+    protected static function createKernel(array $options = []): KernelInterface
+    {
+        return new TestKernel(
+            'test',
+            false,
+            [
+                'public_key' => '%env(PUBLIC_KEY_PATH)%',
+                'jwt_leeway' => 'PT60S',
+            ]
+        );
+    }
+}
diff --git a/tests/Integration/AuthorizationServerTest.php b/tests/Integration/AuthorizationServerTest.php
@@ -700,8 +700,8 @@ public function testFailedAuthorizationWithInvalidRedirectUri(): void
         $response = $this->handleTokenRequest($request);
 
         // Response assertions.
-        $this->assertSame('invalid_client', $response['error']);
-        $this->assertSame('Client authentication failed', $response['error_description']);
+        $this->assertSame('invalid_request', $response['error']);
+        $this->assertSame('The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.', $response['error_description']);
     }
 
     public function testSuccessfulImplicitRequest(): void
diff --git a/tests/TestKernel.php b/tests/TestKernel.php
@@ -28,8 +28,12 @@
 
 final class TestKernel extends Kernel implements CompilerPassInterface
 {
-    public function __construct(string $environment, bool $debug, private array $persistenceConfig = ['doctrine' => ['entity_manager' => 'default']])
-    {
+    public function __construct(
+        string $environment,
+        bool $debug,
+        private ?array $resourceServiceConfig = null,
+        private ?array $persistenceConfig = null,
+    ) {
         parent::__construct($environment, $debug);
     }
 
@@ -52,7 +56,14 @@ public function registerBundles(): iterable
 
     public function getCacheDir(): string
     {
-        return \sprintf('%s/tests/.kernel/cache', $this->getProjectDir());
+        $cacheDirectory = 'cache';
+
+        // create unique cache directory when custom config is provided
+        if (null !== $this->resourceServiceConfig || null !== $this->persistenceConfig) {
+            $cacheDirectory = '/cache/' . hash('sha256', serialize(($this->resourceServiceConfig ?? []) + ($this->persistenceConfig ?? [])));
+        }
+
+        return \sprintf('%s/tests/.kernel/' . $cacheDirectory, $this->getProjectDir());
     }
 
     public function getLogDir(): string
@@ -163,9 +174,7 @@ public function registerContainerConfiguration(LoaderInterface $loader): void
                     'private_key' => '%env(PRIVATE_KEY_PATH)%',
                     'encryption_key' => '%env(ENCRYPTION_KEY)%',
                 ],
-                'resource_server' => [
-                    'public_key' => '%env(PUBLIC_KEY_PATH)%',
-                ],
+                'resource_server' => $this->resourceServiceConfig ?? ['public_key' => '%env(PUBLIC_KEY_PATH)%'],
                 'scopes' => [
                     'available' => [
                         FixtureFactory::FIXTURE_SCOPE_FIRST,
@@ -175,7 +184,7 @@ public function registerContainerConfiguration(LoaderInterface $loader): void
                         FixtureFactory::FIXTURE_SCOPE_SECOND,
                     ],
                 ],
-                'persistence' => $this->persistenceConfig,
+                'persistence' => $this->persistenceConfig ?? ['doctrine' => ['entity_manager' => 'default']],
             ]);
 
             $this->configureControllers($container);

Original file line number	Diff line number	Diff line change
`@@ -159,6 +159,7 @@ protected static function createKernel(array $options = []): KernelInterface`
`159`	`159`	`return new TestKernel(`
`160`	`160`	`'test',`
`161`	`161`	`false,`
	`162`	`+ null,`
`162`	`163`	`[`
`163`	`164`	`'custom' => [`
`164`	`165`	`'access_token_manager' => 'test.access_token_manager',`
Original file line number	Diff line number	Diff line change
`@@ -700,8 +700,8 @@ public function testFailedAuthorizationWithInvalidRedirectUri(): void`
`700`	`700`	`$response = $this->handleTokenRequest($request);`
`701`	`701`
`702`	`702`	`// Response assertions.`
`703`		`- $this->assertSame('invalid_client', $response['error']);`
`704`		`- $this->assertSame('Client authentication failed', $response['error_description']);`
	`703`	`+ $this->assertSame('invalid_request', $response['error']);`
	`704`	`+ $this->assertSame('The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.', $response['error_description']);`
`705`	`705`	`}`
`706`	`706`
`707`	`707`	`public function testSuccessfulImplicitRequest(): void`