
Commit e011b0f

OskarStarknicolas-grekas
authored andcommitted
[SecurityBundle] Remove deprecated OIDC token handler options algorithm and key
1 parent 5c8b972 commit e011b0f


5 files changed

+20
-123
lines changed


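--- a/UPGRADE-8.0.md
+++ b/UPGRADE-8.0.md
@@ -398,6 +398,21 @@ SecurityBundle
 - `'account_status'`: A new option that only exposes account status errors (e.g., account locked, disabled)
 
 * Make `ExpressionCacheWarmer` class `final`
+* Remove the deprecated `algorithm` and `key` options from the OIDC token handler configuration, use `algorithms` and `keyset` instead
+
+```diff
+# config/packages/security.yaml
+security:
+firewalls:
+main:
+access_token:
+token_handler:
+oidc:
+- algorithm: 'RS256'
+- key: 'https://example.com/.well-known/jwks.json'
++ algorithms: ['RS256']
++ keyset: 'https://example.com/.well-known/jwks.json'
+```
 
 Serializer
 ----------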

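--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
 * Remove the deprecated `hide_user_not_found` configuration option, use `expose_security_errors` instead
+* Remove the deprecated `algorithm` and `key` options from the OIDC token handler configuration, use `algorithms` and `keyset` instead
 * Remove `LazyFirewallContext::__invoke()`
 * Make `ExpressionCacheWarmer` class `final`
 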
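--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -92,35 +92,8 @@ public function addConfiguration(NodeBuilder $node): void
 ->arrayNode($this->getKey())
 ->fixXmlConfig($this->getKey())
 ->validate()
-->ifTrue(static fn ($v) => !isset($v['algorithm']) && !isset($v['algorithms']))
-->thenInvalid('You must set either "algorithm" or "algorithms".')
-->end()
-->validate()
-->ifTrue(static fn ($v) => !isset($v['discovery']) && !isset($v['key']) && !isset($v['keyset']))
-->thenInvalid('You must set either "discovery" or "key" or "keyset".')
-->end()
-->beforeNormalization()
-->ifTrue(static fn ($v) => isset($v['algorithm']) && \is_string($v['algorithm']))
-->then(static function ($v) {
-if (isset($v['algorithms'])) {
-throw new InvalidConfigurationException('You cannot use both "algorithm" and "algorithms" at the same time.');
-}
-$v['algorithms'] = [$v['algorithm']];
-unset($v['algorithm']);
-
-return $v;
-})
-->end()
-->beforeNormalization()
-->ifTrue(static fn ($v) => isset($v['key']) && \is_string($v['key']))
-->then(static function ($v) {
-if (isset($v['keyset'])) {
-throw new InvalidConfigurationException('You cannot use both "key" and "keyset" at the same time.');
-}
-$v['keyset'] = \sprintf('{"keys":[%s]}', $v['key']);
-
-return $v;
-})
+->ifTrue(static fn ($v) => !isset($v['discovery']) && !isset($v['keyset']))
+->thenInvalid('You must set either "discovery" or "keyset".')
 ->end()
 ->children()
 ->arrayNode('discovery')
@@ -155,19 +128,11 @@ public function addConfiguration(NodeBuilder $node): void
 ->isRequired()
 ->scalarPrototype()->end()
 ->end()
-->arrayNode('algorithm')
-->info('Algorithm used to sign the token.')
-->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "algorithms" option instead.')
-->end()
 ->arrayNode('algorithms')
 ->info('Algorithms used to sign the token.')
 ->isRequired()
 ->scalarPrototype()->end()
 ->end()
-->scalarNode('key')
-->info('JSON-encoded JWK used to sign the token (must contain a "kty" key).')
-->setDeprecated('symfony/security-bundle', '7.1', 'The "%node%" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.')
-->end()
 ->scalarNode('keyset')
 ->info('JSON-encoded JWKSet used to sign the token (must contain a list of valid public keys).')
 ->end()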
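Review bot: The `->validate()` check added in the first hunk relies on `isset()`, which is true for an empty string, so a config with `keyset: ''` passes container validation and only fails later when the JWKSet is parsed at runtime; adding `->cannotBeEmpty()` to the `->scalarNode('keyset')` definition in the second hunk would reject it at compile time with a clear message. The `->info()` strings kept on the `algorithms` and `keyset` nodes say the values are "used to sign the token", but a keyset that "must contain a list of valid public keys" verifies signatures rather than producing them, so `->info('JSON-encoded JWKSet used to verify the token signature (must contain a list of valid public keys).')` and `->info('Algorithms accepted for the token signature.')` would describe the contract accurately. Relatedly, the UPGRADE-8.0.md hunk in this commit shows `keyset: 'https://example.com/.well-known/jwks.json'`, a URL, while the node documents a JSON-encoded JWKSet; if the keyset node does not accept a URL, that example will mislead users migrating from `key`. addConfiguration() starts before the first hunk and continues past the second.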

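--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
@@ -104,61 +104,17 @@ public function testInvalidOidcTokenHandlerConfigurationKeyMissing()
 $config = [
 'token_handler' => [
 'oidc' => [
-'algorithm' => 'RS256',
-'issuers' => ['https://www.example.com'],
-'audience' => 'audience',
-],
-],
-];
-
-$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
-
-$this->expectException(InvalidConfigurationException::class);
-$this->expectExceptionMessage('You must set either "discovery" or "key" or "keyset".');
-
-$this->processConfig($config, $factory);
-}
-
-public function testInvalidOidcTokenHandlerConfigurationDuplicatedKeyParameters()
-{
-$config = [
-'token_handler' => [
-'oidc' => [
-'algorithm' => 'RS256',
-'issuers' => ['https://www.example.com'],
-'audience' => 'audience',
-'key' => 'key',
-'keyset' => 'keyset',
-],
-],
-];
-
-$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
-
-$this->expectException(InvalidConfigurationException::class);
-$this->expectExceptionMessage('You cannot use both "key" and "keyset" at the same time.');
-
-$this->processConfig($config, $factory);
-}
-
-public function testInvalidOidcTokenHandlerConfigurationDuplicatedAlgorithmParameters()
-{
-$config = [
-'token_handler' => [
-'oidc' => [
-'algorithm' => 'RS256',
 'algorithms' => ['RS256'],
 'issuers' => ['https://www.example.com'],
 'audience' => 'audience',
-'keyset' => 'keyset',
 ],
 ],
 ];
 
 $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
 
 $this->expectException(InvalidConfigurationException::class);
-$this->expectExceptionMessage('You cannot use both "algorithm" and "algorithms" at the same time.');
+$this->expectExceptionMessage('You must set either "discovery" or "keyset".');
 
 $this->processConfig($config, $factory);
 }
@@ -183,46 +139,6 @@ public function testInvalidOidcTokenHandlerConfigurationMissingAlgorithmParamete
 $this->processConfig($config, $factory);
 }
 
-/**
-* @group legacy
-*
-* @expectedDeprecation Since symfony/security-bundle 7.1: The "key" option is deprecated and will be removed in 8.0. Use the "keyset" option instead.
-*/
-public function testOidcTokenHandlerConfigurationWithSingleAlgorithm()
-{
-$container = new ContainerBuilder();
-$jwk = '{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}';
-$config = [
-'token_handler' => [
-'oidc' => [
-'algorithm' => 'RS256',
-'issuers' => ['https://www.example.com'],
-'audience' => 'audience',
-'key' => $jwk,
-],
-],
-];
-
-$factory = new AccessTokenFactory($this->createTokenHandlerFactories());
-$finalizedConfig = $this->processConfig($config, $factory);
-
-$factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
-
-$this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
-$this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
-
-$expected = [
-'index_0' => (new ChildDefinition('security.access_token_handler.oidc.signature'))
-->replaceArgument(0, ['RS256']),
-'index_1' => (new ChildDefinition('security.access_token_handler.oidc.jwkset'))
-->replaceArgument(0, \sprintf('{"keys":[%s]}', $jwk)),
-'index_2' => 'audience',
-'index_3' => ['https://www.example.com'],
-'index_4' => 'sub',
-];
-$this->assertEquals($expected, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
-}
-
 public function testOidcTokenHandlerConfigurationWithMultipleAlgorithms()
 {
 $container = new ContainerBuilder();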
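Review bot: The first hunk repurposes testInvalidOidcTokenHandlerConfigurationKeyMissing to cover the missing-`keyset` case, but after the deletions nothing asserts that the removed `algorithm` and `key` options are now rejected, which is the behaviour this commit introduces. A config still carrying `'algorithm' => 'RS256'` should fail configuration processing (the Config component rejects unknown keys unless extra keys are explicitly ignored on that node, so presumably with an InvalidConfigurationException), and a small regression test pinning that would catch a later change that silently re-accepts the old keys. The exact "unrecognized option" message is not visible here, so the test below only asserts the exception type. The enclosing test method's signature sits in the hunk header, outside the hunk.
```php
public function testRemovedOidcTokenHandlerOptionsAreRejected()
{
    $config = [
        'token_handler' => [
            'oidc' => [
                'algorithm' => 'RS256',
                'issuers' => ['https://www.example.com'],
                'audience' => 'audience',
                'keyset' => 'keyset',
            ],
        ],
    ];

    $factory = new AccessTokenFactory($this->createTokenHandlerFactories());

    $this->expectException(InvalidConfigurationException::class);

    $this->processConfig($config, $factory);
}
```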

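--- a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AccessToken/config_oidc_jwe.yml
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AccessToken/config_oidc_jwe.yml
@@ -24,7 +24,7 @@ security:
 claim: 'username'
 audience: 'Symfony OIDC'
 issuers: [ 'https://www.example.com' ]
-algorithm: 'ES256'
+algorithms: ['ES256']
 # tip: use https://mkjwk.org/ to generate a JWK
 keyset: '{"keys":[{"kty":"EC","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo"}]}'
 encryption: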
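Review bot: The `keyset` line kept as context right below the changed `algorithms` line embeds a JWK that includes the private parameter `d`; a keyset used to verify token signatures needs only the public `kty`/`crv`/`x`/`y` members, and the tip comment directly above it invites copying this block into real configuration. Stripping `d` from the verification keyset in this fixture, if the functional test does not depend on it (the `encryption:` section that follows presumably carries its own key material), would keep the example from teaching operators to put private key material into a public keyset. This is a pre-existing line rather than part of the rename, so it may belong in a follow-up.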
