Skip to content

Commit 1386a8f

Browse files
javiereguiluzjaviereguiluz
committed
minor #20637 [Security] Add support for encrypted access tokens (JWE) in OIDC (Spomky)
This PR was merged into the 7.3 branch. Discussion ---------- [Security] Add support for encrypted access tokens (JWE) in OIDC Fixes #20577 This update introduces support for decrypting encrypted access tokens (JWE) in Symfony 7.3. It includes configuration options for enabling encryption, enforcing it, specifying decryption algorithms, and providing decryption keysets. The feature extends flexibility in handling secure tokens alongside existing signing mechanisms. **⚠ Warning**: I am not sure the XML and PHP examples are correct. Commits ------- 8b403f7 Add support for encrypted access tokens (JWE) in OIDC
2 parents 15728d3 + 8b403f7 commit 1386a8f

File tree

1 file changed

+24
-3
lines changed

1 file changed

+24
-3
lines changed

security/access_token.rst

Lines changed: 24 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -615,8 +615,8 @@ If you haven't installed it yet, run this command:
615615
616616
$ composer require web-token/jwt-library
617617
618-
Symfony provides a generic ``OidcTokenHandler`` to decode your token, validate
619-
it and retrieve the user info from it:
618+
Symfony provides a generic ``OidcTokenHandler`` that decodes the token, validates
619+
it, and retrieves the user information from it. Optionally, the token can be encrypted (JWE):
620620

621621
.. configuration-block::
622622

@@ -637,6 +637,11 @@ it and retrieve the user info from it:
637637
audience: 'api-example'
638638
# Issuers (`iss` claim): required for validation purpose
639639
issuers: ['https://oidc.example.com']
640+
encryption:
641+
enabled: true # Default to false
642+
enforce: false # Default to false, requires an encrypted token when true
643+
algorithms: ['ECDH-ES', 'A128GCM']
644+
keyset: '{"keys": [...]}' # Encryption private keyset
640645
641646
.. code-block:: xml
642647
@@ -662,6 +667,10 @@ it and retrieve the user info from it:
662667
<algorithm>ES256</algorithm>
663668
<algorithm>RS256</algorithm>
664669
<issuer>https://oidc.example.com</issuer>
670+
<encryption enabled="true" enforce="true" keyset="{'keys': [...]}">
671+
<algorithm>ECDH-ES</algorithm>
672+
<algorithm>A128GCM</algorithm>
673+
</encryption>
665674
</oidc>
666675
</token-handler>
667676
</access-token>
@@ -681,12 +690,20 @@ it and retrieve the user info from it:
681690
->oidc()
682691
// Algorithm used to sign the JWS
683692
->algorithms(['ES256', 'RS256'])
684-
// A JSON-encoded JWK
693+
// A JSON-encoded JWKSet (public keys)
685694
->keyset('{"keys":[{"kty":"...","k":"..."}]}')
686695
// Audience (`aud` claim): required for validation purpose
687696
->audience('api-example')
688697
// Issuers (`iss` claim): required for validation purpose
689698
->issuers(['https://oidc.example.com'])
699+
->encryption()
700+
->enabled(true) //Default to false
701+
->enforce(false) //Default to false, requires an encrypted token when true
702+
// Algorithm used to decrypt the JWE
703+
->algorithms(['ECDH-ES', 'A128GCM'])
704+
// A JSON-encoded JWKSet (private keys)
705+
->keyset('{"keys":[...]}')
706+
690707
;
691708
};
692709
@@ -695,6 +712,10 @@ it and retrieve the user info from it:
695712
The support of multiple algorithms to sign the JWS was introduced in Symfony 7.1.
696713
In previous versions, only the ``ES256`` algorithm was supported.
697714

715+
.. versionadded:: 7.3
716+
717+
Support for encryption algorithms to decrypt JWEs was introduced in Symfony 7.3.
718+
698719
To enable `OpenID Connect Discovery`_, the ``OidcTokenHandler`` requires the
699720
``symfony/cache`` package to store the OIDC configuration in the cache. If you
700721
haven't installed it yet, run the following command:

0 commit comments

Comments
 (0)