[Security] Add OidcUserInfoTokenHandler and OidcUser

Author: vincentchalamon

AccessToken/Oidc/Exception/InvalidSignatureException.php

@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc\Exception;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+/**
+ * This exception is thrown when the token signature is invalid.
+ *
+ * @experimental
+ */
+class InvalidSignatureException extends AuthenticationException
+{
+    public function getMessageKey(): string
+    {
+        return 'Invalid token signature.';
+    }
+}

AccessToken/Oidc/Exception/MissingClaimException.php

@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc\Exception;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+/**
+ * This exception is thrown when the user is invalid on the OIDC server (e.g.: "email" property is not in the scope).
+ *
+ * @experimental
+ */
+class MissingClaimException extends AuthenticationException
+{
+    public function getMessageKey(): string
+    {
+        return 'Missing claim.';
+    }
+}

AccessToken/Oidc/OidcTokenHandler.php

@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc;
+
+use Jose\Component\Checker;
+use Jose\Component\Checker\ClaimCheckerManager;
+use Jose\Component\Core\Algorithm;
+use Jose\Component\Core\AlgorithmManager;
+use Jose\Component\Core\JWK;
+use Jose\Component\Signature\JWSTokenSupport;
+use Jose\Component\Signature\JWSVerifier;
+use Jose\Component\Signature\Serializer\CompactSerializer;
+use Jose\Component\Signature\Serializer\JWSSerializerManager;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Clock\NativeClock;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidSignatureException;
+use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+/**
+ * The token handler decodes and validates the token, and retrieves the user identifier from it.
+ *
+ * @experimental
+ */
+final class OidcTokenHandler implements AccessTokenHandlerInterface
+{
+    use OidcTrait;
+
+    public function __construct(
+        private Algorithm $signatureAlgorithm,
+        private JWK $jwk,
+        private ?LoggerInterface $logger = null,
+        private string $claim = 'sub',
+        private ?string $audience = null
+    ) {
+    }
+
+    public function getUserBadgeFrom(string $accessToken): UserBadge
+    {
+        if (!class_exists(JWSVerifier::class) || !class_exists(Checker\HeaderCheckerManager::class)) {
+            throw new \LogicException('You cannot use the "oidc" token handler since "web-token/jwt-signature" and "web-token/jwt-checker" are not installed. Try running "composer require web-token/jwt-signature web-token/jwt-checker".');
+        }
+
+        try {
+            // Decode the token
+            $jwsVerifier = new JWSVerifier(new AlgorithmManager([$this->signatureAlgorithm]));
+            $serializerManager = new JWSSerializerManager([new CompactSerializer()]);
+            $jws = $serializerManager->unserialize($accessToken);
+            $claims = json_decode($jws->getPayload(), true);
+
+            // Verify the signature
+            if (!$jwsVerifier->verifyWithKey($jws, $this->jwk, 0)) {
+                throw new InvalidSignatureException();
+            }
+
+            // Verify the headers
+            $headerCheckerManager = new Checker\HeaderCheckerManager([
+                new Checker\AlgorithmChecker([$this->signatureAlgorithm->name()]),
+            ], [
+                new JWSTokenSupport(),
+            ]);
+            // if this check fails, an InvalidHeaderException is thrown
+            $headerCheckerManager->check($jws, 0);
+
+            // Verify the claims
+            $clock = class_exists(NativeClock::class) ? new NativeClock() : null;
+            $checkers = [
+                new Checker\IssuedAtChecker(0, false, $clock),
+                new Checker\NotBeforeChecker(0, false, $clock),
+                new Checker\ExpirationTimeChecker(0, false, $clock),
+            ];
+            if ($this->audience) {
+                $checkers[] = new Checker\AudienceChecker($this->audience);
+            }
+            $claimCheckerManager = new ClaimCheckerManager($checkers);
+            // if this check fails, an InvalidClaimException is thrown
+            $claimCheckerManager->check($claims);
+
+            if (empty($claims[$this->claim])) {
+                throw new MissingClaimException(sprintf('"%s" claim not found.', $this->claim));
+            }
+
+            // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
+            return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
+        } catch (\Throwable $e) {
+            $this->logger?->error('An error while decoding and validating the token.', [
+                'error' => $e->getMessage(),
+                'trace' => $e->getTraceAsString(),
+            ]);
+
+            throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+        }
+    }
+}

AccessToken/Oidc/OidcTrait.php

@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc;
+
+use Symfony\Component\Security\Core\User\OidcUser;
+
+use function Symfony\Component\String\u;
+
+/**
+ * Creates {@see OidcUser} from claims.
+ *
+ * @internal
+ */
+trait OidcTrait
+{
+    private function createUser(array $claims): OidcUser
+    {
+        if (!\function_exists(\Symfony\Component\String\u::class)) {
+            throw new \LogicException('You cannot use the "OidcUserInfoTokenHandler" since the String component is not installed. Try running "composer require symfony/string".');
+        }
+
+        foreach ($claims as $claim => $value) {
+            unset($claims[$claim]);
+            if ('' === $value || null === $value) {
+                continue;
+            }
+            $claims[u($claim)->camel()->toString()] = $value;
+        }
+
+        if (isset($claims['updatedAt']) && '' !== $claims['updatedAt']) {
+            $claims['updatedAt'] = (new \DateTimeImmutable())->setTimestamp($claims['updatedAt']);
+        }
+
+        if (\array_key_exists('emailVerified', $claims) && null !== $claims['emailVerified'] && '' !== $claims['emailVerified']) {
+            $claims['emailVerified'] = (bool) $claims['emailVerified'];
+        }
+
+        if (\array_key_exists('phoneNumberVerified', $claims) && null !== $claims['phoneNumberVerified'] && '' !== $claims['phoneNumberVerified']) {
+            $claims['phoneNumberVerified'] = (bool) $claims['phoneNumberVerified'];
+        }
+
+        return new OidcUser(...$claims);
+    }
+}

AccessToken/Oidc/OidcUserInfoTokenHandler.php

@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\AccessToken\Oidc;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Contracts\HttpClient\HttpClientInterface;
+
+/**
+ * The token handler validates the token on the OIDC server and retrieves the user identifier.
+ *
+ * @experimental
+ */
+final class OidcUserInfoTokenHandler implements AccessTokenHandlerInterface
+{
+    use OidcTrait;
+
+    public function __construct(
+        private HttpClientInterface $client,
+        private ?LoggerInterface $logger = null,
+        private string $claim = 'sub'
+    ) {
+    }
+
+    public function getUserBadgeFrom(string $accessToken): UserBadge
+    {
+        try {
+            // Call the OIDC server to retrieve the user info
+            // If the token is invalid or expired, the OIDC server will return an error
+            $claims = $this->client->request('GET', '', [
+                'auth_bearer' => $accessToken,
+            ])->toArray();
+
+            if (empty($claims[$this->claim])) {
+                throw new MissingClaimException(sprintf('"%s" claim not found on OIDC server response.', $this->claim));
+            }
+
+            // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
+            return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
+        } catch (\Throwable $e) {
+            $this->logger?->error('An error occurred on OIDC server.', [
+                'error' => $e->getMessage(),
+                'trace' => $e->getTraceAsString(),
+            ]);
+
+            throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+        }
+    }
+}

Authenticator/AccessTokenAuthenticator.php

@@ -59,7 +59,7 @@ public function authenticate(Request $request): Passport
         }
 
         $userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);
-        if (null === $userBadge->getUserLoader() && $this->userProvider) {
+        if ($this->userProvider) {
             $userBadge->setUserLoader($this->userProvider->loadUserByIdentifier(...));
         }
 

Authenticator/Passport/Badge/UserBadge.php

@@ -34,6 +34,7 @@ class UserBadge implements BadgeInterface
     /** @var callable|null */
     private $userLoader;
     private UserInterface $user;
+    private ?array $attributes;
 
     /**
      * Initializes the user badge.
@@ -48,21 +49,27 @@ class UserBadge implements BadgeInterface
      * is thrown). If this is not set, the default user provider will be used with
      * $userIdentifier as username.
      */
-    public function __construct(string $userIdentifier, callable $userLoader = null)
+    public function __construct(string $userIdentifier, callable $userLoader = null, array $attributes = null)
     {
         if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Username too long.');
         }
 
         $this->userIdentifier = $userIdentifier;
         $this->userLoader = $userLoader;
+        $this->attributes = $attributes;
     }
 
     public function getUserIdentifier(): string
     {
         return $this->userIdentifier;
     }
 
+    public function getAttributes(): ?array
+    {
+        return $this->attributes;
+    }
+
     /**
      * @throws AuthenticationException when the user cannot be found
      */
@@ -76,7 +83,11 @@ public function getUser(): UserInterface
             throw new \LogicException(sprintf('No user loader is configured, did you forget to register the "%s" listener?', UserProviderListener::class));
         }
 
-        $user = ($this->userLoader)($this->userIdentifier);
+        if (null === $this->getAttributes()) {
+            $user = ($this->userLoader)($this->userIdentifier);
+        } else {
+            $user = ($this->userLoader)($this->userIdentifier, $this->getAttributes());
+        }
 
         // No user has been found via the $this->userLoader callback
         if (null === $user) {

Authenticator/Passport/Passport.php

@@ -66,11 +66,23 @@ public function getUser(): UserInterface
      * This method replaces the current badge if it is already set on this
      * passport.
      *
+     * @param string|null $badgeFqcn A FQCN to which the badge should be mapped to. 
+     *                                                        This allows replacing a built-in badge by a custom one using
+     *.                                                        e.g. addBadge(new MyCustomUserBadge(), UserBadge::class)
+     *
      * @return $this
      */
-    public function addBadge(BadgeInterface $badge): static
+    public function addBadge(BadgeInterface $badge/* , string $badgeFqcn = null */): static
     {
-        $this->badges[$badge::class] = $badge;
+        $badgeFqcn = $badge::class;
+        if (2 === \func_num_args()) {
+            $badgeFqcn = func_get_arg(1);
+            if (!\is_string($badgeFqcn)) {
+                throw new \LogicException(sprintf('Second argument of "%s" must be a string.', __METHOD__));
+            }
+        }
+
+        $this->badges[$badgeFqcn] = $badge;
 
         return $this;
     }

CHANGELOG.md

@@ -7,6 +7,10 @@ CHANGELOG
  * Add `RememberMeBadge` to `JsonLoginAuthenticator` and enable reading parameter in JSON request body
  * Add argument `$exceptionCode` to `#[IsGranted]`
  * Deprecate passing a secret as the 2nd argument to the constructor of `Symfony\Component\Security\Http\RememberMe\PersistentRememberMeHandler`
+ * Add `OidcUserInfoTokenHandler` and `OidcTokenHandler` with OIDC support for `AccessTokenAuthenticator`
+ * Add `attributes` optional array argument in `UserBadge`
+ * Call `UserBadge::userLoader` with attributes if the argument is set
+ * Allow to override badge fqcn on `Passport::addBadge`
 
 6.2
 ---