Merge branch '7.4' into 8.0

* 7.4:
  [Console] ensure `SHELL_VERBOSITY` is always restored properly
  [Console] Add support for `Cursor` helper in invokable commands
  [MonologBridge] Improve error when HttpClient contract is installed but not the component
  simplify LogoutListenerTest
  forbid HTTP method override of GET, HEAD, CONNECT and TRACE
  [HttpClient] Add option `auto_upgrade_http_version` to control how the request HTTP version is handled in `HttplugClient` and `Psr18Client`
  [Security] Allow multiple OIDC discovery endpoints
  [AssetMapper] Fix links to propshaft
  Document BC break in AbstractController::render

Author: xabbuh

AccessToken/Oidc/OidcTokenHandler.php

@@ -46,9 +46,12 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     private bool $enforceEncryption = false;
 
     private ?CacheInterface $discoveryCache = null;
-    private ?HttpClientInterface $discoveryClient = null;
     private ?string $oidcConfigurationCacheKey = null;
-    private ?string $oidcJWKSetCacheKey = null;
+
+    /**
+     * @var HttpClientInterface[]
+     */
+    private array $discoveryClients = [];
 
     public function __construct(
         private AlgorithmManager $signatureAlgorithm,
@@ -68,12 +71,18 @@ public function enableJweSupport(JWKSet $decryptionKeyset, AlgorithmManager $dec
         $this->enforceEncryption = $enforceEncryption;
     }
 
-    public function enableDiscovery(CacheInterface $cache, HttpClientInterface $client, string $oidcConfigurationCacheKey, string $oidcJWKSetCacheKey): void
+    /**
+     * @param HttpClientInterface|HttpClientInterface[] $client
+     */
+    public function enableDiscovery(CacheInterface $cache, array|HttpClientInterface $client, string $oidcConfigurationCacheKey, ?string $oidcJWKSetCacheKey = null): void
     {
+        if (null !== $oidcJWKSetCacheKey) {
+            trigger_deprecation('symfony/security-http', '7.4', 'Passing $oidcJWKSetCacheKey parameter to "%s()" is deprecated.', __METHOD__);
+        }
+
         $this->discoveryCache = $cache;
-        $this->discoveryClient = $client;
+        $this->discoveryClients = \is_array($client) ? $client : [$client];
         $this->oidcConfigurationCacheKey = $oidcConfigurationCacheKey;
-        $this->oidcJWKSetCacheKey = $oidcJWKSetCacheKey;
     }
 
     public function getUserBadgeFrom(string $accessToken): UserBadge
@@ -82,45 +91,51 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             throw new \LogicException('You cannot use the "oidc" token handler since "web-token/jwt-signature" and "web-token/jwt-checker" are not installed. Try running "composer require web-token/jwt-signature web-token/jwt-checker".');
         }
 
-        if (!$this->discoveryCache && !$this->signatureKeyset) {
+        if (!$this->discoveryClients && !$this->signatureKeyset) {
             throw new \LogicException('You cannot use the "oidc" token handler without JWKSet nor "discovery". Please configure JWKSet in the constructor, or call "enableDiscovery" method.');
         }
 
         $jwkset = $this->signatureKeyset;
-        if ($this->discoveryCache) {
-            try {
-                $oidcConfiguration = json_decode($this->discoveryCache->get($this->oidcConfigurationCacheKey, function (): string {
-                    $response = $this->discoveryClient->request('GET', '.well-known/openid-configuration');
-
-                    return $response->getContent();
-                }), true, 512, \JSON_THROW_ON_ERROR);
-            } catch (\Throwable $e) {
-                $this->logger?->error('An error occurred while requesting OIDC configuration.', [
-                    'error' => $e->getMessage(),
-                    'trace' => $e->getTraceAsString(),
-                ]);
-
-                throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
-            }
-
-            try {
-                $jwkset = JWKSet::createFromJson(
-                    $this->discoveryCache->get($this->oidcJWKSetCacheKey, function () use ($oidcConfiguration): string {
-                        $response = $this->discoveryClient->request('GET', $oidcConfiguration['jwks_uri']);
-                        // we only need signature key
-                        $keys = array_filter($response->toArray()['keys'], static fn (array $key) => 'sig' === $key['use']);
-
-                        return json_encode(['keys' => $keys]);
-                    })
-                );
-            } catch (\Throwable $e) {
-                $this->logger?->error('An error occurred while requesting OIDC certs.', [
-                    'error' => $e->getMessage(),
-                    'trace' => $e->getTraceAsString(),
-                ]);
-
-                throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
-            }
+        if ($this->discoveryClients) {
+            $clients = $this->discoveryClients;
+            $logger = $this->logger;
+            $keys = $this->discoveryCache->get($this->oidcConfigurationCacheKey, static function () use ($clients, $logger): array {
+                try {
+                    $configResponses = [];
+                    foreach ($clients as $client) {
+                        $configResponses[] = $client->request('GET', '.well-known/openid-configuration', [
+                            'user_data' => $client,
+                        ]);
+                    }
+
+                    $jwkSetResponses = [];
+                    foreach ($client->stream($configResponses) as $response => $chunk) {
+                        if ($chunk->isLast()) {
+                            $jwkSetResponses[] = $response->getInfo('user_data')->request('GET', $response->toArray()['jwks_uri']);
+                        }
+                    }
+
+                    $keys = [];
+                    foreach ($jwkSetResponses as $response) {
+                        foreach ($response->toArray()['keys'] as $key) {
+                            if ('sig' === $key['use']) {
+                                $keys[] = $key;
+                            }
+                        }
+                    }
+
+                    return $keys;
+                } catch (\Exception $e) {
+                    $logger?->error('An error occurred while requesting OIDC certs.', [
+                        'error' => $e->getMessage(),
+                        'trace' => $e->getTraceAsString(),
+                    ]);
+
+                    throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+                }
+            });
+
+            $jwkset = JWKSet::createFromKeyData(['keys' => $keys]);
         }
 
         try {

CHANGELOG.md

@@ -72,6 +72,7 @@ CHANGELOG
  * Allow subclassing `#[IsGranted]`
  * Add `$tokenSource` argument to `#[IsCsrfTokenValid]` to support reading tokens from the query string or headers
  * Deprecate `RememberMeDetails::getUserFqcn()`, the user FQCN will be removed from the remember-me cookie in 8.0
+ * Allow configuring multiple OIDC discovery base URIs
 
 7.3
 ---

Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

@@ -21,6 +21,9 @@
 use PHPUnit\Framework\Attributes\RequiresPhpExtension;
 use PHPUnit\Framework\TestCase;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\Cache\Adapter\ArrayAdapter;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\JsonMockResponse;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\OidcUser;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
@@ -44,15 +47,15 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
             'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
             'email' => 'foo@example.com',
         ];
-        $token = $this->buildJWS(json_encode($claims));
+        $token = self::buildJWS(json_encode($claims));
         $expectedUser = new OidcUser(...$claims, userIdentifier: $claims[$claim]);
 
         $loggerMock = $this->createMock(LoggerInterface::class);
         $loggerMock->expects($this->never())->method('error');
 
         $userBadge = (new OidcTokenHandler(
             new AlgorithmManager([new ES256()]),
-            $this->getJWKSet(),
+            self::getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             $claim,
@@ -86,7 +89,7 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
 
         (new OidcTokenHandler(
             new AlgorithmManager([new ES256()]),
-            $this->getJWKSet(),
+            self::getJWKSet(),
             self::AUDIENCE,
             ['https://www.example.com'],
             'sub',
@@ -176,6 +179,17 @@ private static function getJWK(): JWK
         ]);
     }
 
+    private static function getSecondJWK(): JWK
+    {
+        return new JWK([
+            'kty' => 'EC',
+            'd' => '0LCBSOYvrksazPnC0pzwY0P5MWEESUhEzbc2zJEnOsc',
+            'crv' => 'P-256',
+            'x' => 'N1aUu8Pd2WdClkpCQ4QCPnGjYe_bTmDgEaSoxy5LhTw',
+            'y' => 'Yr1v-tCNxE8QgAGlartrJAi343bI8VlAaNvgCOp8Azs',
+        ]);
+    }
+
     private static function getJWKSet(): JWKSet
     {
         return new JWKSet([
@@ -189,4 +203,112 @@ private static function getJWKSet(): JWKSet
             self::getJWK(),
         ]);
     }
+
+    public function testGetsUserIdentifierWithSingleDiscoveryEndpoint()
+    {
+        $time = time();
+        $claims = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => self::AUDIENCE,
+            'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
+            'email' => 'foo@example.com',
+        ];
+        $token = $this->buildJWS(json_encode($claims));
+
+        $httpClient = new MockHttpClient([
+            new JsonMockResponse(['jwks_uri' => 'https://www.example.com/.well-known/jwks.json']),
+            new JsonMockResponse(['keys' => [array_merge(self::getJWK()->all(), ['use' => 'sig'])]]),
+        ]);
+
+        $cache = new ArrayAdapter();
+        $handler = new OidcTokenHandler(
+            new AlgorithmManager([new ES256()]),
+            null,
+            self::AUDIENCE,
+            ['https://www.example.com']
+        );
+        $handler->enableDiscovery($cache, $httpClient, 'oidc_config');
+
+        $userBadge = $handler->getUserBadgeFrom($token);
+
+        $this->assertInstanceOf(UserBadge::class, $userBadge);
+        $this->assertSame('e21bf182-1538-406e-8ccb-e25a17aba39f', $userBadge->getUserIdentifier());
+    }
+
+    public function testGetsUserIdentifierWithMultipleDiscoveryEndpoints()
+    {
+        $time = time();
+
+        $httpClient1 = new MockHttpClient(function ($method, $url) {
+            if (str_contains($url, 'openid-configuration')) {
+                return new JsonMockResponse(['jwks_uri' => 'https://provider1.example.com/.well-known/jwks.json']);
+            }
+
+            return new JsonMockResponse(['keys' => [array_merge(self::getJWK()->all(), ['use' => 'sig'])]]);
+        });
+
+        $httpClient2 = new MockHttpClient(function ($method, $url) {
+            if (str_contains($url, 'openid-configuration')) {
+                return new JsonMockResponse(['jwks_uri' => 'https://provider2.example.com/.well-known/jwks.json']);
+            }
+
+            return new JsonMockResponse(['keys' => [array_merge(self::getSecondJWK()->all(), ['use' => 'sig'])]]);
+        });
+
+        $cache = new ArrayAdapter();
+
+        $handler = new OidcTokenHandler(
+            new AlgorithmManager([new ES256()]),
+            null,
+            self::AUDIENCE,
+            ['https://www.example.com']
+        );
+        $handler->enableDiscovery($cache, [$httpClient1, $httpClient2], 'oidc_config');
+
+        $claims1 = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => self::AUDIENCE,
+            'sub' => 'user-from-provider1',
+            'email' => 'user1@example.com',
+        ];
+        $token1 = self::buildJWSWithKey(json_encode($claims1), self::getJWK());
+        $userBadge1 = $handler->getUserBadgeFrom($token1);
+
+        $this->assertInstanceOf(UserBadge::class, $userBadge1);
+        $this->assertSame('user-from-provider1', $userBadge1->getUserIdentifier());
+
+        $claims2 = [
+            'iat' => $time,
+            'nbf' => $time,
+            'exp' => $time + 3600,
+            'iss' => 'https://www.example.com',
+            'aud' => self::AUDIENCE,
+            'sub' => 'user-from-provider2',
+            'email' => 'user2@example.com',
+        ];
+        $token2 = self::buildJWSWithKey(json_encode($claims2), self::getSecondJWK());
+        $userBadge2 = $handler->getUserBadgeFrom($token2);
+
+        $this->assertInstanceOf(UserBadge::class, $userBadge2);
+        $this->assertSame('user-from-provider2', $userBadge2->getUserIdentifier());
+
+        $this->assertTrue($cache->hasItem('oidc_config'));
+    }
+
+    private static function buildJWSWithKey(string $payload, JWK $jwk): string
+    {
+        return (new CompactSerializer())->serialize((new JWSBuilder(new AlgorithmManager([
+            new ES256(),
+        ])))->create()
+            ->withPayload($payload)
+            ->addSignature($jwk, ['alg' => 'ES256'])
+            ->build()
+        );
+    }
 }