[Security] Validate aud and iss claims on OidcTokenHandler

Author: vincentchalamon

DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php

@@ -28,8 +28,9 @@ class OidcTokenHandlerFactory implements TokenHandlerFactoryInterface
     public function create(ContainerBuilder $container, string $id, array|string $config): void
     {
         $tokenHandlerDefinition = $container->setDefinition($id, (new ChildDefinition('security.access_token_handler.oidc'))
+            ->replaceArgument(2, $config['audience'])
+            ->replaceArgument(3, $config['issuers'])
             ->replaceArgument(4, $config['claim'])
-            ->replaceArgument(5, $config['audience'])
         );
 
         if (!ContainerBuilder::willBeAvailable('web-token/jwt-core', Algorithm::class, ['symfony/security-bundle'])) {
@@ -39,11 +40,14 @@ public function create(ContainerBuilder $container, string $id, array|string $co
                 ->addError('You cannot use the "oidc" token handler since "web-token/jwt-core" is not installed. Try running "web-token/jwt-core".');
         }
 
+        // @see Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SignatureAlgorithmFactory
+        // for supported algorithms
         if (\in_array($config['algorithm'], ['ES256', 'ES384', 'ES512'], true)) {
             $tokenHandlerDefinition->replaceArgument(0, new Reference('security.access_token_handler.oidc.signature.'.$config['algorithm']));
         } else {
-            $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature')))
-                ->replaceArgument(0, $config['algorithm']);
+            $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))
+                ->replaceArgument(0, $config['algorithm'])
+            );
         }
 
         $tokenHandlerDefinition->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwk'))
@@ -68,7 +72,12 @@ public function addConfiguration(NodeBuilder $node): void
                     ->end()
                     ->scalarNode('audience')
                         ->info('Audience set in the token, for validation purpose.')
-                        ->defaultNull()
+                        ->isRequired()
+                    ->end()
+                    ->arrayNode('issuers')
+                        ->info('Issuers allowed to generate the token, for validation purpose.')
+                        ->isRequired()
+                        ->prototype('scalar')->end()
                     ->end()
                     ->scalarNode('algorithm')
                         ->info('Algorithm used to sign the token.')

Resources/config/schema/security-1.0.xsd

@@ -335,12 +335,22 @@
     </xsd:complexType>
 
     <xsd:complexType name="oidc">
+        <xsd:choice maxOccurs="unbounded">
+            <xsd:element name="issuers" type="oidc_issuers" minOccurs="0" maxOccurs="1" />
+            <xsd:element name="issuer" type="password_hasher" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:choice>
         <xsd:attribute name="claim" type="xsd:string" />
-        <xsd:attribute name="audience" type="xsd:string" />
+        <xsd:attribute name="audience" type="xsd:string" use="required" />
         <xsd:attribute name="algorithm" type="xsd:string" use="required" />
         <xsd:attribute name="key" type="xsd:string" use="required" />
     </xsd:complexType>
 
+    <xsd:complexType name="oidc_issuers">
+        <xsd:sequence>
+            <xsd:element name="issuer" type="xsd:string" minOccurs="1" maxOccurs="unbounded" />
+        </xsd:sequence>
+    </xsd:complexType>
+
     <xsd:complexType name="login_throttling">
         <xsd:attribute name="limiter" type="xsd:string" />
         <xsd:attribute name="max-attempts" type="xsd:integer" />

Resources/config/security_authenticator_access_token.php

@@ -69,10 +69,11 @@
             ->args([
                 abstract_arg('signature algorithm'),
                 abstract_arg('signature key'),
+                abstract_arg('audience'),
+                abstract_arg('issuers'),
+                'sub',
                 service('logger')->nullOnInvalid(),
                 service('clock'),
-                'sub',
-                null,
             ])
 
         ->set('security.access_token_handler.oidc.jwk', JWK::class)

Tests/Functional/AccessTokenTest.php

@@ -343,7 +343,7 @@ public function testOidcSuccess()
             'iat' => $time,
             'nbf' => $time,
             'exp' => $time + 3600,
-            'iss' => 'https://www.example.com/',
+            'iss' => 'https://www.example.com',
             'aud' => 'Symfony OIDC',
             'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
             'username' => 'dunglas',

Tests/Functional/app/AccessToken/config_oidc.yml

@@ -23,6 +23,7 @@ security:
                     oidc:
                         claim: 'username'
                         audience: 'Symfony OIDC'
+                        issuers: [ 'https://www.example.com' ]
                         algorithm: 'ES256'
                         # tip: use https://mkjwk.org/ to generate a JWK
                         key: '{"kty":"EC","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo"}'