WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -47,7 +47,6 @@ $config = [
      */
     // (optional) The private key passphrase.
     /** @deprecated  */
-//    ModuleConfig::OPTION_PKI_PRIVATE_KEY_PASSPHRASE => 'secret',
     // The certificate and private key filenames, with given defaults.
     /** @deprecated  */
     ModuleConfig::OPTION_PKI_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,

docs/6-oidc-upgrade.md

@@ -7,6 +7,9 @@ apply those relevant to your deployment.
 
 New features:
 
+- Instance can now be configured to support multiple protocol (Connect) and
+Federation signing algorithms and key pairs. This was introduced in order to
+support signature algorithm negotiation with the clients. 
 - Clients can now be configured with new properties:
   - ID Token Signing Algorithm (id_token_signed_response_alg)
 - Initial support for OpenID for Verifiable Credential Issuance
@@ -15,11 +18,16 @@ it in production.
 
 New configuration options:
 
-- Several new options are available in module config file regarding support for
-OpenID4VCI.
+- ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS - enables defining multiple
+protocol (Connect) related signing algorithms and key pairs.
+- ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS - enables defining
+multiple Federation related signing algorithms and key pairs.
+- Several new options regarding experimental support for OpenID4VCI.
 
 Major impact changes:
 
+- The following configuration options are removed:
+  - 
 - In v6 of the module, when defining custom scopes, there was a possibility to
 use standard claims with the 'are_multiple_claim_values_allowed' option.
 This would allow multiple values (array of values) for standard claims which

src/Controllers/EndSessionController.php

@@ -15,6 +15,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\SessionService;
 use SimpleSAML\Module\oidc\Stores\Session\LogoutTicketStoreBuilder;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\Session;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -60,9 +61,9 @@ public function __invoke(ServerRequestInterface $request): Response
         // If id_token_hint was provided, resolve session ID
         $idTokenHint = $logoutRequest->getIdTokenHint();
         if ($idTokenHint !== null) {
-            $sidClaim = empty($idTokenHint->claims()->get('sid')) ?
-            null :
-            (string)$idTokenHint->claims()->get('sid');
+            /** @psalm-suppress MixedAssignment */
+            $sidClaim = $idTokenHint->getPayloadClaim(ClaimsEnum::Sid->value);
+            $sidClaim = is_string($sidClaim) && $sidClaim !== '' ? $sidClaim : null;
         }
 
         $this->loggerService->debug(

src/Factories/RequestRulesManagerFactory.php

@@ -44,7 +44,9 @@
 use SimpleSAML\Module\oidc\Utils\JwksResolver;
 use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
+use SimpleSAML\OpenID\Core;
 use SimpleSAML\OpenID\Federation;
+use SimpleSAML\OpenID\Jwks;
 
 class RequestRulesManagerFactory
 {
@@ -57,14 +59,15 @@ public function __construct(
         private readonly ScopeRepository $scopeRepository,
         private readonly CodeChallengeVerifiersRepository $codeChallengeVerifiersRepository,
         private readonly ClaimTranslatorExtractor $claimTranslatorExtractor,
-        private readonly CryptKeyFactory $cryptKeyFactory,
         private readonly RequestParamsResolver $requestParamsResolver,
         private readonly ClientEntityFactory $clientEntityFactory,
         private readonly Federation $federation,
         private readonly Helpers $helpers,
         private readonly JwksResolver $jwksResolver,
         private readonly FederationParticipationValidator $federationParticipationValidator,
         private readonly SspBridge $sspBridge,
+        private readonly Jwks $jwks,
+        private readonly Core $core,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
     ) {
@@ -132,7 +135,8 @@ private function getDefaultRules(): array
                 $this->requestParamsResolver,
                 $this->helpers,
                 $this->moduleConfig,
-                $this->cryptKeyFactory,
+                $this->jwks,
+                $this->core,
             ),
             new PostLogoutRedirectUriRule($this->requestParamsResolver, $this->helpers, $this->clientRepository),
             new UiLocalesRule($this->requestParamsResolver, $this->helpers),

src/Server/AuthorizationServer.php

@@ -185,7 +185,7 @@ public function validateLogoutRequest(ServerRequestInterface $request): LogoutRe
             throw new BadRequest($reason);
         }
 
-        /** @var \Lcobucci\JWT\UnencryptedToken|null $idTokenHint */
+        /** @var \SimpleSAML\OpenID\Core\IdToken|null $idTokenHint */
         $idTokenHint = $resultBag->getOrFail(IdTokenHintRule::class)->getValue();
         /** @var string|null $postLogoutRedirectUri */
         $postLogoutRedirectUri = $resultBag->getOrFail(PostLogoutRedirectUriRule::class)->getValue();

src/Server/RequestRules/Rules/IdTokenHintRule.php

@@ -4,12 +4,7 @@
 
 namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules;
 
-use Lcobucci\JWT\Configuration;
-use Lcobucci\JWT\Signer\Key\InMemory;
-use Lcobucci\JWT\Validation\Constraint\IssuedBy;
-use Lcobucci\JWT\Validation\Constraint\SignedWith;
 use Psr\Http\Message\ServerRequestInterface;
-use SimpleSAML\Module\oidc\Factories\CryptKeyFactory;
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
@@ -20,15 +15,17 @@
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
-use Throwable;
+use SimpleSAML\OpenID\Core;
+use SimpleSAML\OpenID\Jwks;
 
 class IdTokenHintRule extends AbstractRule
 {
     public function __construct(
         RequestParamsResolver $requestParamsResolver,
         Helpers $helpers,
-        protected ModuleConfig $moduleConfig,
-        protected CryptKeyFactory $cryptKeyFactory,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Jwks $jwks,
+        protected readonly Core $core,
     ) {
         parent::__construct($requestParamsResolver, $helpers);
     }
@@ -58,16 +55,6 @@ public function checkRule(
             return new Result($this->getKey(), $idTokenHintParam);
         }
 
-        // TODO v7 mivanci Fix: unmockable services... inject instead.
-        $privateKey = $this->cryptKeyFactory->buildPrivateKey();
-        $publicKey = $this->cryptKeyFactory->buildPublicKey();
-        /** @psalm-suppress ArgumentTypeCoercion */
-        $jwtConfig = Configuration::forAsymmetricSigner(
-            $this->moduleConfig->getProtocolSigner(),
-            InMemory::plainText($privateKey->getKeyContents(), $privateKey->getPassPhrase() ?? ''),
-            InMemory::plainText($publicKey->getKeyContents()),
-        );
-
         if (empty($idTokenHintParam)) {
             throw OidcServerException::invalidRequest(
                 ParamsEnum::IdTokenHint->value,
@@ -78,23 +65,25 @@ public function checkRule(
             );
         }
 
-        try {
-            /** @var \Lcobucci\JWT\UnencryptedToken $idTokenHint */
-            $idTokenHint = $jwtConfig->parser()->parse($idTokenHintParam);
+        $jwks = $this->jwks->jwksDecoratorFactory()->fromJwkDecorators(
+            ...$this->moduleConfig->getProtocolSignatureKeyPairBag()->getAllPublicKeys(),
+        )->jsonSerialize();
+
+        $idTokenHint = $this->core->idTokenFactory()->fromToken($idTokenHintParam);
 
-            /** @psalm-suppress ArgumentTypeCoercion */
-            $jwtConfig->validator()->assert(
-                $idTokenHint,
-                new IssuedBy($this->moduleConfig->getIssuer()),
-                // Note: although logout spec does not mention it, validating signature seems like an important check
-                // to make. However, checking the signature in a key roll-over scenario will fail for ID tokens
-                // signed with previous key...
-                new SignedWith(
-                    $this->moduleConfig->getProtocolSigner(),
-                    InMemory::plainText($publicKey->getKeyContents()),
-                ),
+        if ($idTokenHint->getIssuer() !== $this->moduleConfig->getIssuer()) {
+            throw OidcServerException::invalidRequest(
+                ParamsEnum::IdTokenHint->value,
+                'Invalid ID Token Hint Issuer',
+                null,
+                null,
+                $state,
             );
-        } catch (Throwable $exception) {
+        }
+
+        try {
+            $idTokenHint->verifyWithKeySet($jwks);
+        } catch (\Throwable $exception) {
             throw OidcServerException::invalidRequest(
                 ParamsEnum::IdTokenHint->value,
                 $exception->getMessage(),
@@ -104,6 +93,7 @@ public function checkRule(
             );
         }
 
+
         return new Result($this->getKey(), $idTokenHint);
     }
 }

src/Server/RequestRules/Rules/PostLogoutRedirectUriRule.php

@@ -41,7 +41,7 @@ public function checkRule(
         /** @var string|null $state */
         $state = $currentResultBag->getOrFail(StateRule::class)->getValue();
 
-        /** @var \Lcobucci\JWT\UnencryptedToken|null $idTokenHint */
+        /** @var \SimpleSAML\OpenID\Core\IdToken|null $idTokenHint */
         $idTokenHint = $currentResultBag->getOrFail(IdTokenHintRule::class)->getValue();
 
         $postLogoutRedirectUri = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods(
@@ -61,19 +61,7 @@ public function checkRule(
             throw OidcServerException::invalidRequest('id_token_hint', $hint);
         }
 
-        $claims = $idTokenHint->claims()->all();
-
-        if (empty($claims['aud'])) {
-            throw OidcServerException::invalidRequest(
-                ParamsEnum::IdTokenHint->value,
-                'aud claim not present',
-                null,
-                null,
-                $state,
-            );
-        }
-        /** @var string[] $auds */
-        $auds = is_array($claims['aud']) ? $claims['aud'] : [$claims['aud']];
+        $auds = $idTokenHint->getAudience();
 
         $isPostLogoutRedirectUriRegistered = false;
         foreach ($auds as $aud) {

src/Server/RequestTypes/LogoutRequest.php

@@ -4,7 +4,7 @@
 
 namespace SimpleSAML\Module\oidc\Server\RequestTypes;
 
-use Lcobucci\JWT\UnencryptedToken;
+use SimpleSAML\OpenID\Core\IdToken;
 
 class LogoutRequest
 {
@@ -14,7 +14,7 @@ public function __construct(
          * current authenticated session with the Client. This is used as an indication of the identity of the
          * End-User that the RP is requesting be logged out by the OP.
          */
-        protected ?UnencryptedToken $idTokenHint = null,
+        protected ?IdToken $idTokenHint = null,
         /**
          * URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been
          * performed. The value MUST have been previously registered with the OP.An id_token_hint is also
@@ -35,12 +35,12 @@ public function __construct(
     ) {
     }
 
-    public function getIdTokenHint(): ?UnencryptedToken
+    public function getIdTokenHint(): ?IdToken
     {
         return $this->idTokenHint;
     }
 
-    public function setIdTokenHint(?UnencryptedToken $idTokenHint): LogoutRequest
+    public function setIdTokenHint(?IdToken $idTokenHint): LogoutRequest
     {
         $this->idTokenHint = $idTokenHint;
         return $this;

src/Services/Container.php

@@ -406,7 +406,13 @@ public function __construct()
             new AddClaimsToIdTokenRule($requestParamsResolver, $helpers),
             new RequiredNonceRule($requestParamsResolver, $helpers),
             new ResponseTypeRule($requestParamsResolver, $helpers),
-            new IdTokenHintRule($requestParamsResolver, $helpers, $moduleConfig, $cryptKeyFactory),
+            new IdTokenHintRule(
+                $requestParamsResolver,
+                $helpers,
+                $moduleConfig,
+                $jwks,
+                $core,
+            ),
             new PostLogoutRedirectUriRule($requestParamsResolver, $helpers, $clientRepository),
             new UiLocalesRule($requestParamsResolver, $helpers),
             new AcrValuesRule($requestParamsResolver, $helpers),

src/Services/LogoutTokenBuilder.php

@@ -52,7 +52,7 @@ public function forRelyingPartyAssociation(RelyingPartyAssociationInterface $rel
             ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
             ClaimsEnum::Iat->value => $currentTimestamp,
             ClaimsEnum::Exp->value => $this->core->helpers()->dateTime()->getUtc()->add(
-                $this->moduleConfig->getAccessTokenDuration(),
+                $this->moduleConfig->getAuthCodeDuration(),
             )->getTimestamp(),
             ClaimsEnum::Jti->value => $this->core->helpers()->random()->string(),
             ClaimsEnum::Aud->value => $relyingPartyAssociation->getClientId(),