Merge with master

Author: cicnavi

.github/workflows/documentation.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: [ubuntu-latest]
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Lint markdown files
         uses: nosborn/github-action-markdown-cli@v3

.github/workflows/sonar.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: SonarQube Scan
         uses: SonarSource/sonarqube-scan-action@v2
         env:
@@ -17,4 +17,4 @@ jobs:
         with:
           args: >
             -Dsonar.projectKey=${{ github.event.repository.name }}
-            -Dsonar.projectName=${{ github.event.repository.name }}
+            -Dsonar.projectName=${{ github.event.repository.name }}

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-versions: ["8.2", "8.3"]
+        php-versions: ["8.3", "8.4", "8.5"]
 
     steps:
       - name: Setup PHP, with composer and extensions
@@ -35,14 +35,14 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -55,7 +55,7 @@ jobs:
         run: composer install --no-progress --prefer-dist --optimize-autoloader
 
       - name: Decide whether to run code coverage or not
-        if: ${{ matrix.php-versions != '8.2' }}
+        if: ${{ matrix.php-versions != '8.5' }}
         run: |
           echo "NO_COVERAGE=--no-coverage" >> $GITHUB_ENV
 
@@ -70,13 +70,13 @@ jobs:
           ./vendor/bin/phpunit $NO_COVERAGE --no-configuration -c phpunit.integration.xml
 
       - name: Merge coverage data
-        if: ${{ matrix.php-versions == '8.2' }}
+        if: ${{ matrix.php-versions == '8.5' }}
         run: |
           ./vendor/bin/phpunit-merger log build/logs/partial_junit/ build/logs/junit.xml
           ./vendor/bin/phpunit-merger coverage build/logs/partial_clover/ build/logs/clover.xml
 
       - name: Save coverage data
-        if: ${{ matrix.php-versions == '8.2' }}
+        if: ${{ matrix.php-versions == '8.5' }}
         uses: actions/upload-artifact@v4
         with:
           name: build-data
@@ -89,22 +89,22 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.3"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -130,22 +130,22 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.3"
           extensions: mbstring, xml
           tools: composer:v2
           coverage: none
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -163,21 +163,21 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2 #https://github.com/shivammathur/setup-php
         with:
-          php-version: "8.2"
+          php-version: "8.5"
           tools: composer:v2
           extensions: mbstring, xml
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get composer cache directory
         id: composer-cache
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: $COMPOSER_CACHE
           key: "${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}"
@@ -211,12 +211,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ssp-version: ["v2.3.7", "v2.4.4"]
+        ssp-version: ["v2.5.0"]
     env:
       SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
-      VERSION: release-v5.1.35
+      VERSION: release-v5.1.39
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           path: main
       - name: Setup Python Dependencies

composer.json

@@ -17,7 +17,7 @@
         }
     ],
     "require": {
-        "php": "^8.2",
+        "php": "^8.3",
         "ext-curl": "*",
         "ext-json": "*",
         "ext-openssl": "*",
@@ -33,20 +33,18 @@
         "simplesamlphp/composer-module-installer": "^1.3",
         "simplesamlphp/openid": "~v0.1.1",
         "spomky-labs/base64url": "^2.0",
-        "symfony/expression-language": "^6.3",
-        "symfony/psr-http-message-bridge": "^7.1",
+        "symfony/expression-language": "^7.4",
+        "symfony/psr-http-message-bridge": "^7.4",
         "web-token/jwt-framework": "^3",
-        "symfony/cache": "^6.4",
+        "symfony/cache": "^7.4",
         "psr/simple-cache": "^3"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3",
-        "phpunit/phpunit": "^10",
-        "rector/rector": "^0.18.3",
-        "simplesamlphp/simplesamlphp": "2.3.*",
-        "simplesamlphp/simplesamlphp-test-framework": "^1.5",
-        "squizlabs/php_codesniffer": "^3",
-        "vimeo/psalm": "^5",
+        "rector/rector": "^1.2.10",
+        "simplesamlphp/simplesamlphp": "2.5.*",
+        "simplesamlphp/simplesamlphp-test-framework": "^1.9.3",
+        "vimeo/psalm": "^6.15.1",
         "testcontainers/testcontainers": "^0.2",
         "nimut/phpunit-merger": "^2.0"
     },
@@ -60,6 +58,7 @@
         "sort-packages": true,
         "allow-plugins": {
             "dealerdirect/phpcodesniffer-composer-installer": true,
+            "php-http/discovery": true,
             "phpstan/extension-installer": true,
             "simplesamlphp/composer-module-installer": true,
             "simplesamlphp/composer-xmlprovider-installer": true
@@ -83,7 +82,7 @@
     },
     "scripts": {
         "pre-commit": [
-            "vendor/bin/phpcbf",
+            "vendor/bin/phpcbf -pn",
             "vendor/bin/phpcs -p",
             "vendor/bin/psalm",
             "vendor/bin/phpunit"

docker/Dockerfile

@@ -1,4 +1,4 @@
-ARG SSP_VERSION="v2.4.4"
+ARG SSP_VERSION="v2.5.0"
 FROM cirrusid/simplesamlphp:${SSP_VERSION}
 #FROM cicnavi/simplesamlphp:${SSP_VERSION}
 

docs/1-oidc.md

@@ -53,16 +53,16 @@ OpenID4VCI is also implemented using the
 
 Minor versions listed show which SimpleSAMLphp versions were used during
 module development. SimpleSAMLphp follows semantic versioning for its
-API since v2.0. For example, v5.\* of the OIDC module should work with
-any v2.\* of SimpleSAMLphp. PHP version requirements may differ.
-
-| OIDC module | Tested SimpleSAMLphp |  PHP   | Note        |
-|:------------|:---------------------|:------:|-------------|
-| v6.\*       | v2.3.\*, v2.4.\*     | \>=8.2 | Recommended |
-| v5.\*       | v2.1.\*              | \>=8.1 |             |
-| v4.\*       | v2.0.\*              | \>=8.0 |             |
-| v3.\*       | v2.0.\*              | \>=7.4 |             |
-| v2.\*       | v1.19.\*             | \>=7.4 |             |
+API since v2.0. PHP version requirements may differ.
+
+| OIDC module | Tested SimpleSAMLphp |  PHP   |
+|:------------|:---------------------|:------:|
+| v6.4.\*     | v2.5.\*              | \>=8.3 |
+| v6.3.\*     | v2.3.\*, v2.4.\*     | \>=8.2 |
+| v5.\*       | v2.1.\*              | \>=8.1 |
+| v4.\*       | v2.0.\*              | \>=8.0 |
+| v3.\*       | v2.0.\*              | \>=7.4 |
+| v2.\*       | v1.19.\*             | \>=7.4 |
 
 Upgrading? See the [upgrade guide](6-oidc-upgrade.md).
 

docs/5-oidc-conformance.md

@@ -17,7 +17,7 @@ Clone, build, and run the conformance test suite:
 ```bash
 git clone https://gitlab.com/openid/conformance-suite.git
 cd conformance-suite
-git checkout release-v5.1.35
+git checkout release-v5.1.39
 MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder
 docker-compose up
 ```

docs/6-oidc-upgrade.md

@@ -3,9 +3,9 @@
 This is an upgrade guide from versions 1 → 7. Review the changes and
 apply those relevant to your deployment.
 
-In general, when upgrading any of the SimpleSAMLphp modules or the 
+In general, when upgrading any of the SimpleSAMLphp modules or the
 SimpleSAMLphp instance itself, you should clear the SimpleSAMLphp
-cache after the upgrade. In newer versions of SimpleSAMLphp, the 
+cache after the upgrade. In newer versions of SimpleSAMLphp, the
 following command is available to do that:
 
 ```shell
@@ -21,7 +21,7 @@ New features:
 
 - Instance can now be configured to support multiple algorithms and signature
 keys for protocol (Connect), Federation, and VCI purposes. This was introduced
-to support signature algorithm negotiation with the clients. 
+to support signature algorithm negotiation with the clients.
 - Clients can now be configured with new properties:
   - ID Token Signing Algorithm (`id_token_signed_response_alg`)
 - Optional OAuth2 Token Introspection endpoint, as per RFC7662. Check the API
@@ -33,9 +33,9 @@ it in production.
 New configuration options:
 
 - `ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS` - (required) enables
-defining multiple protocol (Connect) related signing algorithms and key pairs. 
+defining multiple protocol (Connect) related signing algorithms and key pairs.
 - `ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS` - (required if
-federation capabilities are enabled) enables defining multiple key pairs for 
+federation capabilities are enabled) enables defining multiple key pairs for
 Federation purposes like signing Entity Statements, publishing new key for
 key roll-ower scenarios, etc.
 - `ModuleConfig::OPTION_VCI_SIGNATURE_KEY_PAIRS` - (required if VCI
@@ -51,7 +51,7 @@ optional, enables the OAuth2 token introspection endpoint as per RFC7662.
 
 Major impact changes:
 
-- The following configuration options related to the protocol (Connect) 
+- The following configuration options related to the protocol (Connect)
 signature algorithm and key pair are removed:
   - `ModuleConfig::OPTION_PKI_PRIVATE_KEY_PASSPHRASE`
   - `ModuleConfig::OPTION_PKI_PRIVATE_KEY_FILENAME`
@@ -73,11 +73,11 @@ and key pair are removed:
   - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_PASSPHRASE`
   - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_FILENAME`
   - `ModuleConfig::OPTION_PKI_FEDERATION_NEW_CERTIFICATE_FILENAME`
-  
+
   Instead of those options, now you must use option
   `ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS` in which you can define
   all the supported signature keys for Federation purposes.
-- Config option `ModuleConfig::OPTION_HOMEPAGE_URI` is removed. Use 
+- Config option `ModuleConfig::OPTION_HOMEPAGE_URI` is removed. Use
 `ModuleConfig::OPTION_ORGANIZATION_URI` instead.
 - New algorithm for generating Key ID claim value (`kid`) for signature keys
 is used. Previously, key ID was based on public key file hash. In v7, key ID
@@ -87,7 +87,7 @@ current signature keys, you will probably want to keep the old `kid` values,
 so that the clients know the keys did not change. You can set the old
 `kid` value manually for signature keys in
 `ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS` and
-`ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS`. Once you do a key 
+`ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS`. Once you do a key
 roll-over, you can omit setting the `kid` manually, so you start using the
 automatically generated thumbprint.
 - In v6 of the module, when defining custom scopes, there was a possibility to
@@ -97,7 +97,7 @@ have a single value by specification. All [standard claims](https://openid.net/s
 are now hardcoded to have a single value, even when the
 'are_multiple_claim_values_allowed' option is enabled.
 - OpenID Federation specific endpoints for subordinate listing and fetching
-statements about subordinates are removed, as the final specification 
+statements about subordinates are removed, as the final specification
 explicitly states that leaf entities must not have those endpoints.
 This effectively means that this OP implementation can only be a leaf entity
 in the federation context, and not a federation operator or intermediary entity.
@@ -113,6 +113,12 @@ needed since the OP implementation can only be a leaf entity
 - Admin menu item "OIDC" has been renamed to "OIDC OP" to better reflect
 the main purpose of the module.
 
+## Version 6.3 to 6.4
+
+This is a minor release in order to enable installation of the module with
+SimpleSAMLphp v2.5.*, which now requires at least PHP v8.3 and bumps a bunch
+of dependent Symfony packages to v7.4.
+
 ## Version 5 to 6
 
 New features:

psalm.xml

@@ -23,25 +23,33 @@
   </projectFiles>
 
   <issueHandlers>
-    <!-- Ignore UnresolvableInclude on CLI-scripts -->
-    <UnresolvableInclude>
-        <errorLevel type="suppress">
-          <file name="tests/bootstrap.php" />
-        </errorLevel>
-    </UnresolvableInclude>
+    <!-- Ignore InvalidClassConstantType -->
     <InvalidClassConstantType>
       <errorLevel type="suppress">
         <file name="src/Forms/Controls/CsrfProtection.php" />
       </errorLevel>
     </InvalidClassConstantType>
 
+    <!-- Ignore PossiblyFalseArgument -->
+    <PossiblyFalseArgument>
+      <errorLevel type="suppress">
+        <file name="src/Server/Validators/BearerTokenValidator.php" />
+      </errorLevel>
+    </PossiblyFalseArgument>
+
     <!-- Ignore errors related to unused classes, methods... -->
     <UnusedClass errorLevel="suppress" />
     <PossiblyUnusedMethod errorLevel="suppress" />
     <PossiblyUnusedReturnValue errorLevel="suppress" />
 
     <!-- Ignore RiskyTruthyFalsyComparison -->
     <RiskyTruthyFalsyComparison errorLevel="suppress" />
+
+    <!-- Ignore ClassMustBeFinal -->
+    <ClassMustBeFinal errorLevel="suppress" />
+
+    <!-- Ignore MissingOverrideAttribute -->
+    <MissingOverrideAttribute errorLevel="suppress" />
   </issueHandlers>
 </psalm>