Get rid of old JWKS service

Author: cicnavi

config/module_oidc.php.dist

@@ -46,13 +46,17 @@ $config = [
      * sign ID Token JWT.
      */
     // (optional) The private key passphrase.
+    /** @deprecated  */
 //    ModuleConfig::OPTION_PKI_PRIVATE_KEY_PASSPHRASE => 'secret',
     // The certificate and private key filenames, with given defaults.
+    /** @deprecated  */
     ModuleConfig::OPTION_PKI_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,
     ModuleConfig::OPTION_PKI_CERTIFICATE_FILENAME => ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME,
 
+
     // Token signer, with given default.
     // See Lcobucci\JWT\Signer algorithms in https://github.com/lcobucci/jwt/tree/master/src/Signer
+    /** @deprecated  */
     ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
 //    ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Hmac\Sha256::class,
 //    ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Ecdsa\Sha256::class,
@@ -65,6 +69,7 @@ $config = [
      * PKI options.
      */
 //    // (optional) The (new) private key passphrase.
+    /** @deprecated  */
 //    ModuleConfig::OPTION_PKI_NEW_PRIVATE_KEY_PASSPHRASE => 'new-secret',
 //    ModuleConfig::OPTION_PKI_NEW_PRIVATE_KEY_FILENAME => 'new_oidc_module.key',
 //    ModuleConfig::OPTION_PKI_NEW_CERTIFICATE_FILENAME => 'new_oidc_module.crt',
@@ -83,7 +88,7 @@ $config = [
      * to set other default (first) algorithm as needed.
      * You can also use this config option to advertise any (new) keys, for
      * example, for key-rollover scenarios. Just add those entries later in
-     * the list, so they can be published on the OP discovery endpoint.
+     * the list, so they can be published on the OP JWKS discovery endpoint.
      *
      * The format is array of associative arrays, where each array value
      * consists of the following properties (keys):
@@ -516,6 +521,7 @@ $config = [
     // The federation private key passphrase (optional).
 //    ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_PASSPHRASE => 'secret',
     // The federation certificate and private key filenames, with given defaults.
+    /** @deprecated  */
     ModuleConfig::OPTION_PKI_FEDERATION_PRIVATE_KEY_FILENAME =>
         ModuleConfig::DEFAULT_PKI_FEDERATION_PRIVATE_KEY_FILENAME,
     ModuleConfig::OPTION_PKI_FEDERATION_CERTIFICATE_FILENAME =>
@@ -526,11 +532,38 @@ $config = [
      * on how this works.
      */
     // The federation (new) private key passphrase (optional).
+    /** @deprecated  */
 //    ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_PASSPHRASE => 'new-secret',
 //    ModuleConfig::OPTION_PKI_FEDERATION_NEW_PRIVATE_KEY_FILENAME => 'new_oidc_module_federation.key',
 //    ModuleConfig::OPTION_PKI_FEDERATION_NEW_CERTIFICATE_FILENAME => 'new_oidc_module_federation.crt',
 
+    /**
+     * Federation signature algorithm and key-pair definitions, representing
+     * supported algorithms for signing, for example, Entity Statements.
+     * The first algorithm in the list will be used for signing (the
+     * first entry represents default algorithm and signing key).
+     * You can also use this config option to advertise any (new) keys, for
+     * example, for key-rollover scenarios. Just add those entries later in
+     * the list, so they can be published in Federation JWKS.
+     *
+     * Note that these keys SHOULD NOT be the same as the ones used in the
+     * protocol (Connect) itself.
+     *
+     * The format is the same as for the protocol (Connect) signature key pairs
+     * (option ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS)
+     */
+    ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS => [
+        [
+            ModuleConfig::KEY_ALGORITHM => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::ES256,
+            ModuleConfig::KEY_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_FEDERATION_PRIVATE_KEY_FILENAME,
+            ModuleConfig::KEY_PUBLIC_KEY_FILENAME => ModuleConfig::OPTION_PKI_FEDERATION_CERTIFICATE_FILENAME,
+//            ModuleConfig::KEY_PRIVATE_KEY_PASSWORD => 'private-key-password', // Optional
+//            ModuleConfig::KEY_KEY_ID => 'ec-connect-signing-key-01', // Optional
+        ],
+    ],
+
     // Federation token signer, with given default.
+    /** @deprecated  */
     ModuleConfig::OPTION_FEDERATION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
 
     // Federation entity statement duration which determines the Expiration Time (exp) claim set in entity

docker/ssp/module_oidc.php

@@ -23,6 +23,16 @@
 
     ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
 
+    ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS => [
+        [
+            ModuleConfig::KEY_ALGORITHM => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::RS256,
+            ModuleConfig::KEY_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,
+            ModuleConfig::KEY_PUBLIC_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME,
+//            ModuleConfig::KEY_PRIVATE_KEY_PASSWORD => 'private-key-password', // Optional
+//            ModuleConfig::KEY_KEY_ID => 'rsa-connect-signing-key-2026', // Optional
+        ],
+    ],
+
     ModuleConfig::OPTION_AUTH_SOURCE => 'example-userpass',
 
     ModuleConfig::OPTION_AUTH_USER_IDENTIFIER_ATTRIBUTE => 'uid',

src/Controllers/Federation/EntityStatementController.php

@@ -8,7 +8,6 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Services\JsonWebKeySetService;
 use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
@@ -25,6 +24,7 @@
 use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Federation;
 use SimpleSAML\OpenID\Jwk;
+use SimpleSAML\OpenID\Jwks;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -37,17 +37,17 @@ class EntityStatementController
      * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException
      */
     public function __construct(
-        private readonly ModuleConfig $moduleConfig,
-        private readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
-        private readonly JsonWebKeySetService $jsonWebKeySetService,
-        private readonly OpMetadataService $opMetadataService,
-        private readonly ClientRepository $clientRepository,
-        private readonly Helpers $helpers,
-        private readonly Routes $routes,
-        private readonly Federation $federation,
-        private readonly Jwk $jwk,
-        private readonly LoggerService $loggerService,
-        private readonly ?FederationCache $federationCache,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
+        protected readonly Jwks $jwks,
+        protected readonly OpMetadataService $opMetadataService,
+        protected readonly ClientRepository $clientRepository,
+        protected readonly Helpers $helpers,
+        protected readonly Routes $routes,
+        protected readonly Federation $federation,
+        protected readonly Jwk $jwk,
+        protected readonly LoggerService $loggerService,
+        protected readonly ?FederationCache $federationCache,
     ) {
         if (!$this->moduleConfig->getFederationEnabled()) {
             throw OidcServerException::forbidden('federation capabilities not enabled');
@@ -82,6 +82,10 @@ public function configuration(): Response
             ),
         ];
 
+        $jwks = $this->jwks->jwksDecoratorFactory()->fromJwkDecorators(
+            ...$this->moduleConfig->getFederationSignatureKeyPairBag()->getAllPublicKeys(),
+        )->jsonSerialize();
+
         $payload = [
             ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
             ClaimsEnum::Iat->value => $currentTimestamp,
@@ -91,7 +95,7 @@ public function configuration(): Response
             ClaimsEnum::Exp->value => $this->helpers->dateTime()->getUtc()->add(
                 $this->moduleConfig->getFederationEntityStatementDuration(),
             )->getTimestamp(),
-            ClaimsEnum::Jwks->value => ['keys' => array_values($this->jsonWebKeySetService->federationKeys()),],
+            ClaimsEnum::Jwks->value => $jwks,
             ClaimsEnum::Metadata->value => [
                 EntityTypesEnum::FederationEntity->value => [
                     // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters

src/Controllers/JwksController.php

@@ -18,22 +18,29 @@
 
 use Laminas\Diactoros\Response\JsonResponse;
 use SimpleSAML\Module\oidc\Bridges\PsrHttpBridge;
-use SimpleSAML\Module\oidc\Services\JsonWebKeySetService;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Jwks;
 use Symfony\Component\HttpFoundation\Response;
 
 class JwksController
 {
     public function __construct(
-        private readonly JsonWebKeySetService $jsonWebKeySetService,
-        private readonly PsrHttpBridge $psrHttpBridge,
+        protected readonly PsrHttpBridge $psrHttpBridge,
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Jwks $jwks,
     ) {
     }
 
+    /**
+     * @throws \SimpleSAML\Error\ConfigurationError
+     */
     public function __invoke(): JsonResponse
     {
-        return new JsonResponse([
-            'keys' => array_values($this->jsonWebKeySetService->protocolKeys()),
-        ]);
+        return new JsonResponse(
+            $this->jwks->jwksDecoratorFactory()->fromJwkDecorators(
+                ...$this->moduleConfig->getProtocolSignatureKeyPairBag()->getAllPublicKeys(),
+            )->jsonSerialize(),
+        );
     }
 
     public function jwks(): Response