Identity Crisis: OAuth2, OIDC & Symfony

Transcript

1. IDENTITY CRISIS OAuth 2, OIDC & Symfony

2. T H E P O W E R O F

   M A N Y

3. Next Kraftwerke GmbH Speaker Denis Brumann @dbrumann Solutions Architect

4. None
5. None
6. None
7. None

8. Having a support for Bearer tokens containing a JWT (similarly

   to the HTTP Basic support we already have) will be useful in a lot of contexts, even when not using OIDC. Keep in mind that JWT is only one way to implement bearer tokens. Adding this feature is fine as long as we remain open to different implementations.
9. None

10. JWT creation and verification implies to rely on a third

    party library such as lcobucci/jwt (which is the default one in the lexik bundle), as suggested by this issue. Fact is that depending on lcobucci/jwt is a non trivial task.
11. None

12. Access Token Handler

13. class User implements UserInterface, PasswordAuthenticatedUserInterface { !"ORM\Id] !"ORM\GeneratedValue] !"ORM\Column(type: 'integer')]

    private int $id; !"ORM\Column(type: 'string', length: 180, unique: true)] private ?string $email; !"ORM\Column(type: 'json')] private array $roles = []; !"ORM\Column(type: 'string')] private string $password; !"ORM\Column(type: 'string', unique: true)] private string $apiToken;

14. security: password_hashers: Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' providers: users_in_memory: { memory: null }

    firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: lazy: true provider: users_in_memory stateless:true access_token: token_handler: App\Security\AccessTokenHandler

15. namespace App\Security; use …; class ApiKeyAuthenticator extends AbstractAuthenticator { public

    function supports(Request $request): ?bool { return $request->headers->has('X-AUTH-TOKEN'); } public function authenticate(Request $request): Passport { $apiToken = $request->headers->get('X-AUTH-TOKEN'); if (null === $apiToken) { // The token header was empty, authentication fails with HTTP Status // Code 401 "Unauthorized" throw new CustomUserMessageAuthenticationException('No API token provided'); } // implement your own logic to get the user identifier from `$apiToken` // e.g. by looking up a user in the database using its API key $userIdentifier = /** ... */; return new SelfValidatingPassport(new UserBadge($userIdentifier)); } public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response { // on success, let the request continue return null; } public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response { $data = [ // you may want to customize or obfuscate the message first 'message' => strtr($exception->getMessageKey(), $exception->getMessageData()) // or to translate this message // $this->translator->trans($exception->getMessageKey(), $exception->getMessageData()) ]; return new JsonResponse($data, Response::HTTP_UNAUTHORIZED); } }

16. namespace App\Security; use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface; use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; class AccessTokenHandler implements AccessTokenHandlerInterface

    { public function getUserBadgeFrom( !"\SensitiveParameter] string $accessToken ): UserBadge { $user = $this!#userRepository!#findOneByApiToken($accessToken); if (null !!$ $user) { throw new BadCredentialsException('Invalid credentials.'); } !" and return a UserBadge object containing the user identifier from the found token return new UserBadge($user!#getUserIdentifier()); } }

17. namespace App\Security; use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface; use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; class AccessTokenHandler implements AccessTokenHandlerInterface

    { public function getUserBadgeFrom( !"\SensitiveParameter] string $accessToken ): UserBadge { $user = $this!#userRepository!#findOneByApiToken($accessToken); if (null !!$ $user) { throw new BadCredentialsException('Invalid credentials.'); } !" and return a UserBadge object containing the user identifier from the found token return new UserBadge($user!#getUserIdentifier()); } }

18. namespace App\Security; use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface; use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; class AccessTokenHandler implements AccessTokenHandlerInterface

    { public function getUserBadgeFrom( !"\SensitiveParameter] string $accessToken ): UserBadge { $user = $this!#userRepository!#findOneByApiToken($accessToken); if (null !!$ $user) { throw new BadCredentialsException('Invalid credentials.'); } !" and return a UserBadge object containing the user identifier from the found token return new UserBadge($user!#getUserIdentifier()); } } ?

19. Access Token Extractor Customizable token extraction By default: header, query_string

    and request_body

20. namespace Symfony\Component\Security\Http\AccessToken; use Symfony\Component\HttpFoundation\Request; interface AccessTokenExtractorInterface { public function extractAccessToken(Request

    $request): ?string; }

21. final class HeaderAccessTokenExtractor implements AccessTokenExtractorInterface { private string $regex; public

    function !%construct( private readonly string $headerParameter = 'Authorization', private readonly string $tokenType = 'Bearer' ) { $this!#regex = sprintf( '/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/', '' !!$ $this!#tokenType ? '' : preg_quote($this!#tokenType).'\s+' ); } public function extractAccessToken(Request $request): ?string { #!!# } }

22. final class HeaderAccessTokenExtractor implements AccessTokenExtractorInterface { private string $regex; public

    function !%construct( private readonly string $headerParameter = 'Authorization', private readonly string $tokenType = 'Bearer' ) { $this!#regex = sprintf( '/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/', '' !!$ $this!#tokenType ? '' : preg_quote($this!#tokenType).'\s+' ); } public function extractAccessToken(Request $request): ?string { #!!# } }

23. final class HeaderAccessTokenExtractor implements AccessTokenExtractorInterface { private string $regex; public

    function !%construct( private readonly string $headerParameter = 'Authorization', private readonly string $tokenType = 'Bearer' ) { $this!#regex = sprintf( '/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/', '' !!$ $this!#tokenType ? '' : preg_quote($this!#tokenType).'\s+' ); } public function extractAccessToken(Request $request): ?string { #!!# } }

24. namespace App\Security; use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface; use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge; class AccessTokenHandler implements AccessTokenHandlerInterface

    { public function getUserBadgeFrom( !"\SensitiveParameter] string $accessToken ): UserBadge { !" TODO: Implement getUserBadgeFrom() method. } } !
25. None

26. OAuth 2 & OIDC

27. None
28. None
29. None
30. None
31. None
32. None
33. None
34. None
35. None
36. None
37. None
38. None
39. None
40. None
41. None
42. None

43. Setup Instructions hwi/oauth-bundle

44. None
45. None
46. None
47. None
48. None
49. None
50. None

51. Part of Symfony’s AccessTokenAuthenticator OIDC TokenHandler

52. security: firewalls: main: lazy: true provider: users_in_memory stateless: true access_token:

    token_handler: oidc: claim: 'email' # default is `sub` algorithm: 'ES256' key: '{"kty":"!!&","k":"!!&"}' audience: 'auth_demo' issuers: ['http:!'keycloak:8080/realms/sflive']

53. security: firewalls: main: lazy: true provider: users_in_memory stateless: true access_token:

    token_handler: oidc: claim: 'email' # default is `sub` algorithm: 'ES256' key: '{"kty":"!!&","k":"!!&"}' audience: 'auth_demo' issuers: ['http:!'keycloak:8080/realms/sflive']

54. security: firewalls: main: lazy: true provider: users_in_memory stateless: true access_token:

    token_handler: oidc: claim: 'email' # default is `sub` algorithm: 'ES256' key: '{"kty":"!!&","k":"!!&"}' audience: 'auth_demo' issuers: ['http:!'keycloak:8080/realms/sflive'] !

55. security: providers: users_in_memory: memory: users: [email protected]: password: '' roles: ['ROLE_USER']

    firewalls: main: lazy: true provider: users_in_memory stateless: true access_token: oidc: claim: 'email' algorithm: 'ES256' key: '{"kid":"1AN47oUyo3BctVir9OcLUlozok0D0J62HPw83mm7a5I",!!&}' audience: 'account' issuers: ['http:!'localhost:8080/realms/sflive']

56. security: providers: users_in_memory: memory: users: [email protected]: password: '' roles: ['ROLE_USER']

    firewalls: main: lazy: true provider: users_in_memory stateless: true access_token: oidc: claim: 'email' algorithm: 'ES256' key: '{"kid":"1AN47oUyo3BctVir9OcLUlozok0D0J62HPw83mm7a5I",!!&}' audience: 'account' issuers: ['http:!'localhost:8080/realms/sflive'] Map claim to user

57. security: providers: users_in_memory: memory: users: [email protected]: password: '' roles: ['ROLE_USER']

    firewalls: main: lazy: true provider: users_in_memory stateless: true access_token: oidc: claim: 'email' algorithm: 'ES256' key: '{"kid":"1AN47oUyo3BctVir9OcLUlozok0D0J62HPw83mm7a5I",!!&}' audience: 'account' issuers: ['http:!'localhost:8080/realms/sflive'] Map claim to user

58. security: providers: users_in_memory: memory: users: [email protected]: password: '' roles: ['ROLE_USER']

    firewalls: main: lazy: true provider: users_in_memory stateless: true access_token: oidc: claim: 'email' algorithm: 'ES256' key: '{"kid":"1AN47oUyo3BctVir9OcLUlozok0D0J62HPw83mm7a5I",!!&}' audience: 'account' issuers: ['http:!'localhost:8080/realms/sflive'] Map claim to user
59. None
60. None
61. None
62. None

63. !" UserLoader argument can be overridden by a UserProvider on

    AccessTokenAuthenticator!$authenticate return new UserBadge( $claims[$this!#claim], new FallbackUserLoader(fn () !( $this!#createUser($claims)), $claims );

64. !" UserLoader argument can be overridden by a UserProvider on

    AccessTokenAuthenticator!$authenticate return new UserBadge( $claims[$this!#claim], new FallbackUserLoader(fn () !( $this!#createUser($claims)), $claims ); !

65. security: providers: users_in_memory: memory: users: [email protected]: password: '' roles: ['ROLE_USER']

    firewalls: main: provider: users_in_memory stateless: true lazy: true access_token: oidc: claim: 'email' algorithm: 'ES256' key: '{"kid":"1AN47oUyo3BctVir9OcLUlozok0D0J62HPw83mm7a5I",!!&}' audience: 'account' issuers: ['http:!'localhost:8080/realms/sflive']

66. namespace App\Security; use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface; use Symfony\Component\Security\Core\User\OidcUser; use Symfony\Component\Security\Core\User\UserInterface; class OidcUserProvider

    implements AttributesBasedUserProviderInterface { public function supportsClass(string $class): bool { return $class !!$ OidcUser!)class !* is_subclass_of($class, OidcUser!)class); } public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface { return new OidcUser( identifier: $identifier, sub: $attributes['sub'] ); } public function refreshUser(UserInterface $user): UserInterface { return $user; } }

67. namespace App\Security; use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface; use Symfony\Component\Security\Core\User\OidcUser; use Symfony\Component\Security\Core\User\UserInterface; class OidcUserProvider

    implements AttributesBasedUserProviderInterface { public function supportsClass(string $class): bool { return $class !!$ OidcUser!)class !* is_subclass_of($class, OidcUser!)class); } public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface { return new OidcUser( identifier: $identifier, sub: $attributes['sub'] ); } public function refreshUser(UserInterface $user): UserInterface { return $user; } }

68. namespace App\Security; use Symfony\Component\Security\Core\User\AttributesBasedUserProviderInterface; use Symfony\Component\Security\Core\User\OidcUser; use Symfony\Component\Security\Core\User\UserInterface; class OidcUserProvider

    implements AttributesBasedUserProviderInterface { public function supportsClass(string $class): bool { return $class !!$ OidcUser!)class !* is_subclass_of($class, OidcUser!)class); } public function loadUserByIdentifier(string $identifier, array $attributes = []): UserInterface { return new OidcUser( identifier: $identifier, sub: $attributes['sub'] ); } public function refreshUser(UserInterface $user): UserInterface { return $user; } }

69. Validating OIDC Access Tokens using the UserInfo endpoint OIDC UserInfo

    TokenHandler

70. security: firewalls: main: lazy: true stateless: true access_token: token_handler: oidc_user_info:

    'https:/example.com/protocol/openid-connect/userinfo'
71. None
72. None
73. None
74. None

75. Summary

76. None

77. What’s next?

78. None
79. None
80. None
81. None
82. None

83. Thank You!

84. Next Kraftwerke GmbH Lichtstr. 43g 50825 Köln Germany +49 221

    – 820085-0 [email protected] Twitter: @Next_Kraftwerke LinkedIn: Next-Kraftwerke GmbH Contact