feature #1041 WebToken support integration (Spomky)
This PR was merged into the 2.x branch.

Discussion
----------

WebToken support integration

This PR aims to integrate Web-Token for issuing and verifying access tokens. The two processes are separated so that it is possible to issue a token on one server and verify it on another.

The configuration looks as follows:

```yaml
lexik_jwt_authentication:
    encoder:
        service: lexik_jwt_authentication.encoder.web_token # New encoder
    access_token_issuance:
        enabled: true
        signature: # Access tokens are always signed
            algorithm: 'HS256' # Signature/MAC algorithm.
            key: '%env(LEXIK_SIGNATURE_KEY)%' # Signature/MAC key (private or shared key, JWK format)
        encryption: # Access token may be encrypted
            enabled: true
            key_encryption_algorithm: 'A256GCMKW' # Key Encryption Algorithm.
            content_encryption_algorithm: 'A256GCM' # Content Encryption Algorithm.
            key: '%env(LEXIK_ENCRYPTION_KEY)%' # Encryption key (public or shared key, JWK format)
    access_token_verification:
        enabled: true
        signature: # Received Access tokens shall always be signed
            allowed_algorithms: ['HS256', 'RS256'] # List of allowed signature/MAC algorithms
            keyset: '%env(LEXIK_ALLOWED_SIGNATURE_KEYSET)%' # Signature verification keys (public or shared keys, JWKSet format)
        encryption:
            enabled: true # Received Access tokens may be encrypted
            allowed_key_encryption_algorithms: ['A256GCMKW', 'ECDH-ES+A128KW'] # List of allowed key encryption algorithms
            allowed_content_encryption_algorithms: ['A256GCM', 'A128CBC-HS256'] # List of allowed content encryption algorithms
            keyset: '%env(LEXIK_ALLOWED_ENCRYPTION_KEYSET)%' # Decryption keys (private or shared keys, JWKSet format)
```

> **Note**
> To work with this feature, the application shall install the associated bundle and the algorithms to be used:

```shell
composer require web-token/jwt-bundle
composer require web-token/jwt-checker
composer require web-token/jwt-signature-algorithm-hmac
composer require web-token/jwt-encryption-algorithm-aesgcm
composer require web-token/jwt-encryption-algorithm-aesgcmkw
```

Complete lists of supported algorithms:

* Signature/MAC: https://web-token.spomky-labs.com/the-components/signed-tokens-jws/signature-algorithms
* Key encryption: https://web-token.spomky-labs.com/the-components/encrypted-tokens-jwe/encryption-algorithms#key-encryption
* Content encryption: https://web-token.spomky-labs.com/the-components/encrypted-tokens-jwe/encryption-algorithms#content-encryption

> **Warning**
> This feature is **NOT** compatible with the cookie split feature!

* [x] Documentation
* [x] JWT Builder
  * [x] Signature alg+key
  * [x] Encryption algs+key
  * [x] Additional claims and header
  * ~~Allow additional claims and header to be disabled~~ (removed as too risky)
  * [x] Allow custom JWE header
* [x] JWT Loader
  * [x] Decryption algs+keyset
  * [x] Verification algs+keyset
  * [x] JWS claims and header checkers
  * [x] JWE header checkers
  * [x] Allow non-encrypted tokens even if encryption support is enabled
* [x] Commands
  * [x] Configuration migration + Key conversion
  * [x] Encryption Support Helper
  * ~~Keyset Rotation Helper~~ (will be part of another PR)
* [x] Tests
  * [x] Success
    * [x] Token issuance
    * [x] Token verification
  * [x] Failure
    * [x] Not encrypted
    * [x] Cannot be decrypted
    * [x] Unsupported key encryption algorithm
    * [x] Unsupported content encryption algorithm
    * [x] Missing decryption key
    * [x] Bad content
    * [x] Bad signature
    * [x] Unsupported signature algorithm
    * [x] Missing verification key
    * [x] Time sensitive (expired, not yet...)
    * [x] Mandatory claims are missing

Commits
-------

15a5e3e WebToken support integration
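The split between `access_token_issuance` and `access_token_verification` above, and the failure cases listed under "Tests", can be illustrated with a small stand-alone script. The following Python is an added example, not code from this PR, from LexikJWTAuthenticationBundle or from the web-token library (which is PHP): it implements only the signature layer (HS256 compact JWS) and leaves the JWE encryption layer out. The issuer side needs a single JWK; the verifier side gets an algorithm allow-list and a JWK Set and looks the key up by `kid`, mirroring `allowed_algorithms` and `keyset`. The key material, `kid`, claim set and `MANDATORY_CLAIMS` list are constructed for the example.

```python
"""Added example: HS256 JWS issuance on one side, verification on the other.

Not the bundle's or web-token's code. The verifier reproduces the failure
cases the PR tests enumerate: bad content, unsupported signature algorithm,
missing verification key, bad signature, mandatory claims missing, and the
time-sensitive checks (expired / not yet valid). No JWE layer is modelled.
"""
import base64
import hashlib
import hmac
import json
import time

# Claims the verifier insists on (constructed list for this example)
MANDATORY_CLAIMS = ("iat", "exp", "username")


class TokenError(Exception):
    """Raised by the verifier with the reason a token was rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_secret(jwk: dict) -> bytes:
    # A shared (symmetric) JWK carries its raw bytes base64url-encoded in "k".
    if jwk.get("kty") != "oct":
        raise TokenError("only shared (kty=oct) keys are supported in this example")
    return b64url_decode(jwk["k"])


def issue_token(claims: dict, jwk: dict) -> str:
    """Issuer side (access_token_issuance): HS256-sign the claims with one JWK."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(jwk_secret(jwk), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_token(token: str, allowed_algorithms: list, keyset: dict, now: float = None) -> dict:
    """Verifier side (access_token_verification): return the claims or raise TokenError.

    Order of checks: well-formed compact JWS, algorithm allow-list, key lookup
    by kid in the JWK Set, signature, mandatory claims, then exp/nbf.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except ValueError:  # wrong segment count, bad base64url, bad JSON/UTF-8
        raise TokenError("bad content")
    alg = header.get("alg")
    if alg not in allowed_algorithms:
        raise TokenError(f"unsupported signature algorithm: {alg}")
    if alg != "HS256":
        raise TokenError(f"{alg} is allowed but only HS256 is implemented in this example")
    candidates = [k for k in keyset.get("keys", []) if k.get("kid") == header.get("kid")]
    if not candidates:
        raise TokenError("missing verification key")
    expected = hmac.new(
        jwk_secret(candidates[0]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison; also False when the lengths differ
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("bad content")
    if not isinstance(claims, dict):
        raise TokenError("bad content")
    missing = [c for c in MANDATORY_CLAIMS if c not in claims]
    if missing:
        raise TokenError("mandatory claims are missing: " + ", ".join(missing))
    if claims["exp"] <= now:
        raise TokenError("token expired")
    if claims.get("nbf", claims["iat"]) > now:
        raise TokenError("token not yet valid")
    return claims


def verification_failure(token, allowed_algorithms, keyset, now):
    """Return the rejection reason as a string, or None when the token verifies."""
    try:
        verify_token(token, allowed_algorithms, keyset, now)
    except TokenError as exc:
        return str(exc)
    return None


# Constructed sample key material: a 32-byte shared secret in JWK form
SIGNING_JWK = {"kty": "oct", "kid": "sig-2023-01", "k": b64url_encode(b"constructed-shared-secret-32byte")}
# The verifier's JWK Set (the shape LEXIK_ALLOWED_SIGNATURE_KEYSET would hold)
VERIFICATION_KEYSET = {"keys": [SIGNING_JWK]}

if __name__ == "__main__":
    tok = issue_token({"iat": 1_700_000_000, "exp": 1_700_003_600, "username": "alice"}, SIGNING_JWK)
    print(verify_token(tok, ["HS256", "RS256"], VERIFICATION_KEYSET, now=1_700_000_100))
```

The verifier never trusts the token's `alg` header on its own: the allow-list is checked first, and the key is selected from the verifier's own key set by `kid`, so a token naming an algorithm or key the verifier was not configured for is rejected before any cryptographic work happens.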