
WebToken support integration #1041

Merged (1 commit, Dec 1, 2023)
Conversation

@Spomky (Contributor) commented Jun 26, 2022

This PR aims to integrate Web-Token for issuing and verifying access tokens.
The two processes are separated so that it is possible to issue a token on one server and verify it on another.

The configuration looks as follows:

lexik_jwt_authentication:
    encoder:
        service: lexik_jwt_authentication.encoder.web_token #New encoder
    access_token_issuance:
        enabled: true
        signature: # Access tokens are always signed
            algorithm: 'HS256' # Signature/MAC algorithm.
            key: '%env(LEXIK_SIGNATURE_KEY)%' # Signature/MAC key (private or shared key, JWK format)
        encryption: # Access token may be encrypted
            enabled: true
            key_encryption_algorithm: 'A256GCMKW' # Key Encryption Algorithm.
            content_encryption_algorithm: 'A256GCM' # Content Encryption Algorithm.
            key: '%env(LEXIK_ENCRYPTION_KEY)%' # Encryption key (public or shared key, JWK format)
    access_token_verification:
        enabled: true
        signature: # Received Access tokens shall always be signed
            allowed_algorithms: ['HS256', 'RS256'] # List of allowed signature/MAC algorithms
            keyset: '%env(LEXIK_ALLOWED_SIGNATURE_KEYSET)%' # Signature verification keys (public or shared keys, JWKSet format)
        encryption:
            enabled: true # Received Access tokens may be encrypted
            allowed_key_encryption_algorithms: ['A256GCMKW', 'ECDH-ES+A128KW'] # List of allowed key encryption algorithms
            allowed_content_encryption_algorithms: ['A256GCM', 'A128CBC-HS256'] # List of allowed content encryption algorithms
            keyset: '%env(LEXIK_ALLOWED_ENCRYPTION_KEYSET)%' # Decryption keys (private or shared keys, JWKSet format)

Note
To work with this feature, the application shall install the associated bundle and the algorithms to be used:

composer require web-token/jwt-bundle
composer require web-token/jwt-checker

composer require web-token/jwt-signature-algorithm-hmac
composer require web-token/jwt-encryption-algorithm-aesgcm
composer require web-token/jwt-encryption-algorithm-aesgcmkw

Complete lists of supported algorithms:

Warning
This feature is NOT compatible with the cookie split feature!

  • Documentation
  • JWT Builder
    • Signature alg+key
    • Encryption algs+key
    • Additional claims and header
    • Allow additional claims and header to be disable (removed as too risky)
    • Allow custom JWE header
  • JWT Loader
    • Decryption algs+keyset
    • Verification algs+keyset
    • JWS claims and header checkers
    • JWE header checkers
    • Allow non-encrypted tokens even if encryption support is enable
  • Commands
    • Configuration migration + Key conversion
    • Encryption Support Helper
    • Keyset Rotation Helper (will be part of another PR)
  • Tests
    • Success
      • Token issuance
      • Token verification
    • Failure
      • Not encrypted
      • Cannot be decrypted
        • Unsupported key encryption algorithm
        • Unsupported content encryption algorithm
        • Missing decryption key
      • Bad content
      • Bad signature
      • Unsupported signature algorithm
      • Missing verification key
      • Time sensitive (expired, not yet...)
      • Mandatory claims are missing
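The issuer/verifier split and the failure cases listed above, as an added example that is not part of the PR or of the web-token library. It uses only the Python standard library, implements compact JWS with HMAC (HS256/HS384/HS512) and leaves out RS256 and the JWE layer; the verifier takes the same inputs the configuration names (an allowlist of signature algorithms, a JWKSet, mandatory claims) and selects the key by the token's `kid`. The keys, kids, claims and helper names (`issue_token`, `verify_token`, `classify`) are constructed for illustration.

```python
"""Issuer/verifier split for compact JWS tokens, standard library only.

Added example, not code from the PR or from web-token. The issuing side holds a
single signing JWK; the verifying side holds an algorithm allowlist and a JWKSet.
Keys, kids and claim values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Only HMAC algorithms are implemented here; RS256 would need an RSA verifier.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class TokenError(Exception):
    """Raised for every verification failure; the message names the failure class."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, jwk: dict, alg: str = "HS256") -> str:
    """Issuing side: needs only the signing JWK (kty 'oct', base64url secret in 'k')."""
    if jwk.get("kty") != "oct" or alg not in HMAC_ALGS:
        raise TokenError("issuer supports only symmetric HMAC keys")
    header = {"alg": alg, "typ": "JWT"}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]  # lets the verifier pick the key from its JWKSet
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_token(token: str, jwkset: dict, allowed_algs, mandatory_claims=("sub", "exp"), now=None) -> dict:
    """Verifying side: allowlist check, JWKSet lookup by kid, signature, then claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("bad content: expected three compact parts")
    try:
        header = json.loads(b64url_decode(parts[0]))
        alg = header["alg"]
    except (ValueError, KeyError, TypeError):
        raise TokenError("bad content: unparsable header")
    # The header is attacker-controlled: 'alg' is matched against the configured allowlist,
    # never trusted to select an algorithm, which rejects 'none' and downgrade attempts.
    if alg not in allowed_algs or alg not in HMAC_ALGS:
        raise TokenError(f"unsupported signature algorithm: {alg}")
    kid = header.get("kid")
    candidates = [k for k in jwkset.get("keys", [])
                  if k.get("kty") == "oct" and (kid is None or k.get("kid") == kid)]
    if not candidates:
        raise TokenError("missing verification key")
    signing_input = (parts[0] + "." + parts[1]).encode()
    try:
        signature = b64url_decode(parts[2])
    except ValueError:
        raise TokenError("bad content: unparsable signature")
    # Constant-time comparison against every candidate key; signature is checked before claims.
    if not any(hmac.compare_digest(hmac.new(b64url_decode(k["k"]), signing_input, HMAC_ALGS[alg]).digest(), signature)
               for k in candidates):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        raise TokenError("bad content: unparsable claims")
    if not isinstance(claims, dict):
        raise TokenError("bad content: claims are not an object")
    missing = [c for c in mandatory_claims if c not in claims]
    if missing:
        raise TokenError("mandatory claims missing: " + ", ".join(missing))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise TokenError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("token not yet valid")
    return claims


def classify(token: str, jwkset: dict, allowed_algs, now=None) -> str:
    """Return 'ok' or the verification failure message (useful for tests and logging)."""
    try:
        verify_token(token, jwkset, allowed_algs, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


# Constructed keys: the issuer holds one JWK; the verifier's JWKSet includes it plus an older key.
ISSUER_JWK = {"kty": "oct", "kid": "2023-12", "k": b64url_encode(b"\x01" * 32)}
VERIFIER_JWKSET = {"keys": [ISSUER_JWK, {"kty": "oct", "kid": "2023-06", "k": b64url_encode(b"\x02" * 32)}]}

if __name__ == "__main__":
    token = issue_token({"sub": "alice", "exp": int(time.time()) + 3600}, ISSUER_JWK)
    print(token)
    print(classify(token, VERIFIER_JWKSET, ["HS256", "HS512"]))
```

One caveat worth keeping in mind with the HS256 configuration shown above: an HMAC key is shared, so every verifying server that holds it in its keyset can also mint tokens. If the verifiers must not be able to issue, sign with an asymmetric algorithm (the verification allowlist above already admits RS256) and give the verifiers only the public key.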

@Spomky Spomky marked this pull request as draft June 26, 2022 19:57
@Spomky Spomky marked this pull request as ready for review June 26, 2022 21:30
@Spomky (Contributor, Author) commented Jun 30, 2022

Hi @chalasr and all,

It looks good to me. Can you please take time to review this PR and let me know if you see issues, features or anything that should be addressed here.

Many thanks,
Regards.

@chalasr (Collaborator) commented Jul 5, 2022

Thanks for the amazing work @Spomky. Review on its way :)

@chalasr (Collaborator) left a review

First round of comments and questions :)

Review comments (resolved) on:
  • Tests/Functional/Command/MigrateConfigCommandTest.php
  • Services/WebToken/AccessTokenLoader.php
  • Resources/doc/index.rst
  • Command/MigrateConfigCommand.php
  • Events.php
  • DependencyInjection/LexikJWTAuthenticationExtension.php
@chalasr (Collaborator) left a review

Some more comments :) I'm really looking forward to merging this.
Also FYI the 3.x branch of this bundle is going to require PHP 8.1 minimum, so we will be able to remove the specificities there.

Review comments (resolved) on:
  • DependencyInjection/Configuration.php
  • Encoder/WebTokenEncoder.php
  • DependencyInjection/LexikJWTAuthenticationExtension.php
@Spomky Spomky force-pushed the features/new-config branch 2 times, most recently from c36ec94 to 1d0b7ca, April 2, 2023 16:20
@Spomky (Contributor, Author) commented Apr 2, 2023

Hi,

I rebased and finished the last things, including the documentation.
If anyone passing here can test it, I'll be happy to receive comments and feedback on it.

Many thanks.

@chalasr (Collaborator) commented Dec 1, 2023

It took time, but here we go, this is in now. Thank you very much @Spomky.

@chalasr chalasr merged commit 63a9811 into lexik:2.x Dec 1, 2023
10 checks passed
chalasr added a commit that referenced this pull request Dec 1, 2023
… with PHP 7.x (webhdx)

This PR was merged into the 2.x branch.

Discussion
----------

Removed constructor property promotion to fix compatibility with PHP 7.x

Looks like #1041 introduced PHP 7.x incompatible change. The issue is constructor property promotion in `\Lexik\Bundle\JWTAuthenticationBundle\Command\EnableEncryptionConfigCommand` class.

Commits
-------

dd21e04 Removed constructor property promotion to fix compatibility with PHP 7.x
@Spomky Spomky deleted the features/new-config branch December 1, 2023 19:33
@Spomky (Contributor, Author) commented Dec 1, 2023

Excellent! TBH I missed this PR and forgot to have it in line with the branch.
Let me know if there is any trouble with this feature and I will take care of it.
