WIP

Author: cicnavi

config/module_oidc.php.dist

@@ -133,12 +133,25 @@ $config = [
     /**
      * Token related options.
      */
-    // Authorization code and tokens TTL (validity duration), with given examples. For duration format info, check
+    // Authorization code and tokens TTL (validity duration), with given examples.
+    // For duration format info, check
     // https://www.php.net/manual/en/dateinterval.construct.php
     ModuleConfig::OPTION_TOKEN_AUTHORIZATION_CODE_TTL => 'PT10M', // 10 minutes
     ModuleConfig::OPTION_TOKEN_REFRESH_TOKEN_TTL => 'P1M', // 1 month
     ModuleConfig::OPTION_TOKEN_ACCESS_TOKEN_TTL => 'PT1H', // 1 hour,
 
+    /**
+     * (optional) Timestamp Validation Leeway - additional time tolerance
+     * allowed for timestamp validation. This is used when validating
+     * timestamps like Expiration Time (exp), Issued At (iat), Not
+     * Before (nbf), and similar claims on JWS artifacts.
+     * If not set, falls back to 'PT1M' (1 minute).
+     *
+     * For duration format info, check
+     * https://www.php.net/manual/en/dateinterval.construct.php
+     */
+    ModuleConfig::OPTION_TIMESTAMP_VALIDATION_LEEWAY => 'PT1M',
+
     /**
      * Authentication related options.
      */

docs/6-oidc-upgrade.md

@@ -18,9 +18,14 @@ it in production.
 
 New configuration options:
 
-- ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS - enables defining multiple
-protocol (Connect) related signing algorithms and key pairs.
-- ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS - enables defining
+- ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS - (required) enables defining
+multiple protocol (Connect) related signing algorithms and key pairs. 
+- ModuleConfig::OPTION_FEDERATION_SIGNATURE_KEY_PAIRS - (required if federation
+capabilities are enabled) enables defining multiple key pairs for 
+Federation purposes like signing Entity Statements, publishing new key for
+key roll-ower scenarios, etc.
+- ModuleConfig::OPTION_TIMESTAMP_VALIDATION_LEEWAY - optional, used for setting
+allowed time tolerance for timestamp validation in artifacts like JWSs.
 multiple Federation related signing algorithms and key pairs.
 - Several new options regarding experimental support for OpenID4VCI.
 

routing/services/services.yml

@@ -75,30 +75,20 @@ services:
     class: League\OAuth2\Server\CryptKey
     factory: ['@SimpleSAML\Module\oidc\Factories\CryptKeyFactory', 'buildPublicKey']
 
-  SimpleSAML\Module\oidc\Factories\ResourceServerFactory:
-    arguments:
-      $publicKey: '@oidc.key.public'
   SimpleSAML\Module\oidc\Factories\AuthorizationServerFactory:
     arguments:
       $privateKey: '@oidc.key.private'
   SimpleSAML\Module\oidc\Factories\TokenResponseFactory:
     arguments:
       $privateKey: '@oidc.key.private'
-  SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory:
-    arguments:
-      $privateKey: '@oidc.key.private'
 
-  SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator:
-    arguments:
-      $publicKey: '@oidc.key.public'
+  SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory: ~
 
+  SimpleSAML\Module\oidc\Server\Validators\BearerTokenValidator: ~
+  SimpleSAML\Module\oidc\Server\ResourceServer: ~
   SimpleSAML\Module\oidc\Server\AuthorizationServer:
     factory: ['@SimpleSAML\Module\oidc\Factories\AuthorizationServerFactory', 'build']
 
-  # OAuth2 Server
-  League\OAuth2\Server\ResourceServer:
-    factory: ['@SimpleSAML\Module\oidc\Factories\ResourceServerFactory', 'build']
-
   # Utils
   SimpleSAML\Module\oidc\Utils\Debug\ArrayLogger: ~
   SimpleSAML\Module\oidc\Utils\FederationParticipationValidator: ~
@@ -134,6 +124,8 @@ services:
     factory: [ '@SimpleSAML\Module\oidc\Factories\JwksFactory', 'build' ]
   SimpleSAML\OpenID\Jwk: ~
   SimpleSAML\OpenID\Did: ~
+  SimpleSAML\OpenID\Jws:
+    factory: [ '@SimpleSAML\Module\oidc\Factories\JwsFactory', 'build' ]
 
 
   # SSP

src/Controllers/UserInfoController.php

@@ -18,7 +18,6 @@
 
 use Laminas\Diactoros\Response\JsonResponse;
 use League\OAuth2\Server\Exception\OAuthServerException;
-use League\OAuth2\Server\ResourceServer;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use SimpleSAML\Error;
@@ -29,6 +28,7 @@
 use SimpleSAML\Module\oidc\Repositories\AccessTokenRepository;
 use SimpleSAML\Module\oidc\Repositories\AllowedOriginRepository;
 use SimpleSAML\Module\oidc\Repositories\UserRepository;
+use SimpleSAML\Module\oidc\Server\ResourceServer;
 use SimpleSAML\Module\oidc\Services\ErrorResponder;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use Symfony\Component\HttpFoundation\Request;

src/Controllers/VerifiableCredentials/CredentialIssuerCredentialController.php

@@ -5,7 +5,6 @@
 namespace SimpleSAML\Module\oidc\Controllers\VerifiableCredentials;
 
 use Base64Url\Base64Url;
-use League\OAuth2\Server\ResourceServer;
 use SimpleSAML\Module\oidc\Bridges\PsrHttpBridge;
 use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
@@ -14,6 +13,7 @@
 use SimpleSAML\Module\oidc\Repositories\IssuerStateRepository;
 use SimpleSAML\Module\oidc\Repositories\UserRepository;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Server\ResourceServer;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\Module\oidc\Utils\Routes;

src/Entities/AccessTokenEntity.php

@@ -17,9 +17,6 @@
 namespace SimpleSAML\Module\oidc\Entities;
 
 use DateTimeImmutable;
-use Lcobucci\JWT\Configuration;
-use Lcobucci\JWT\Token;
-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use League\OAuth2\Server\Entities\Traits\AccessTokenTrait;
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
@@ -29,7 +26,10 @@
 use SimpleSAML\Module\oidc\Entities\Interfaces\EntityStringRepresentationInterface;
 use SimpleSAML\Module\oidc\Entities\Traits\AssociateWithAuthCodeTrait;
 use SimpleSAML\Module\oidc\Entities\Traits\RevokeTokenTrait;
-use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Jws;
+use SimpleSAML\OpenID\Jws\ParsedJws;
 use Stringable;
 
 /**
@@ -63,13 +63,12 @@ public function __construct(
         OAuth2ClientEntityInterface $clientEntity,
         array $scopes,
         DateTimeImmutable $expiryDateTime,
-        CryptKey $privateKey,
-        protected JsonWebTokenBuilderService $jsonWebTokenBuilderService,
+        protected readonly Jws $jws,
+        protected readonly ModuleConfig $moduleConfig,
         int|string|null $userIdentifier = null,
         ?string $authCodeId = null,
         ?array $requestedClaims = null,
         ?bool $isRevoked = false,
-        ?Configuration $jwtConfiguration = null,
         protected readonly ?FlowTypeEnum $flowTypeEnum = null,
         protected readonly ?array $authorizationDetails = null,
         protected readonly ?string $boundClientId = null,
@@ -82,14 +81,12 @@ public function __construct(
             $this->addScope($scope);
         }
         $this->setExpiryDateTime($expiryDateTime);
-        $this->setPrivateKey($privateKey);
         $this->setUserIdentifier($userIdentifier);
         $this->setAuthCodeId($authCodeId);
         $this->setRequestedClaims($requestedClaims ?? []);
         if ($isRevoked) {
             $this->revoke();
         }
-        $jwtConfiguration !== null ? $this->jwtConfiguration = $jwtConfiguration : $this->initJwtConfiguration();
     }
 
     /**
@@ -137,7 +134,7 @@ public function getState(): array
      */
     public function __toString(): string
     {
-        return $this->stringRepresentation = $this->convertToJWT()->toString();
+        return $this->stringRepresentation = $this->convertToJWT()->getToken();
     }
 
     /**
@@ -150,29 +147,40 @@ public function toString(): ?string
     }
 
     /**
-     * Implemented instead of original AccessTokenTrait::convertToJWT() method in order to remove microseconds from
-     * timestamps and to add claims like iss, etc., by using our own JWT builder service.
+     * Implemented instead of original AccessTokenTrait::convertToJWT() method
+     * in order to remove microseconds from timestamps and to add claims
+     * like iss, etc.
      *
-     * @return \Lcobucci\JWT\Token
      * @throws \League\OAuth2\Server\Exception\OAuthServerException
      * @throws \Exception
      */
-    protected function convertToJWT(): Token
+    protected function convertToJWT(): ParsedJws
     {
-        /** @psalm-suppress ArgumentTypeCoercion */
-        $jwtBuilder = $this->jsonWebTokenBuilderService->getProtocolJwtBuilder()
-            ->permittedFor($this->getClient()->getIdentifier())
-            ->identifiedBy((string)$this->getIdentifier())
-            ->issuedAt(new DateTimeImmutable())
-            ->canOnlyBeUsedAfter(new DateTimeImmutable())
-            ->expiresAt($this->getExpiryDateTime())
-            ->relatedTo((string) $this->getUserIdentifier())
-            ->withClaim('scopes', $this->getScopes());
-        if ($this->issuerState !== null) {
-            $jwtBuilder = $jwtBuilder->withClaim('issuer_state', $this->issuerState);
-        }
+        $protocolSignatureKeyPair = $this->moduleConfig->getProtocolSignatureKeyPairBag()->getFirstOrFail();
+        $currentTimestamp = $this->jws->helpers()->dateTime()->getUtc()->getTimestamp();
+
+        $payload = array_filter([
+            ClaimsEnum::Iss->value => $this->moduleConfig->getIssuer(),
+            ClaimsEnum::Iat->value => $currentTimestamp,
+            ClaimsEnum::Jti->value => (string)$this->getIdentifier(),
+            ClaimsEnum::Aud->value => $this->getClient()->getIdentifier(),
+            ClaimsEnum::Nbf->value => $currentTimestamp,
+            ClaimsEnum::Exp->value => $this->expiryDateTime->getTimestamp(),
+            ClaimsEnum::Sub->value => (string)$this->getUserIdentifier(),
+            'scopes' => $this->getScopes(),
+            ClaimsEnum::IssuerState->value => $this->issuerState,
+        ]);
+
+        $header = [
+            ClaimsEnum::Kid->value => $protocolSignatureKeyPair->getKeyPair()->getKeyId(),
+        ];
 
-        return $this->jsonWebTokenBuilderService->getSignedProtocolJwt($jwtBuilder);
+        return $this->jws->parsedJwsFactory()->fromData(
+            $protocolSignatureKeyPair->getKeyPair()->getPrivateKey(),
+            $protocolSignatureKeyPair->getSignatureAlgorithm(),
+            $payload,
+            $header,
+        );
     }
 
     public function getFlowTypeEnum(): ?FlowTypeEnum

src/Factories/CryptKeyFactory.php

@@ -5,6 +5,7 @@
 namespace SimpleSAML\Module\oidc\Factories;
 
 use League\OAuth2\Server\CryptKey;
+use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Module\oidc\ModuleConfig;
 
 class CryptKeyFactory
@@ -19,9 +20,14 @@ public function __construct(
      */
     public function buildPrivateKey(): CryptKey
     {
+        $defaultSignatureKeyPairConfig = $this->getDefaultProtocolSignatureKeyPairConfig();
+
+        $privateKeyFilename = $defaultSignatureKeyPairConfig[ModuleConfig::KEY_PRIVATE_KEY_FILENAME];
+        $privateKeyPassword = $defaultSignatureKeyPairConfig[ModuleConfig::KEY_PRIVATE_KEY_PASSWORD] ?? null;
+
         return new CryptKey(
-            $this->moduleConfig->getProtocolPrivateKeyPath(),
-            $this->moduleConfig->getProtocolPrivateKeyPassPhrase(),
+            $privateKeyFilename,
+            $privateKeyPassword,
             true,
         );
     }
@@ -31,6 +37,33 @@ public function buildPrivateKey(): CryptKey
      */
     public function buildPublicKey(): CryptKey
     {
-        return new CryptKey($this->moduleConfig->getProtocolCertPath(), null, false);
+        $defaultSignatureKeyPairConfig = $this->getDefaultProtocolSignatureKeyPairConfig();
+        $publicKeyFilename = $defaultSignatureKeyPairConfig[ModuleConfig::KEY_PUBLIC_KEY_FILENAME];
+        return new CryptKey($publicKeyFilename, null, false);
+    }
+
+    /**
+     * @return array{
+     *      algorithm: \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum,
+     *      private_key_filename: non-empty-string,
+     *      public_key_filename: non-empty-string,
+     *      private_key_password: ?non-empty-string,
+     *      key_id: ?non-empty-string
+     *  }
+     * @throws ConfigurationError
+     *
+     */
+    protected function getDefaultProtocolSignatureKeyPairConfig(): array
+    {
+        $defaultProtocolKeyPair = $this->moduleConfig->getProtocolSignatureKeyPairs();
+
+        /** @psalm-suppress MixedAssignment */
+        $defaultProtocolKeyPair = $defaultProtocolKeyPair[array_key_first($defaultProtocolKeyPair)];
+
+        if (!is_array($defaultProtocolKeyPair)) {
+            throw new ConfigurationError('Invalid protocol signature key pairs config.');
+        }
+
+        return $this->moduleConfig->getValidatedSignatureKeyPairArray($defaultProtocolKeyPair);
     }
 }

src/Factories/Entities/AccessTokenEntityFactory.php

@@ -5,22 +5,22 @@
 namespace SimpleSAML\Module\oidc\Factories\Entities;
 
 use DateTimeImmutable;
-use League\OAuth2\Server\CryptKey;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use SimpleSAML\Module\oidc\Codebooks\FlowTypeEnum;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Helpers;
+use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
-use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
+use SimpleSAML\OpenID\Jws;
 
 class AccessTokenEntityFactory
 {
     public function __construct(
         protected readonly Helpers $helpers,
-        protected readonly CryptKey $privateKey,
-        protected readonly JsonWebTokenBuilderService $jsonWebTokenBuilderService,
         protected readonly ScopeEntityFactory $scopeEntityFactory,
+        protected readonly Jws $jws,
+        protected readonly ModuleConfig $moduleConfig,
     ) {
     }
 
@@ -47,8 +47,8 @@ public function fromData(
             $clientEntity,
             $scopes,
             $expiryDateTime,
-            $this->privateKey,
-            $this->jsonWebTokenBuilderService,
+            $this->jws,
+            $this->moduleConfig,
             $userIdentifier,
             $authCodeId,
             $requestedClaims,

src/Factories/FederationFactory.php

@@ -27,6 +27,7 @@ public function build(): Federation
         return new Federation(
             supportedAlgorithms: $this->moduleConfig->getSupportedAlgorithms(),
             maxCacheDuration: $this->moduleConfig->getFederationCacheMaxDurationForFetched(),
+            timestampValidationLeeway: $this->moduleConfig->getTimestampValidationLeeway(),
             cache: $this->federationCache?->cache,
             logger: $this->loggerService,
             defaultTrustMarkStatusEndpointUsagePolicyEnum:

src/Factories/JwsFactory.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\oidc\Factories;
+
+use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Services\LoggerService;
+use SimpleSAML\OpenID\Jws;
+
+class JwsFactory
+{
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly LoggerService $loggerService,
+    ) {
+    }
+
+    public function build(): Jws
+    {
+        return new Jws(
+            supportedAlgorithms: $this->moduleConfig->getSupportedAlgorithms(),
+            supportedSerializers: $this->moduleConfig->getSupportedSerializers(),
+            timestampValidationLeeway: $this->moduleConfig->getTimestampValidationLeeway(),
+            logger: $this->loggerService,
+        );
+    }
+}