Add support for using multiple signature algorithms (#325)

Related to #324

Author: cicnavi

config/module_oidc.php.dist

@@ -556,7 +556,7 @@
                                     "xpath",
                                     "//*",
                                     10,
-                                    "The JWT string is missing the Signature part",
+                                    "The algorithm \"none\" is not supported.",
                                     "update-image-placeholder"
                                 ]
                             ]
@@ -620,7 +620,7 @@
                                     "xpath",
                                     "//*",
                                     10,
-                                    "The token was not issued by the given issuers",
+                                    "Issuer claim",
                                     "update-image-placeholder"
                                 ]
                             ]

conformance-tests/conformance-rp-initiated-logout-ci.json

@@ -14,6 +14,22 @@ INSERT INTO oidc_migration_versions VALUES('20210916153400');
 INSERT INTO oidc_migration_versions VALUES('20210916173400');
 INSERT INTO oidc_migration_versions VALUES('20240603141400');
 INSERT INTO oidc_migration_versions VALUES('20240605145700');
+INSERT INTO oidc_migration_versions VALUES('20240820132400');
+INSERT INTO oidc_migration_versions VALUES('20240828153300');
+INSERT INTO oidc_migration_versions VALUES('20240830153300');
+INSERT INTO oidc_migration_versions VALUES('20240902120000');
+INSERT INTO oidc_migration_versions VALUES('20240905120000');
+INSERT INTO oidc_migration_versions VALUES('20240906120000');
+INSERT INTO oidc_migration_versions VALUES('20250818163000');
+INSERT INTO oidc_migration_versions VALUES('20250908163000');
+INSERT INTO oidc_migration_versions VALUES('20250912163000');
+INSERT INTO oidc_migration_versions VALUES('20250913163000');
+INSERT INTO oidc_migration_versions VALUES('20250915163000');
+INSERT INTO oidc_migration_versions VALUES('20250916163000');
+INSERT INTO oidc_migration_versions VALUES('20250917163000');
+INSERT INTO oidc_migration_versions VALUES('20251021000001');
+INSERT INTO oidc_migration_versions VALUES('20251021000002');
+INSERT INTO oidc_migration_versions VALUES('20260109000001');
 CREATE TABLE oidc_user (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             claims TEXT,
@@ -44,15 +60,16 @@ CREATE TABLE oidc_client (
             created_at TIMESTAMP NULL DEFAULT NULL,
             expires_at TIMESTAMP NULL DEFAULT NULL,
             is_federated BOOLEAN NOT NULL DEFAULT false,
-            is_generic BOOLEAN NOT NULL DEFAULT false
+            is_generic BOOLEAN NOT NULL DEFAULT false,
+            extra_metadata TEXT NULL
 );
 -- Used 'httpd' host for back-channel logout url (https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout)
 -- since this is the hostname of conformance server while running in container environment
-INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
 CREATE TABLE oidc_access_token (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,

docker/conformance.sql

@@ -21,7 +21,15 @@
     ModuleConfig::OPTION_TOKEN_REFRESH_TOKEN_TTL => 'P1M',
     ModuleConfig::OPTION_TOKEN_ACCESS_TOKEN_TTL => 'PT1H',
 
-    ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
+    ModuleConfig::OPTION_PROTOCOL_SIGNATURE_KEY_PAIRS => [
+        [
+            ModuleConfig::KEY_ALGORITHM => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::RS256,
+            ModuleConfig::KEY_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,
+            ModuleConfig::KEY_PUBLIC_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME,
+//            ModuleConfig::KEY_PRIVATE_KEY_PASSWORD => 'private-key-password', // Optional
+//            ModuleConfig::KEY_KEY_ID => 'rsa-connect-signing-key-2026', // Optional
+        ],
+    ],
 
     ModuleConfig::OPTION_AUTH_SOURCE => 'example-userpass',
 

docker/ssp/module_oidc.php

@@ -13,8 +13,7 @@ Supported flows:
 
 ## Note on OpenID Federation (OIDFed)
 
-OpenID Federation support is in draft, as is the
-[specification](https://openid.net/specs/openid-federation-1_0). You can
+OpenID Federation support is in draft phase. You can
 expect breaking changes in future releases related to OIDFed
 capabilities. OIDFed can be enabled or disabled in the module
 configuration.

docs/1-oidc.md

@@ -22,8 +22,8 @@ cp modules/oidc/config/module_oidc.php.dist config/module_oidc.php
 
 ## 3. Configure the database
 
-The module uses SimpleSAMLphp's database feature to store access and
-refresh tokens, user data, and other artifacts. Edit `config/config.php`
+The module uses SimpleSAMLphp's database feature to store Access and
+Refresh tokens, user data, and other artifacts. Edit `config/config.php`
 and ensure at least the following parameters are set:
 
 ```php
@@ -34,83 +34,135 @@ and ensure at least the following parameters are set:
 
 Note: SQLite, PostgreSQL, and MySQL are supported.
 
-## 4. Create key pairs
+## 4. Create signature key pairs
 
-ID and Access tokens are signed JWTs. Create a public/private RSA key
-pair for OIDC protocol operations. If you plan to use OpenID Federation,
-create a separate key pair for federation operations.
+In order to sign JWS artifacts (ID Tokens, Entity Statements, Verifiable
+Credentials, etc.), you must create a public / private key pair for each
+signature algorithm that you want to support. You should use different
+keys for protocol (Connect), Federation and Verifiable Credential (VCI)
+operations. You must have at least one algorithm / key-pair for protocol
+(Connect), and for Federation and VCI if you use those features.
 
-### RSA key pair generation
+### RSA key pair generation, for `RS256/384/512` and `PS256/384/512` algorithms
 
-Generate private keys without a passphrase:
+Generate private keys without a password:
 
 ```bash
-openssl genrsa -out cert/oidc_module.key 3072
-openssl genrsa -out cert/oidc_module_federation.key 3072
+openssl genrsa -out cert/oidc_module_connect_rsa_01.key 3072
+openssl genrsa -out cert/oidc_module_federation_rsa_01.key 3072
+openssl genrsa -out cert/oidc_module_vci_rsa_01.key 3072
 ```
 
-Generate private keys with a passphrase:
+Generate private keys with a password:
 
 ```bash
-openssl genrsa -passout pass:myPassPhrase -out cert/oidc_module.key 3072
-openssl genrsa -passout pass:myPassPhrase -out cert/oidc_module_federation.key 3072
+openssl genrsa -passout pass:somePassword -out cert/oidc_module_connect_rsa_01.key 3072
+openssl genrsa -passout pass:somePassword -out cert/oidc_module_federation_rsa_01.key 3072
+openssl genrsa -passout pass:somePassword -out cert/oidc_module_vci_rsa_01.key 3072
 ```
 
 Extract public keys:
 
-Without passphrase:
+Without password:
 
 ```bash
-openssl rsa -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
-openssl rsa -in cert/oidc_module_federation.key -pubout -out cert/oidc_module_federation.crt
+openssl rsa -in cert/oidc_module_connect_rsa_01.key -pubout -out cert/oidc_module_connect_rsa_01.pub
+openssl rsa -in cert/oidc_module_federation_rsa_01.key -pubout -out cert/oidc_module_federation_rsa_01.pub
+openssl rsa -in cert/oidc_module_vci_rsa_01.key -pubout -out cert/oidc_module_vci_rsa_01.pub
 ```
 
-With a passphrase:
+With a password:
 
 ```bash
-openssl rsa -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
-openssl rsa -in cert/oidc_module_federation.key -passin pass:myPassPhrase -pubout -out cert/oidc_module_federation.crt
+openssl rsa -in cert/oidc_module_connect_rsa_01.key -passin pass:somePassword -pubout -out cert/oidc_module_connect_rsa_01.pub
+openssl rsa -in cert/oidc_module_federation_rsa_01.key -passin pass:somePassword -pubout -out cert/oidc_module_federation_rsa_01.pub
+openssl rsa -in cert/oidc_module_vci_rsa_01.key -passin pass:somePassword -pubout -out cert/oidc_module_vci_rsa_01.pub
 ```
 
-If you use different file names or a passphrase, update
-`config/module_oidc.php` accordingly.
+Enter algorithm, key file names, and a password (if used) in `config/module_oidc.php` accordingly.
 
-### EC key pair generation
+### EC key pair generation, per curve for different algorithms
 
 If you prefer to use Elliptic Curve Cryptography (ECC) instead of RSA.
 
-Generate private keys without a passphrase:
+Generate private EC P‑256 keys without a password, usable for `ES256` algorithm:
 
 ```bash
-openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module.key
-openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module_federation.key
+openssl ecparam -genkey -name prime256v1 -noout -out cert/oidc_module_connect_ec_p256_01.key
+openssl ecparam -genkey -name prime256v1 -noout -out cert/oidc_module_federation_ec_p256_01.key
+openssl ecparam -genkey -name prime256v1 -noout -out cert/oidc_module_vci_ec_p256_01.key
 ```
 
-Generate private keys with a passphrase:
+Generate private EC P‑256 keys with a password, usable for `ES256` algorithm:
 
 ```bash
-openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module.key -passout pass:myPassPhrase
-openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module_federation.key -passout pass:myPassPhrase
+openssl ecparam -genkey -name prime256v1 | openssl ec -AES-128-CBC -passout pass:somePassword -out cert/oidc_module_connect_ec_p256_01.key
+openssl ecparam -genkey -name prime256v1 | openssl ec -AES-128-CBC -passout pass:somePassword -out cert/oidc_module_federation_ec_p256_01.key
+openssl ecparam -genkey -name prime256v1 | openssl ec -AES-128-CBC -passout pass:somePassword -out cert/oidc_module_vci_ec_p256_01.key
 ```
 
 Extract public keys:
 
-Without passphrase:
+Without password:
 
 ```bash
-openssl ec -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
-openssl ec -in cert/oidc_module_federation.key -pubout -out cert/oidc_module_federation.crt
+openssl ec -in cert/oidc_module_connect_ec_p256_01.key -pubout -out cert/oidc_module_connect_ec_p256_01.pub
+openssl ec -in cert/oidc_module_federation_ec_p256_01.key -pubout -out cert/oidc_module_federation_ec_p256_01.pub
+openssl ec -in cert/oidc_module_vci_ec_p256_01.key -pubout -out cert/oidc_module_vci_ec_p256_01.pub
 ```
 
-With a passphrase:
+With a password:
 
 ```bash
-openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
-openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+openssl ec -in cert/oidc_module_connect_ec_p256_01.key -passin pass:somePassword -pubout -out cert/oidc_module_connect_ec_p256_01.pub
+openssl ec -in cert/oidc_module_federation_ec_p256_01.key -passin pass:somePassword -pubout -out cert/oidc_module_federation_ec_p256_01.pub
+openssl ec -in cert/oidc_module_vci_ec_p256_01.key -passin pass:somePassword -pubout -out cert/oidc_module_vci_ec_p256_01.pub
 ```
 
-If you use different file names or a passphrase, update
-`config/module_oidc.php` accordingly.
+For other curves, replace the `-name` option value depending on which
+algorithm you want to support:
+- `-name secp384r1`: usable for `ES384` algorithm
+- `-name secp521r1`: usable for `ES512` algorithm
+
+Enter algorithm, key file names, and a password (if used) in `config/module_oidc.php` accordingly.
+
+### Ed25519 key pair generation, for `EdDSA` algorithm
+
+Generate private keys without a password:
+
+```bash
+openssl genpkey -algorithm ED25519 -out cert/oidc_module_connect_ed25519_01.key
+openssl genpkey -algorithm ED25519 -out cert/oidc_module_federation_ed25519_01.key
+openssl genpkey -algorithm ED25519 -out cert/oidc_module_vci_ed25519_01.key
+```
+
+Generate private keys with a password:
+
+```bash
+openssl genpkey -algorithm ED25519 -AES-128-CBC -pass pass:somePassword -out cert/oidc_module_connect_ed25519_01.key
+openssl genpkey -algorithm ED25519 -AES-128-CBC -pass pass:somePassword -out cert/oidc_module_federation_ed25519_01.key
+openssl genpkey -algorithm ED25519 -AES-128-CBC -pass pass:somePassword -out cert/oidc_module_vci_ed25519_01.key
+```
+
+Extract public keys:
+
+Without password:
+
+```bash
+openssl pkey -in cert/oidc_module_connect_ed25519_01.key -pubout -out cert/oidc_module_connect_ed25519_01.pub
+openssl pkey -in cert/oidc_module_federation_ed25519_01.key -pubout -out cert/oidc_module_federation_ed25519_01.pub
+openssl pkey -in cert/oidc_module_vci_ed25519_01.key -pubout -out cert/oidc_module_vci_ed25519_01.pub
+```
+
+With a password:
+
+```bash
+openssl pkey -in cert/oidc_module_connect_ed25519_01.key -passin pass:somePassword -pubout -out cert/oidc_module_connect_ed25519_01.pub
+openssl pkey -in cert/oidc_module_federation_ed25519_01.key -passin pass:somePassword -pubout -out cert/oidc_module_federation_ed25519_01.pub
+openssl pkey -in cert/oidc_module_vci_ed25519_01.key -passin pass:somePassword -pubout -out cert/oidc_module_vci_ed25519_01.pub
+```
+
+Enter algorithm, key file names, and a password (if used) in `config/module_oidc.php` accordingly.
 
 ## 5. Enable the module