Web-Token Suite 4.0 support

.github/workflows/web-token-ci.yml

@@ -48,7 +48,7 @@ jobs:
 
             - name: "Require web-token/*"
               run: |
-                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3"
+                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3|^4.0"
                   composer require --dev --no-update spomky-labs/aes-key-wrap:"^7.0"
 
             - name: "Install dependencies"

Command/EnableEncryptionConfigCommand.php

@@ -8,6 +8,7 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
 use Jose\Component\Encryption\JWEBuilder;
@@ -16,7 +17,6 @@
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

Command/MigrateConfigCommand.php

@@ -6,11 +6,11 @@
 use Jose\Component\Checker\ClaimCheckerManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\KeyManagement\JWKFactory;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

DependencyInjection/LexikJWTAuthenticationExtension.php

@@ -13,6 +13,7 @@
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
@@ -223,7 +224,8 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
             }
         }
         if ($config['access_token_verification']['enabled'] === true) {
-            $loader->load('web_token_verification.xml');
+            $phpLoader = new PhpFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));
+            $phpLoader->load('web_token_verification.php');
             $accessTokenLoader = 'lexik_jwt_authentication.access_token_loader';
             $accessTokenLoaderDefinition = $container->getDefinition($accessTokenLoader);
             $accessTokenLoaderDefinition
@@ -241,6 +243,14 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
                     ->replaceArgument(11, $config['access_token_verification']['encryption']['allowed_content_encryption_algorithms'])
                     ->replaceArgument(12, $config['access_token_verification']['encryption']['keyset'])
                 ;
+            } else {
+                $accessTokenLoaderDefinition
+                    ->replaceArgument(8, null)
+                    ->replaceArgument(9, null)
+                    ->replaceArgument(10, null)
+                    ->replaceArgument(11, null)
+                    ->replaceArgument(12, null)
+                ;
             }
         }
     }

Resources/config/web_token_verification.php

@@ -0,0 +1,76 @@
+<?php
+
+
+declare(strict_types=1);
+
+use Lcobucci\Clock\SystemClock;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\WebToken\AccessTokenLoader;
+use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
+use function Symfony\Component\DependencyInjection\Loader\Configurator\service;
+use function Symfony\Component\DependencyInjection\Loader\Configurator\param;
+use function Symfony\Component\DependencyInjection\Loader\Configurator\abstract_arg;
+
+return function (ContainerConfigurator $container): void {
+    $container = $container->services()
+        ->defaults()
+        ->private()
+        ->autoconfigure()
+        ->autowire();
+
+    $container->set('lexik_jwt_authentication.web_token.clock')
+        ->class(SystemClock::class)
+        ->factory([SystemClock::class, 'fromUTC'])
+    ;
+
+    $container->set('lexik_jwt_authentication.access_token_loader')
+        ->class(AccessTokenLoader::class)
+        ->args([
+            service(\Jose\Bundle\JoseFramework\Services\JWSLoaderFactory::class),
+            service(\Jose\Bundle\JoseFramework\Services\JWELoaderFactory::class),
+            service(\Jose\Bundle\JoseFramework\Services\ClaimCheckerManagerFactory::class),
+            abstract_arg('Claim checkers'),
+            abstract_arg('JWS header checkers'),
+            abstract_arg('Mandatory claims'),
+            abstract_arg('Allowed signature algorithms'),
+            abstract_arg('Signature keyset'),
+            abstract_arg('Continue on decryption failure'),
+            abstract_arg('JWE header checkers'),
+            abstract_arg('Allowed key encryption algorithms'),
+            abstract_arg('Allowed content encryption algorithms'),
+            abstract_arg('Encryption keyset'),
+        ])
+    ;
+
+    $container->set('lexik_jwt_authentication.web_token.iat_validator')
+        ->class(\Jose\Component\Checker\IssuedAtChecker::class)
+        ->args([
+            '$clock' => service('lexik_jwt_authentication.web_token.clock'),
+            '$allowedTimeDrift' => param('lexik_jwt_authentication.clock_skew'),
+            '$protectedHeaderOnly' => true,
+        ])
+        ->tag('jose.checker.claim', ['alias' => 'iat_with_clock_skew'])
+        ->tag('jose.checker.header', ['alias' => 'iat_with_clock_skew'])
+    ;
+
+    $container->set('lexik_jwt_authentication.web_token.exp_validator')
+        ->class(\Jose\Component\Checker\ExpirationTimeChecker::class)
+        ->args([
+            '$clock' => service('lexik_jwt_authentication.web_token.clock'),
+            '$allowedTimeDrift' => param('lexik_jwt_authentication.clock_skew'),
+            '$protectedHeaderOnly' => true,
+        ])
+        ->tag('jose.checker.claim', ['alias' => 'exp_with_clock_skew'])
+        ->tag('jose.checker.header', ['alias' => 'exp_with_clock_skew'])
+    ;
+
+    $container->set('lexik_jwt_authentication.web_token.nbf_validator')
+        ->class(\Jose\Component\Checker\NotBeforeChecker::class)
+        ->args([
+            '$clock' => service('lexik_jwt_authentication.web_token.clock'),
+            '$allowedTimeDrift' => param('lexik_jwt_authentication.clock_skew'),
+            '$protectedHeaderOnly' => true,
+        ])
+        ->tag('jose.checker.claim', ['alias' => 'nbf_with_clock_skew'])
+        ->tag('jose.checker.header', ['alias' => 'nbf_with_clock_skew'])
+    ;
+};

Services/WebToken/AccessTokenLoader.php

@@ -47,7 +47,7 @@ public function __construct(
     ) {
         $this->jwsLoader = $jwsLoaderFactory->create(['jws_compact'], $signatureAlgorithms, $jwsHeaderChecker);
         if ($jweLoaderFactory !== null && $keyEncryptionAlgorithms !== null && $contentEncryptionAlgorithms !== null && $jweHeaderChecker !== null) {
-            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), null, null, $jweHeaderChecker);
+            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), headerCheckers: $jweHeaderChecker);
             $this->continueOnDecryptionFailure = $continueOnDecryptionFailure;
         }
         $this->signatureKeyset = JWKSet::createFromJson($signatureKeyset);

Tests/Functional/WebTokenTest.php

@@ -4,11 +4,11 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A128GCMKW;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A256GCMKW;
-use Jose\Component\Encryption\Compression\CompressionMethodManager;
 use Jose\Component\Encryption\JWEBuilder;
 use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
 use Jose\Component\Signature\Algorithm\HS256;
@@ -20,7 +20,6 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTInvalidEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -336,9 +335,7 @@ private function buildJWS(array $claims, array $header, JWK $signatureKey): stri
     private function buildJWE(string $payload, array $header, JWK $encryptionKey): string
     {
         $builder = new JWEBuilder(
-            new AlgorithmManager([new A256GCMKW(), new A128GCMKW()]),
-            new AlgorithmManager([new A256GCM(), new A128GCM()]),
-            new CompressionMethodManager([])
+            new AlgorithmManager([new A256GCMKW(), new A128GCMKW(), new A256GCM(), new A128GCM()]),
         );
         $jwe = $builder
             ->create()