feature #60660 [Security] Add security:oidc-token:generate command (Jean-Beru)

This PR was squashed before being merged into the 7.4 branch.

Discussion
----------

[Security] Add security:oidc-token:generate command

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | yes (should I create the CHANGELOG-7.4.md file?)
| Deprecations? | no
| Issues        |
| License       | MIT

The `OidcTokenHandler`, [introduced in Symfony 6.3](https://symfony.com/blog/new-in-symfony-6-3-openid-connect-token-handler), allows to decode a JWT token, validate it and retrieve the user info from it.

This pull request introduces a new Symfony command, `bin/console security:oidc-token:generate`, designed to facilitate the generation of JWTs. It can be useful for generating a token for testing purpose.

### Argument and options

```
Description:
  Generate an OIDC token for a given user

Usage:
  security:oidc-token:generate [options] [--] <user-identifier>

Arguments:
  user-identifier              User identifier

Options:
      --firewall=FIREWALL      Firewall
      --algorithm=ALGORITHM    Algorithm name to use to sign
      --issuer=ISSUER          Set the Issuer claim (iss)
      --ttl=TTL                Set the Expiration Time claim (exp) (time to live in seconds)
      --not-before=NOT-BEFORE  Set the Not Before claim (nbf)

```

### Usage

```bash
php bin/console security:oidc-token:generate [email protected] \
  --firewall="api" \
  --algorithm="HS256" \
  --issuer="https://example.com" \
  --ttl=7200 \
  --not-before=tomorrow
```

> [!TIP]
> When there is only one value, both "firewall", "algorithm" and "issuer" are not required..

Commits
-------

5c18b1acaa5 [Security] Add security:oidc-token:generate command

Author: fabpot

DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php

@@ -18,6 +18,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 /**
@@ -79,6 +80,33 @@ public function create(ContainerBuilder $container, string $id, array|string $co
                 ]
             );
         }
+
+        // Generate command
+        if (!class_exists(OidcTokenGenerateCommand::class)) {
+            return;
+        }
+
+        if (!$container->hasDefinition('security.access_token_handler.oidc.command.generate')) {
+            $container
+                ->register('security.access_token_handler.oidc.command.generate', OidcTokenGenerateCommand::class)
+                ->addTag('console.command')
+            ;
+        }
+
+        $firewall = substr($id, strlen('security.access_token_handler.'));
+        $container->getDefinition('security.access_token_handler.oidc.command.generate')
+            ->addMethodCall('addGenerator', [
+                $firewall,
+                (new ChildDefinition('security.access_token_handler.oidc.generator'))
+                    ->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))->replaceArgument(0, $config['algorithms']))
+                    ->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))->replaceArgument(0, $config['keyset']))
+                    ->replaceArgument(2, $config['audience'])
+                    ->replaceArgument(3, $config['issuers'])
+                    ->replaceArgument(4, $config['claim']),
+                $config['algorithms'],
+                $config['issuers'],
+            ])
+        ;
     }
 
     public function getKey(): string

Resources/config/security_authenticator_access_token.php

@@ -37,10 +37,12 @@
 use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor;
 use Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor;
 use Symfony\Component\Security\Http\AccessToken\OAuth2\Oauth2TokenHandler;
+use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler;
 use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 return static function (ContainerConfigurator $container) {
@@ -200,5 +202,16 @@
                 service('http_client'),
                 service('logger')->nullOnInvalid(),
             ])
+
+        ->set('security.access_token_handler.oidc.generator', OidcTokenGenerator::class)
+            ->abstract()
+            ->args([
+                abstract_arg('signature algorithm'),
+                abstract_arg('signature key'),
+                abstract_arg('audience'),
+                abstract_arg('issuers'),
+                abstract_arg('claim'),
+                service('clock'),
+            ])
     ;
 };

Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php

@@ -27,6 +27,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 class AccessTokenFactoryTest extends TestCase
@@ -596,4 +597,52 @@ private function createTokenHandlerFactories(): array
             new OAuth2TokenHandlerFactory(),
         ];
     }
+
+    public function testOidcTokenGenerator()
+    {
+        if (!class_exists(OidcTokenGenerator::class)) {
+            $this->markTestSkipped('OidcTokenGenerator not available.');
+        }
+
+        $container = new ContainerBuilder();
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.oidc.command.generate'));
+        $this->assertTrue($container->getDefinition('security.access_token_handler.oidc.command.generate')->hasMethodCall('addGenerator'));
+    }
+
+    public function testOidcTokenGeneratorCommandWithNoTokenHandler()
+    {
+        $container = new ContainerBuilder();
+        $config = [
+            'token_handler' => [
+                'oidc_user_info' => [
+                    'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo',
+                    'client' => 'oidc.client',
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertFalse($container->hasDefinition('security.access_token_handler.oidc.command.generate'));
+    }
 }