Merge branch '7.4' into 8.0

* 7.4: (28 commits)
  [Messenger] Allow Pheanstalk v8
  [TypeInfo] Fix resolving constructor type with templates
  fix compatibility with RelayCluster 0.12
  fix type alias with template resolving
  fix compatibility with RelayCluster 0.11 and 0.12
  [DependencyInjection] Register a custom autoloader to generate `*Config` classes when they don't exist yet
  [Security] Add security:oidc-token:generate command
  [PropertyInfo][TypeInfo] Fix resolving constructor type with templates
  [WebProfilerBundle] ”finish” errored requests
  Add support for union types on AsEventListener
  [Console] Update CHANGELOG to reflect attribute name changes for interactive invokable commands
  bump ext-redis to 6.2 and ext-relay to 0.12 minimum
  [TypeInfo] Fix type alias with template resolving
  [Console] Add support for interactive invokable commands with `#[Interact]` and `#[Ask]` attributes
  bump ext-relay to 0.12+
  fix merge
  [Config] Generate the array-shape of the current node instead of the whole root node in Config classes
  [HttpFoundation] Deprecate Request::get() in favor of using properties ->attributes, query or request directly
  fix Relay Cluster 0.12 compatibility
  [TypeInfo] ArrayShape can resolve key type as callable instead of string
  ...

Author: nicolas-grekas

DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php

@@ -17,6 +17,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 /**
@@ -78,6 +79,33 @@ public function create(ContainerBuilder $container, string $id, array|string $co
                 ]
             );
         }
+
+        // Generate command
+        if (!class_exists(OidcTokenGenerateCommand::class)) {
+            return;
+        }
+
+        if (!$container->hasDefinition('security.access_token_handler.oidc.command.generate')) {
+            $container
+                ->register('security.access_token_handler.oidc.command.generate', OidcTokenGenerateCommand::class)
+                ->addTag('console.command')
+            ;
+        }
+
+        $firewall = substr($id, strlen('security.access_token_handler.'));
+        $container->getDefinition('security.access_token_handler.oidc.command.generate')
+            ->addMethodCall('addGenerator', [
+                $firewall,
+                (new ChildDefinition('security.access_token_handler.oidc.generator'))
+                    ->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))->replaceArgument(0, $config['algorithms']))
+                    ->replaceArgument(1, (new ChildDefinition('security.access_token_handler.oidc.jwkset'))->replaceArgument(0, $config['keyset']))
+                    ->replaceArgument(2, $config['audience'])
+                    ->replaceArgument(3, $config['issuers'])
+                    ->replaceArgument(4, $config['claim']),
+                $config['algorithms'],
+                $config['issuers'],
+            ])
+        ;
     }
 
     public function getKey(): string

Resources/config/security_authenticator_access_token.php

@@ -37,10 +37,12 @@
 use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor;
 use Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor;
 use Symfony\Component\Security\Http\AccessToken\OAuth2\Oauth2TokenHandler;
+use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler;
 use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Command\OidcTokenGenerateCommand;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 return static function (ContainerConfigurator $container) {
@@ -200,5 +202,16 @@
                 service('http_client'),
                 service('logger')->nullOnInvalid(),
             ])
+
+        ->set('security.access_token_handler.oidc.generator', OidcTokenGenerator::class)
+            ->abstract()
+            ->args([
+                abstract_arg('signature algorithm'),
+                abstract_arg('signature key'),
+                abstract_arg('audience'),
+                abstract_arg('issuers'),
+                abstract_arg('claim'),
+                service('clock'),
+            ])
     ;
 };

Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php

@@ -25,6 +25,7 @@
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenGenerator;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
 class AccessTokenFactoryTest extends TestCase
@@ -511,4 +512,52 @@ private function createTokenHandlerFactories(): array
             new OAuth2TokenHandlerFactory(),
         ];
     }
+
+    public function testOidcTokenGenerator()
+    {
+        if (!class_exists(OidcTokenGenerator::class)) {
+            $this->markTestSkipped('OidcTokenGenerator not available.');
+        }
+
+        $container = new ContainerBuilder();
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                    'keyset' => $jwkset,
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.oidc.command.generate'));
+        $this->assertTrue($container->getDefinition('security.access_token_handler.oidc.command.generate')->hasMethodCall('addGenerator'));
+    }
+
+    public function testOidcTokenGeneratorCommandWithNoTokenHandler()
+    {
+        $container = new ContainerBuilder();
+        $config = [
+            'token_handler' => [
+                'oidc_user_info' => [
+                    'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo',
+                    'client' => 'oidc.client',
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertFalse($container->hasDefinition('security.access_token_handler.oidc.command.generate'));
+    }
 }