[Security] Allow multiple OIDC discovery endpoints

ruudk · ruudk · commit c6bcc32b8003 · 2025-10-12T13:40:41.000+02:00
When a firewall accepts tokens from multiple identity providers,
it needs to validate tokens against different OIDC discovery
endpoints. This change allows configuring multiple named discovery
servers instead of just one, while keeping backward compatibility.
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
@@ -28,6 +28,8 @@ class OidcTokenHandlerFactory implements TokenHandlerFactoryInterface
 {
     public function create(ContainerBuilder $container, string $id, array|string $config): void
     {
+        \assert(\is_array($config));
+
         $tokenHandlerDefinition = $container->setDefinition($id, (new ChildDefinition('security.access_token_handler.oidc'))
             ->replaceArgument(2, $config['audience'])
             ->replaceArgument(3, $config['issuers'])
@@ -41,23 +43,26 @@ public function create(ContainerBuilder $container, string $id, array|string $co
         $tokenHandlerDefinition->replaceArgument(0, (new ChildDefinition('security.access_token_handler.oidc.signature'))
             ->replaceArgument(0, $config['algorithms']));
 
-        if (isset($config['discovery'])) {
+        if ($config['discovery']) {
             if (!ContainerBuilder::willBeAvailable('symfony/http-client', HttpClientInterface::class, ['symfony/security-bundle'])) {
                 throw new LogicException('You cannot use the "oidc" token handler with "discovery" since the HttpClient component is not installed. Try running "composer require symfony/http-client".');
             }
 
             // disable JWKSet argument
             $tokenHandlerDefinition->replaceArgument(1, null);
-            $tokenHandlerDefinition->addMethodCall(
-                'enableDiscovery',
-                [
-                    new Reference($config['discovery']['cache']['id']),
-                    (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client'))
-                        ->replaceArgument(0, ['base_uri' => $config['discovery']['base_uri']]),
-                    "$id.oidc_configuration",
-                    "$id.oidc_jwk_set",
-                ]
-            );
+
+            foreach ($config['discovery'] as $name => $discovery) {
+                $tokenHandlerDefinition->addMethodCall(
+                    'enableDiscovery',
+                    [
+                        new Reference($discovery['cache']['id']),
+                        (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client'))
+                            ->replaceArgument(0, ['base_uri' => $discovery['base_uri']]),
+                        'default' === $name && 1 === \count($config['discovery']) ? "$id.oidc_configuration" : "$id.$name.oidc_configuration",
+                        'default' === $name && 1 === \count($config['discovery']) ? "$id.oidc_jwk_set" : "$id.$name.oidc_jwk_set",
+                    ]
+                );
+            }
 
             return;
         }
@@ -93,7 +98,7 @@ public function create(ContainerBuilder $container, string $id, array|string $co
             ;
         }
 
-        $firewall = substr($id, strlen('security.access_token_handler.'));
+        $firewall = substr($id, \strlen('security.access_token_handler.'));
         $container->getDefinition('security.access_token_handler.oidc.command.generate')
             ->addMethodCall('addGenerator', [
                 $firewall,
@@ -123,7 +128,7 @@ public function addConfiguration(NodeBuilder $node): void
                     ->thenInvalid('You must set either "algorithm" or "algorithms".')
                 ->end()
                 ->validate()
-                    ->ifTrue(static fn ($v) => !isset($v['discovery']) && !isset($v['key']) && !isset($v['keyset']))
+                    ->ifTrue(static fn ($v) => !$v['discovery'] && !isset($v['key']) && !isset($v['keyset']))
                     ->thenInvalid('You must set either "discovery" or "key" or "keyset".')
                 ->end()
                 ->beforeNormalization()
@@ -150,24 +155,30 @@ public function addConfiguration(NodeBuilder $node): void
                             $v['keyset'] = \sprintf('{"keys":[%s]}', $v['key']);
                         }
 
+                        if (isset($v['discovery']['base_uri'])) {
+                            $v['discovery'] = ['default' => $v['discovery']];
+                        }
+
                         return $v;
                     })
                 ->end()
                 ->children()
-                    ->arrayNode('discovery')
-                        ->info('Enable the OIDC discovery.')
-                        ->children()
-                            ->scalarNode('base_uri')
-                                ->info('Base URI of the OIDC server.')
-                                ->isRequired()
-                                ->cannotBeEmpty()
-                            ->end()
-                            ->arrayNode('cache')
-                                ->children()
-                                    ->scalarNode('id')
-                                        ->info('Cache service id to use to cache the OIDC discovery configuration.')
-                                        ->isRequired()
-                                        ->cannotBeEmpty()
+                     ->arrayNode('discovery')
+                        ->useAttributeAsKey('name')
+                        ->prototype('array')
+                            ->children()
+                                ->scalarNode('base_uri')
+                                    ->info('Base URI of the OIDC server.')
+                                    ->isRequired()
+                                    ->cannotBeEmpty()
+                                    ->end()
+                                ->arrayNode('cache')
+                                    ->children()
+                                        ->scalarNode('id')
+                                            ->info('Cache service id to use to cache the OIDC discovery configuration.')
+                                            ->isRequired()
+                                            ->cannotBeEmpty()
+                                        ->end()
                                     ->end()
                                 ->end()
                             ->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_token_oidc_user_info_multiple_discovery.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_token_oidc_user_info_multiple_discovery.php
@@ -0,0 +1,37 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'providers' => [
+        'default' => [
+            'memory' => null,
+        ],
+    ],
+    'firewalls' => [
+        'firewall1' => [
+            'provider' => 'default',
+            'access_token' => [
+                'token_handler' => [
+                    'oidc_user_info' => [
+                        'example' => [
+                            'base_uri' => 'https://www.example.com/realms/demo/protocol/openid-connect/userinfo',
+                            'discovery' => [
+                                'cache' => [
+                                    'id' => 'oidc_cache',
+                                ],
+                            ],
+                        ],
+                        'github' => [
+                            'base_uri' => 'https://www.github.com/realms/demo/protocol/openid-connect/userinfo',
+                            'discovery' => [
+                                'cache' => [
+                                    'id' => 'oidc_cache_github',
+                                ],
+                            ],
+                        ],
+                    ],
+                ],
+            ],
+        ],
+    ],
+]);
+
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Security/Factory/AccessTokenFactoryTest.php
@@ -395,6 +395,76 @@ public function testOidcTokenHandlerConfigurationWithDiscovery()
         $this->assertEquals($expectedCalls, $container->getDefinition('security.access_token_handler.firewall1')->getMethodCalls());
     }
 
+    public function testOidcTokenHandlerConfigurationWithMultipleDiscovery()
+    {
+        $container = new ContainerBuilder();
+        $jwkset = '{"keys":[{"kty":"EC","crv":"P-256","x":"FtgMtrsKDboRO-Zo0XC7tDJTATHVmwuf9GK409kkars","y":"rWDE0ERU2SfwGYCo1DWWdgFEbZ0MiAXLRBBOzBgs_jY","d":"4G7bRIiKih0qrFxc0dtvkHUll19tTyctoCR3eIbOrO0"},{"kty":"EC","crv":"P-256","x":"0QEAsI1wGI-dmYatdUZoWSRWggLEpyzopuhwk-YUnA4","y":"KYl-qyZ26HobuYwlQh-r0iHX61thfP82qqEku7i0woo","d":"iA_TV2zvftni_9aFAQwFO_9aypfJFCSpcCyevDvz220"}]}';
+        $config = [
+            'token_handler' => [
+                'oidc' => [
+                    'discovery' => [
+                        'demo' => [
+                            'base_uri' => 'https://www.example.com/realms/demo/',
+                            'cache' => [
+                                'id' => 'oidc_cache',
+                            ],
+                        ],
+                        'api' => [
+                            'base_uri' => 'https://www.api.com/realms/api/',
+                            'cache' => [
+                                'id' => 'oidc_cache_for_api',
+                            ],
+                        ],
+                    ],
+                    'algorithms' => ['RS256', 'ES256'],
+                    'issuers' => ['https://www.example.com'],
+                    'audience' => 'audience',
+                ],
+            ],
+        ];
+
+        $factory = new AccessTokenFactory($this->createTokenHandlerFactories());
+        $finalizedConfig = $this->processConfig($config, $factory);
+
+        $factory->createAuthenticator($container, 'firewall1', $finalizedConfig, 'userprovider');
+
+        $this->assertTrue($container->hasDefinition('security.authenticator.access_token.firewall1'));
+        $this->assertTrue($container->hasDefinition('security.access_token_handler.firewall1'));
+
+        $expectedArgs = [
+            'index_0' => (new ChildDefinition('security.access_token_handler.oidc.signature'))
+                ->replaceArgument(0, ['RS256', 'ES256']),
+            'index_1' => null,
+            'index_2' => 'audience',
+            'index_3' => ['https://www.example.com'],
+            'index_4' => 'sub',
+        ];
+        $expectedCalls = [
+            [
+                'enableDiscovery',
+                [
+                    new Reference('oidc_cache'),
+                    (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client'))
+                        ->replaceArgument(0, ['base_uri' => 'https://www.example.com/realms/demo/']),
+                    'security.access_token_handler.firewall1.demo.oidc_configuration',
+                    'security.access_token_handler.firewall1.demo.oidc_jwk_set',
+                ],
+            ],
+            [
+                'enableDiscovery',
+                [
+                    new Reference('oidc_cache_for_api'),
+                    (new ChildDefinition('security.access_token_handler.oidc_discovery.http_client'))
+                        ->replaceArgument(0, ['base_uri' => 'https://www.api.com/realms/api/']),
+                    'security.access_token_handler.firewall1.api.oidc_configuration',
+                    'security.access_token_handler.firewall1.api.oidc_jwk_set',
+                ],
+            ],
+        ];
+        $this->assertEquals($expectedArgs, $container->getDefinition('security.access_token_handler.firewall1')->getArguments());
+        $this->assertEquals($expectedCalls, $container->getDefinition('security.access_token_handler.firewall1')->getMethodCalls());
+    }
+
     public function testOidcUserInfoTokenHandlerConfigurationWithExistingClient()
     {
         $container = new ContainerBuilder();
diff --git a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -47,10 +47,15 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     private ?AlgorithmManager $decryptionAlgorithms = null;
     private bool $enforceEncryption = false;
 
-    private ?CacheInterface $discoveryCache = null;
-    private ?HttpClientInterface $discoveryClient = null;
-    private ?string $oidcConfigurationCacheKey = null;
-    private ?string $oidcJWKSetCacheKey = null;
+    /**
+     * @var list<array{
+     *     cache: CacheInterface,
+     *     client: HttpClientInterface,
+     *     oidcConfigurationCacheKey: string,
+     *     oidcJWKSetCacheKey: string
+     * }>
+     */
+    private array $discovery = [];
 
     public function __construct(
         private Algorithm|AlgorithmManager $signatureAlgorithm,
@@ -80,10 +85,12 @@ public function enableJweSupport(JWKSet $decryptionKeyset, AlgorithmManager $dec
 
     public function enableDiscovery(CacheInterface $cache, HttpClientInterface $client, string $oidcConfigurationCacheKey, string $oidcJWKSetCacheKey): void
     {
-        $this->discoveryCache = $cache;
-        $this->discoveryClient = $client;
-        $this->oidcConfigurationCacheKey = $oidcConfigurationCacheKey;
-        $this->oidcJWKSetCacheKey = $oidcJWKSetCacheKey;
+        $this->discovery[] = [
+            'cache' => $cache,
+            'client' => $client,
+            'oidcConfigurationCacheKey' => $oidcConfigurationCacheKey,
+            'oidcJWKSetCacheKey' => $oidcJWKSetCacheKey,
+        ];
     }
 
     public function getUserBadgeFrom(string $accessToken): UserBadge
@@ -92,44 +99,51 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             throw new \LogicException('You cannot use the "oidc" token handler since "web-token/jwt-signature" and "web-token/jwt-checker" are not installed. Try running "composer require web-token/jwt-signature web-token/jwt-checker".');
         }
 
-        if (!$this->discoveryCache && !$this->signatureKeyset) {
+        if (!$this->discovery && !$this->signatureKeyset) {
             throw new \LogicException('You cannot use the "oidc" token handler without JWKSet nor "discovery". Please configure JWKSet in the constructor, or call "enableDiscovery" method.');
         }
 
         $jwkset = $this->signatureKeyset;
-        if ($this->discoveryCache) {
-            try {
-                $oidcConfiguration = json_decode($this->discoveryCache->get($this->oidcConfigurationCacheKey, function (): string {
-                    $response = $this->discoveryClient->request('GET', '.well-known/openid-configuration');
-
-                    return $response->getContent();
-                }), true, 512, \JSON_THROW_ON_ERROR);
-            } catch (\Throwable $e) {
-                $this->logger?->error('An error occurred while requesting OIDC configuration.', [
-                    'error' => $e->getMessage(),
-                    'trace' => $e->getTraceAsString(),
-                ]);
-
-                throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
-            }
-
-            try {
-                $jwkset = JWKSet::createFromJson(
-                    $this->discoveryCache->get($this->oidcJWKSetCacheKey, function () use ($oidcConfiguration): string {
-                        $response = $this->discoveryClient->request('GET', $oidcConfiguration['jwks_uri']);
+        if ($this->discovery) {
+            $jwkset = new JWKSet([]);
+            foreach ($this->discovery as ['cache' => $discoveryCache, 'client' => $discoveryClient, 'oidcConfigurationCacheKey' => $oidcConfigurationCacheKey, 'oidcJWKSetCacheKey' => $oidcJWKSetCacheKey]) {
+                try {
+                    $oidcConfiguration = json_decode($discoveryCache->get($oidcConfigurationCacheKey, function () use ($discoveryClient): string {
+                        $response = $discoveryClient->request('GET', '.well-known/openid-configuration');
+
+                        return $response->getContent();
+                    }), true, 512, \JSON_THROW_ON_ERROR);
+                } catch (\Throwable $e) {
+                    $this->logger?->error('An error occurred while requesting OIDC configuration.', [
+                        'error' => $e->getMessage(),
+                        'trace' => $e->getTraceAsString(),
+                    ]);
+
+                    throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+                }
+
+                try {
+                    $json = $discoveryCache->get($oidcJWKSetCacheKey, function () use (
+                        $discoveryClient,
+                        $oidcConfiguration): string {
+                        $response = $discoveryClient->request('GET', $oidcConfiguration['jwks_uri']);
                         // we only need signature key
                         $keys = array_filter($response->toArray()['keys'], static fn (array $key) => 'sig' === $key['use']);
 
                         return json_encode(['keys' => $keys]);
-                    })
-                );
-            } catch (\Throwable $e) {
-                $this->logger?->error('An error occurred while requesting OIDC certs.', [
-                    'error' => $e->getMessage(),
-                    'trace' => $e->getTraceAsString(),
-                ]);
-
-                throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+                    });
+
+                    foreach (JWKSet::createFromJson($json) as $key) {
+                        $jwkset = $jwkset->with($key);
+                    }
+                } catch (\Throwable $e) {
+                    $this->logger?->error('An error occurred while requesting OIDC certs.', [
+                        'error' => $e->getMessage(),
+                        'trace' => $e->getTraceAsString(),
+                    ]);
+
+                    throw new BadCredentialsException('Invalid credentials.', $e->getCode(), $e);
+                }
             }
         }
 
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -36,6 +36,7 @@ CHANGELOG
  * Allow subclassing `#[IsGranted]`
  * Add `$tokenSource` argument to `#[IsCsrfTokenValid]` to support reading tokens from the query string or headers
  * Deprecate `RememberMeDetails::getUserFqcn()`, the user FQCN will be removed from the remember-me cookie in 8.0
+ * Allow configuring multiple OIDC discovery endpoints
 
 7.3
 ---
diff --git a/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php
