
[Security] Import oidc.signature.key JWK from OIDC server #50434

Open
vincentchalamon opened this issue May 25, 2023 · 2 comments · May be fixed by #54932

Comments

@vincentchalamon
Contributor

Description

On the OIDC (experimental) feature, the JWK must be set in the configuration (e.g.: key: %env(OIDC_JWK)%). This JWK is generated on the OIDC server. If it changes there, its value must be updated on the Symfony project.

To access it, most OIDC servers implement a /protocol/openid-connect/certs URI exposing the public JWKs used to encrypt JWTs and sign them. I suggest importing this JWK from this URI dynamically, and saving it locally to prevent any extra HTTP request (app cache?).

Question: should it be a new feature or a bugfix?

Example

Current implementation:

security:
  firewalls:
    main:
      oidc:
        signature:
          key: '{"kid": "...","kty": "RSA","alg": "RS256","use": "sig","n": "3G..."}'

Proposals:

security:
  firewalls:
    main:
      oidc:
        signature:
          # proposal 1: detect that the value is a URI, call it to import the JWK
          key: 'https://www.example.com/protocol/openid-connect/certs'
          # proposal 2: add a new option "certs", not combinable with "key", to import and set the "key" option dynamically
          certs: 'https://www.example.com/protocol/openid-connect/certs'
@carsonbot

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

@tomme87

tomme87 commented Apr 15, 2024

Ideally it should be possible to configure an OIDC discovery endpoint and use the jwks_uri to fetch the keys.
It should also be cacheable.
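Putting the two suggestions in this thread together (fetch the key set from the jwks_uri advertised by the provider's discovery document, cache it locally, and refresh it once when a token carries a kid that is not in the cached set, which is what key rotation on the server looks like from the client side), as an added example that is neither Symfony's code nor the linked pull request. It assumes the web-token/jwt-framework, symfony/http-client and symfony/cache packages that the OIDC token handler already builds on; the issuer URL, cache namespace and TTL are placeholders.

```php
<?php
// Added example, not Symfony's code. Assumes symfony/http-client, symfony/cache
// and web-token/jwt-framework are installed. Issuer URL and TTL are placeholders.

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;
use Symfony\Component\HttpClient\HttpClient;
use Symfony\Contracts\Cache\CacheInterface;
use Symfony\Contracts\Cache\ItemInterface;
use Symfony\Contracts\HttpClient\HttpClientInterface;

final class DiscoveredJwksProvider
{
    private const CACHE_KEY = 'oidc.signature.jwks';

    public function __construct(
        private readonly HttpClientInterface $http,
        private readonly CacheInterface $cache,
        private readonly string $issuer,         // placeholder, e.g. https://idp.example.com
        private readonly int $ttlSeconds = 3600, // how long a fetched key set is reused
    ) {
    }

    /** Read jwks_uri from the discovery document, then fetch the key set as raw JSON. */
    private function fetchKeySetJson(): string
    {
        $discoveryUrl = rtrim($this->issuer, '/').'/.well-known/openid-configuration';
        $discovery = $this->http->request('GET', $discoveryUrl)->toArray();
        $jwksUri = $discovery['jwks_uri'] ?? null;
        // Refuse a plaintext jwks_uri: keys fetched over http could be swapped in transit.
        if (!is_string($jwksUri) || !str_starts_with($jwksUri, 'https://')) {
            throw new \RuntimeException('Discovery document has no https jwks_uri');
        }

        return $this->http->request('GET', $jwksUri)->getContent();
    }

    /** Cached key set; the callback only runs on a cache miss or after the TTL expires. */
    public function keySet(bool $forceRefresh = false): JWKSet
    {
        if ($forceRefresh) {
            $this->cache->delete(self::CACHE_KEY);
        }
        $json = $this->cache->get(self::CACHE_KEY, function (ItemInterface $item): string {
            $item->expiresAfter($this->ttlSeconds);

            return $this->fetchKeySetJson();
        });

        return JWKSet::createFromJson($json);
    }

    /** Signing key for a kid; an unknown kid triggers exactly one refresh (key rotation). */
    public function keyFor(string $kid): JWK
    {
        foreach ([false, true] as $refresh) {
            $key = $this->keySet($refresh)->selectKey('sig', new RS256(), ['kid' => $kid]);
            if (null !== $key) {
                return $key;
            }
        }
        throw new \RuntimeException(sprintf('No RS256 signing key with kid "%s"', $kid));
    }
}

/** Verify a compact JWS against the discovered keys, accepting RS256 only. */
function verifyRs256Token(DiscoveredJwksProvider $keys, string $token): bool
{
    $jws = (new CompactSerializer())->unserialize($token);
    $header = $jws->getSignature(0)->getProtectedHeader();
    // Pin the algorithm the provider is expected to use instead of trusting the token's alg.
    if (($header['alg'] ?? null) !== 'RS256' || !isset($header['kid'])) {
        return false;
    }
    $verifier = new JWSVerifier(new AlgorithmManager([new RS256()]));

    return $verifier->verifyWithKeySet($jws, new JWKSet([$keys->keyFor($header['kid'])]), 0);
}

// Wiring with placeholders: default HTTP client, filesystem cache under the "oidc" namespace.
$provider = new DiscoveredJwksProvider(HttpClient::create(), new FilesystemAdapter('oidc'), 'https://idp.example.com');
// $signatureOk = verifyRs256Token($provider, $bearerToken);
```

A valid signature only proves the token was issued by a holder of the provider's key; the issuer, audience and expiry claims still have to be checked afterwards, as the token handler does with the configured key today. The single forced refresh on an unknown kid is what keeps a rotated key from locking users out until the TTL expires, while the TTL itself bounds how often an attacker-controlled stream of bogus kids can make the application hit the provider.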

@vincentchalamon vincentchalamon linked a pull request May 15, 2024 that will close this issue