
[Security] Support JWE on OidcTokenHandler #50441

Open
vincentchalamon opened this issue May 26, 2023 · 3 comments
Comments

@vincentchalamon
Contributor

Description

The OIDC Core Specification recommends decrypting the ID Token if it's encrypted:

If the ID Token is encrypted, decrypt it using the keys and algorithms that the Client specified during Registration that the OP was to use to encrypt the ID Token. If encryption was negotiated with the OP at Registration time and the ID Token is not encrypted, the RP SHOULD reject it.

AFAIK, JWEs are not often used. But as Symfony supports the OIDC feature (experimentally), it could be interesting to support JWE. It concerns only OidcTokenHandler.

Question: should it be a new feature or a bugfix (as it's part of the Core Specification)?

Example

To decrypt a JWE, a public JWK is required. Hopefully, it is available on the /certs endpoint of the OIDC server, so we can import it dynamically (cf. #50434).

security:
  firewalls:
    main:
      oidc:
        # add a new "encryption" option
        encryption:
          # proposal 1: same approach as the "signature.key" option, the JWK is set here as a JSON string
          key: '{"kid": "...","kty": "RSA","alg": "RS256","use": "sig","n": "3G..."}'
          # proposal 2: detect that the value is a URI, and call it to import the JWK
          key: 'https://www.example.com/protocol/openid-connect/certs'
          # proposal 3: add a "certs" option, not combinable with "key", to import and set the "key" option dynamically
          certs: 'https://www.example.com/protocol/openid-connect/certs'
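The spec rule quoted above and proposal 2 from the configuration sketch, as an added Python example that is not part of the issue or of Symfony's code: it inspects a compact-serialized ID Token's JOSE header to tell a JWS from a JWE, rejects an unencrypted token when encryption was negotiated at registration, and resolves a hypothetical `encryption.key` value as either an inline JWK or a JWKS URL. The sample tokens are constructed placeholders, not real credentials.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # base64url without padding (RFC 7515 §2); restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_id_token(token: str) -> dict:
    """Parse the protected JOSE header and say whether the token is a JWS or a JWE.
    A compact JWS has three segments (RFC 7515); a compact JWE has five and its
    header carries the 'enc' parameter (RFC 7516)."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    is_jwe = len(parts) == 5
    if is_jwe != ("enc" in header):
        raise ValueError("segment count and 'enc' header disagree")
    return {"kind": "JWE" if is_jwe else "JWS", "header": header}


def accept_id_token(token: str, encryption_negotiated: bool) -> bool:
    """OIDC Core rule quoted in the issue: encryption negotiated at registration
    but an unencrypted ID Token received -> the RP rejects it."""
    info = classify_id_token(token)
    if encryption_negotiated and info["kind"] != "JWE":
        return False
    if info["kind"] == "JWS" and info["header"].get("alg") == "none":
        return False  # unsigned and unencrypted: no integrity protection at all
    return True


def resolve_encryption_key_option(value: str) -> tuple:
    """Hypothetical resolver for proposal 2: an https URL means 'fetch the JWK Set
    from here'; anything else must be an inline JWK given as a JSON string."""
    if urlparse(value).scheme == "https":
        return ("jwks_uri", value)
    jwk = json.loads(value)
    if "kty" not in jwk:
        raise ValueError("inline key is not a JWK (missing 'kty')")
    return ("inline", jwk)


# Constructed samples: headers are real JSON, payload/ciphertext are placeholders.
SAMPLE_JWS = ".".join([_b64url(b'{"alg":"RS256","kid":"sig-1"}'), _b64url(b'{"sub":"alice"}'), _b64url(b"sig")])
SAMPLE_JWE = ".".join([_b64url(b'{"alg":"RSA-OAEP","enc":"A256GCM","kid":"enc-1"}'),
                       _b64url(b"cek"), _b64url(b"iv"), _b64url(b"ct"), _b64url(b"tag")])
```

Only the header is inspected here; actual decryption and signature verification would follow with the key selected by `kid`.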
@chalasr
Member

chalasr commented Jun 9, 2023

I'd say it's a new feature, given that solving it implies extending the configuration.

It concerns only OidcTokenHandler.

Note that pretty much everything may be encrypted in OIDC interactions, even UserInfo success responses used by OidcUserInfoTokenHandler. Use cases are probably even less common though.

@carsonbot

Thank you for this suggestion.
There has not been a lot of activity here for a while. Would you still like to see this feature?

@vincentchalamon
Contributor Author

Hey @carsonbot, let's keep this one open, I just didn't have time to focus on it yet.
