Skip to content

[Security] Allow multiple OIDC discovery endpoints #62043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 14, 2025
Merged

[Security] Allow multiple OIDC discovery endpoints #62043

merged 1 commit into from
Oct 14, 2025
+287 −60

Conversation

@ruudk
Copy link
Contributor

@ruudk ruudk commented Oct 12, 2025
edited
Loading

Q A
Branch? 7.4
Bug fix? no
New feature? yes
Deprecations? no
Issues
License MIT

When a firewall accepts tokens from multiple identity providers, it needs to validate tokens against different OIDC discovery endpoints. This change allows configuring multiple named discovery servers instead of just one, while keeping backward compatibility.

With this change, we allow configuring multiple discovery endpoints with different (or the same) cache storage. They all use a different cache key.

It then builds a JWTSet of all the keys fetched, from the multiple endpoints, and then validates the JWT against that total JWTSet.

/cc @vincentchalamon @Jean-Beru @chalasr @Spomky Tagging you as you were all involved in previous OIDC PR's. Curious to hear your opinions about this 🙏

@ruudk ruudk requested a review from chalasr as a code owner October 12, 2025 10:55
@carsonbot carsonbot added this to the 7.4 milestone Oct 12, 2025
@ruudk ruudk force-pushed the allow-config-multiple-oidc-discovery-endpoints branch 4 times, most recently from 13696f9 to c6bcc32 Compare October 12, 2025 11:40
@ruudk ruudk force-pushed the allow-config-multiple-oidc-discovery-endpoints branch from c6bcc32 to 50c135a Compare October 13, 2025 06:30
nicolas-grekas
nicolas-grekas reviewed Oct 13, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to keep synchronous HTTP calls? Shouldn't we do concurrent ones?

@ruudk
Copy link
Contributor Author

ruudk commented Oct 13, 2025

Do we want to keep synchronous HTTP calls? Shouldn't we do concurrent ones?

I like it, will check it out! Thanks for the review 🙏

@ruudk
Copy link
Contributor Author

ruudk commented Oct 13, 2025

Do we want to keep synchronous HTTP calls? Shouldn't we do concurrent ones?

But how to do that, in combination with the Symfony Cache callbacks?

They have their own cache, so they could also be evicted separately etc.

@ruudk ruudk force-pushed the allow-config-multiple-oidc-discovery-endpoints branch from 783e73c to 102be5e Compare October 13, 2025 06:46
nicolas-grekas
nicolas-grekas reviewed Oct 13, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to keep synchronous HTTP calls? Shouldn't we do concurrent ones?
But how to do that, in combination with the Symfony Cache callbacks?
They have their own cache, so they could also be evicted separately etc.

Let's have a single cache entry. I don't see the need for many 🤷

@ruudk ruudk force-pushed the allow-config-multiple-oidc-discovery-endpoints branch from 6f4ee9c to bbecc4d Compare October 13, 2025 07:42
nicolas-grekas
nicolas-grekas reviewed Oct 13, 2025
View reviewed changes
nicolas-grekas
nicolas-grekas approved these changes Oct 13, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor tweaks then LGTM, thanks.

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Oct 13, 2025

(well, please check tests before :)

@ruudk
Copy link
Contributor Author

ruudk commented Oct 13, 2025

Alright, it's ready !

Spomky
Spomky approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@Spomky Spomky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ruudk,

Thank you for this PR.
I really like the proposal and looks good to me. Just one small change to have a green CI.

@nicolas-grekas nicolas-grekas force-pushed the allow-config-multiple-oidc-discovery-endpoints branch from 1aeb0d8 to bc7424f Compare October 14, 2025 08:40
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Oct 14, 2025

Thank you @ruudk.

@nicolas-grekas nicolas-grekas merged commit 058f45d into symfony:7.4 Oct 14, 2025
11 checks passed
@nicolas-grekas nicolas-grekas mentioned this pull request Oct 14, 2025
Closed
This was referenced Oct 27, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@fabpot fabpot fabpot requested changes

@Spomky Spomky Spomky approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees

No one assigned

Labels

Feature Security Status: Reviewed

Projects

None yet

Milestone

7.4

Development

Successfully merging this pull request may close these issues.

5 participants

@ruudk @nicolas-grekas @fabpot @Spomky @carsonbot