Adds support for Web-Token suite 4.0

Author: Spomky

.github/workflows/web-token-ci.yml

@@ -51,7 +51,7 @@ jobs:
 
             - name: "Require web-token/*"
               run: |
-                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3"
+                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3|^4.0"
                   composer require --dev --no-update spomky-labs/aes-key-wrap:"^7.0"
 
             - name: "Install dependencies"

Command/EnableEncryptionConfigCommand.php

@@ -8,6 +8,7 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
 use Jose\Component\Encryption\JWEBuilder;
@@ -16,7 +17,6 @@
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

Command/MigrateConfigCommand.php

@@ -6,11 +6,11 @@
 use Jose\Component\Checker\ClaimCheckerManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\KeyManagement\JWKFactory;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;

DependencyInjection/LexikJWTAuthenticationExtension.php

@@ -241,6 +241,14 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
                     ->replaceArgument(11, $config['access_token_verification']['encryption']['allowed_content_encryption_algorithms'])
                     ->replaceArgument(12, $config['access_token_verification']['encryption']['keyset'])
                 ;
+            } else {
+                $accessTokenLoaderDefinition
+                    ->replaceArgument(8, null)
+                    ->replaceArgument(9, null)
+                    ->replaceArgument(10, null)
+                    ->replaceArgument(11, null)
+                    ->replaceArgument(12, null)
+                ;
             }
         }
     }

Resources/config/web_token_verification.xml

@@ -5,6 +5,8 @@
            xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
     <services>
+        <service id="lexik_jwt_authentication.web_token.clock" class="Symfony\Component\Clock\NativeClock" public="false">
+        </service>
         <service id="lexik_jwt_authentication.access_token_loader" class="Lexik\Bundle\JWTAuthenticationBundle\Services\WebToken\AccessTokenLoader" public="false">
             <argument type="service" id="Jose\Bundle\JoseFramework\Services\JWSLoaderFactory" />
             <argument type="service" id="Jose\Bundle\JoseFramework\Services\JWELoaderFactory" on-invalid="null" />
@@ -21,20 +23,23 @@
             <argument>null</argument> <!-- Encryption keyset -->
         </service>
         <service id="lexik_jwt_authentication.web_token.iat_validator" class="Jose\Component\Checker\IssuedAtChecker" public="false">
-            <argument>%lexik_jwt_authentication.clock_skew%</argument>
-            <argument>true</argument>
+            <argument key="$clock" type="service" id="lexik_jwt_authentication.web_token.clock" />
+            <argument key="$allowedTimeDrift">%lexik_jwt_authentication.clock_skew%</argument>
+            <argument key="$protectedHeaderOnly">true</argument>
             <tag name="jose.checker.claim" alias="iat_with_clock_skew" />
             <tag name="jose.checker.header" alias="iat_with_clock_skew" />
         </service>
         <service id="lexik_jwt_authentication.web_token.exp_validator" class="Jose\Component\Checker\ExpirationTimeChecker" public="false">
-            <argument>%lexik_jwt_authentication.clock_skew%</argument>
-            <argument>true</argument>
+            <argument key="$clock" type="service" id="lexik_jwt_authentication.web_token.clock" />
+            <argument key="$allowedTimeDrift">%lexik_jwt_authentication.clock_skew%</argument>
+            <argument key="$protectedHeaderOnly">true</argument>
             <tag name="jose.checker.claim" alias="exp_with_clock_skew" />
             <tag name="jose.checker.header" alias="exp_with_clock_skew" />
         </service>
         <service id="lexik_jwt_authentication.web_token.nbf_validator" class="Jose\Component\Checker\NotBeforeChecker" public="false">
-            <argument>%lexik_jwt_authentication.clock_skew%</argument>
-            <argument>true</argument>
+            <argument key="$clock" type="service" id="lexik_jwt_authentication.web_token.clock" />
+            <argument key="$allowedTimeDrift">%lexik_jwt_authentication.clock_skew%</argument>
+            <argument key="$protectedHeaderOnly">true</argument>
             <tag name="jose.checker.claim" alias="nbf_with_clock_skew" />
             <tag name="jose.checker.header" alias="nbf_with_clock_skew" />
         </service>

Services/WebToken/AccessTokenLoader.php

@@ -47,7 +47,7 @@ public function __construct(
     ) {
         $this->jwsLoader = $jwsLoaderFactory->create(['jws_compact'], $signatureAlgorithms, $jwsHeaderChecker);
         if ($jweLoaderFactory !== null && !empty($keyEncryptionAlgorithms) && !empty($contentEncryptionAlgorithms) && !empty($jweHeaderChecker)) {
-            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), null, null, $jweHeaderChecker);
+            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms),headerCheckers: $jweHeaderChecker);
             $this->continueOnDecryptionFailure = $continueOnDecryptionFailure;
         }
         $this->signatureKeyset = JWKSet::createFromJson($signatureKeyset);

Tests/Functional/WebTokenTest.php

@@ -4,11 +4,11 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A128GCMKW;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A256GCMKW;
-use Jose\Component\Encryption\Compression\CompressionMethodManager;
 use Jose\Component\Encryption\JWEBuilder;
 use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
 use Jose\Component\Signature\Algorithm\HS256;
@@ -20,7 +20,6 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTInvalidEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -337,9 +336,7 @@ private function buildJWS(array $claims, array $header, JWK $signatureKey): stri
     private function buildJWE(string $payload, array $header, JWK $encryptionKey): string
     {
         $builder = new JWEBuilder(
-            new AlgorithmManager([new A256GCMKW(), new A128GCMKW()]),
-            new AlgorithmManager([new A256GCM(), new A128GCM()]),
-            new CompressionMethodManager([])
+            new AlgorithmManager([new A256GCMKW(), new A128GCMKW(), new A256GCM(), new A128GCM()]),
         );
         $jwe = $builder
             ->create()