Simplify Web-Token integration and adjust CI for compatibility with updated packages

Spomky · Spomky · commit 85376d0cc133 · 2025-07-17T21:25:35.000+02:00
diff --git a/.github/workflows/web-token-ci.yml b/.github/workflows/web-token-ci.yml
@@ -51,7 +51,7 @@ jobs:
 
             - name: "Require web-token/*"
               run: |
-                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3"
+                  composer require --dev --no-update web-token/jwt-bundle:"^3.3.3|^4.0"
                   composer require --dev --no-update spomky-labs/aes-key-wrap:"^7.0"
 
             - name: "Install dependencies"
diff --git a/Command/EnableEncryptionConfigCommand.php b/Command/EnableEncryptionConfigCommand.php
@@ -8,6 +8,7 @@
 use Jose\Component\Core\AlgorithmManagerFactory;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryptionAlgorithm;
 use Jose\Component\Encryption\Algorithm\KeyEncryptionAlgorithm;
 use Jose\Component\Encryption\JWEBuilder;
@@ -16,7 +17,6 @@
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;
diff --git a/Command/MigrateConfigCommand.php b/Command/MigrateConfigCommand.php
@@ -6,11 +6,11 @@
 use Jose\Component\Checker\ClaimCheckerManager;
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\KeyManagement\JWKFactory;
 use Jose\Component\Signature\JWSBuilder;
 use Jose\Component\Signature\JWSLoader;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\KeyLoader\KeyLoaderInterface;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Bundle\FrameworkBundle\Command\AbstractConfigCommand;
 use Symfony\Component\Config\Definition\Processor;
 use Symfony\Component\Console\Attribute\AsCommand;
diff --git a/DependencyInjection/LexikJWTAuthenticationExtension.php b/DependencyInjection/LexikJWTAuthenticationExtension.php
@@ -241,6 +241,14 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont
                     ->replaceArgument(11, $config['access_token_verification']['encryption']['allowed_content_encryption_algorithms'])
                     ->replaceArgument(12, $config['access_token_verification']['encryption']['keyset'])
                 ;
+            } else {
+                $accessTokenLoaderDefinition
+                    ->replaceArgument(8, null)
+                    ->replaceArgument(9, null)
+                    ->replaceArgument(10, null)
+                    ->replaceArgument(11, null)
+                    ->replaceArgument(12, null)
+                ;
             }
         }
     }
diff --git a/Resources/config/web_token_verification.xml b/Resources/config/web_token_verification.xml
@@ -5,6 +5,9 @@
            xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
     <services>
+        <service id="lexik_jwt_authentication.web_token.clock" class="Lcobucci\Clock\SystemClock" public="false">
+            <factory class="Lcobucci\Clock\SystemClock" method="fromUTC" />
+        </service>
         <service id="lexik_jwt_authentication.access_token_loader" class="Lexik\Bundle\JWTAuthenticationBundle\Services\WebToken\AccessTokenLoader" public="false">
             <argument type="service" id="Jose\Bundle\JoseFramework\Services\JWSLoaderFactory" />
             <argument type="service" id="Jose\Bundle\JoseFramework\Services\JWELoaderFactory" on-invalid="null" />
@@ -21,18 +24,21 @@
             <argument>null</argument> <!-- Encryption keyset -->
         </service>
         <service id="lexik_jwt_authentication.web_token.iat_validator" class="Jose\Component\Checker\IssuedAtChecker" public="false">
+            <argument type="service">lexik_jwt_authentication.web_token.clock</argument>
             <argument>%lexik_jwt_authentication.clock_skew%</argument>
             <argument>true</argument>
             <tag name="jose.checker.claim" alias="iat_with_clock_skew" />
             <tag name="jose.checker.header" alias="iat_with_clock_skew" />
         </service>
         <service id="lexik_jwt_authentication.web_token.exp_validator" class="Jose\Component\Checker\ExpirationTimeChecker" public="false">
+            <argument type="service">lexik_jwt_authentication.web_token.clock</argument>
             <argument>%lexik_jwt_authentication.clock_skew%</argument>
             <argument>true</argument>
             <tag name="jose.checker.claim" alias="exp_with_clock_skew" />
             <tag name="jose.checker.header" alias="exp_with_clock_skew" />
         </service>
         <service id="lexik_jwt_authentication.web_token.nbf_validator" class="Jose\Component\Checker\NotBeforeChecker" public="false">
+            <argument type="service">lexik_jwt_authentication.web_token.clock</argument>
             <argument>%lexik_jwt_authentication.clock_skew%</argument>
             <argument>true</argument>
             <tag name="jose.checker.claim" alias="nbf_with_clock_skew" />
diff --git a/Services/WebToken/AccessTokenLoader.php b/Services/WebToken/AccessTokenLoader.php
@@ -47,7 +47,7 @@ public function __construct(
     ) {
         $this->jwsLoader = $jwsLoaderFactory->create(['jws_compact'], $signatureAlgorithms, $jwsHeaderChecker);
         if ($jweLoaderFactory !== null && !empty($keyEncryptionAlgorithms) && !empty($contentEncryptionAlgorithms) && !empty($jweHeaderChecker)) {
-            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), null, null, $jweHeaderChecker);
+            $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), $jweHeaderChecker);
             $this->continueOnDecryptionFailure = $continueOnDecryptionFailure;
         }
         $this->signatureKeyset = JWKSet::createFromJson($signatureKeyset);
diff --git a/Tests/Functional/WebTokenTest.php b/Tests/Functional/WebTokenTest.php
@@ -4,11 +4,11 @@
 
 use Jose\Component\Core\AlgorithmManager;
 use Jose\Component\Core\JWK;
+use Jose\Component\Core\Util\Base64UrlSafe;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A128GCM;
 use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A128GCMKW;
 use Jose\Component\Encryption\Algorithm\KeyEncryption\A256GCMKW;
-use Jose\Component\Encryption\Compression\CompressionMethodManager;
 use Jose\Component\Encryption\JWEBuilder;
 use Jose\Component\Encryption\Serializer\CompactSerializer as JweCompactSerializer;
 use Jose\Component\Signature\Algorithm\HS256;
@@ -20,7 +20,6 @@
 use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTInvalidEvent;
 use Lexik\Bundle\JWTAuthenticationBundle\Events;
 use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationSuccessResponse;
-use ParagonIE\ConstantTime\Base64UrlSafe;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -337,9 +336,7 @@ private function buildJWS(array $claims, array $header, JWK $signatureKey): stri
     private function buildJWE(string $payload, array $header, JWK $encryptionKey): string
     {
         $builder = new JWEBuilder(
-            new AlgorithmManager([new A256GCMKW(), new A128GCMKW()]),
-            new AlgorithmManager([new A256GCM(), new A128GCM()]),
-            new CompressionMethodManager([])
+            new AlgorithmManager([new A256GCMKW(), new A128GCMKW(), new A256GCM(), new A128GCM()]),
         );
         $jwe = $builder
             ->create()

Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,14 @@ private function processWithWebTokenConfig(array $config, ContainerBuilder $cont`
`241`	`241`	`->replaceArgument(11, $config['access_token_verification']['encryption']['allowed_content_encryption_algorithms'])`
`242`	`242`	`->replaceArgument(12, $config['access_token_verification']['encryption']['keyset'])`
`243`	`243`	`;`
	`244`	`+ } else {`
	`245`	`+ $accessTokenLoaderDefinition`
	`246`	`+ ->replaceArgument(8, null)`
	`247`	`+ ->replaceArgument(9, null)`
	`248`	`+ ->replaceArgument(10, null)`
	`249`	`+ ->replaceArgument(11, null)`
	`250`	`+ ->replaceArgument(12, null)`
	`251`	`+ ;`
`244`	`252`	`}`
`245`	`253`	`}`
`246`	`254`	`}`
Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ public function __construct(`
`47`	`47`	`) {`
`48`	`48`	`$this->jwsLoader = $jwsLoaderFactory->create(['jws_compact'], $signatureAlgorithms, $jwsHeaderChecker);`
`49`	`49`	`if ($jweLoaderFactory !== null && !empty($keyEncryptionAlgorithms) && !empty($contentEncryptionAlgorithms) && !empty($jweHeaderChecker)) {`
`50`		`- $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), null, null, $jweHeaderChecker);`
	`50`	`+ $this->jweLoader = $jweLoaderFactory->create(['jwe_compact'], array_merge($keyEncryptionAlgorithms, $contentEncryptionAlgorithms), $jweHeaderChecker);`
`51`	`51`	`$this->continueOnDecryptionFailure = $continueOnDecryptionFailure;`
`52`	`52`	`}`
`53`	`53`	`$this->signatureKeyset = JWKSet::createFromJson($signatureKeyset);`