Drenso / symfony-oidc

This project contains the Symfony OIDC bundle, which is directly based on https://github.com/jumbojett/OpenID-Connect-PHP
Apache License 2.0
59 stars, 32 forks

Check for additional constraints / claims #58

Closed sebastianSchmidt86 closed 3 months ago

sebastianSchmidt86 commented 6 months ago

We need to check some additional constraints / claims. How can I extend the verifyToken function to add an additional constraint (HasClaimWithValue)?

We have to set an acr claim value and therefore we have to check if the same acr value is returned in the tokens.

bobvandevijver commented 6 months ago

There is currently no easy way to configure additional constraints that are validated during the authentication process, except for decorating the OidcJwtHelper with an extended function, which will require you to copy some code as well (which is far from convenient/future proof).

I am open to a PR which adds an optional provider (which can be added to the OidcClient configuration) that can generate additional constraints based on the token type. The result of this optional provider call can be fed into the JwtHelper verifyTokens method (which might better be placed in the OidcClient class, looks like I made a small mistake there).

bobvandevijver commented 3 months ago

This functionality has been added in v3.2.0. See https://github.com/Drenso/symfony-oidc?tab=readme-ov-file#additional-token-claim-validation for how to configure/implement it.
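The check the thread asks for, as an added example that is not code from Drenso/symfony-oidc or from either commenter. It uses lcobucci/jwt, the JWT library the bundle validates tokens with, and the `HasClaimWithValue` constraint sebastianSchmidt86 names. The `AcrConstraintProvider` class, its `constraintsFor()` method and the plain string token types (`'id'`, `'access'`) are assumptions made for this example in the shape bobvandevijver describes; the interface the bundle actually wires in v3.2.0 is documented in its README and is not reproduced here. The HMAC key and the tokens are constructed inline so the file runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from Drenso/symfony-oidc. Requires lcobucci/jwt
// (composer require lcobucci/jwt), the library the bundle validates tokens with.
require __DIR__ . '/vendor/autoload.php';

use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint;
use Lcobucci\JWT\Validation\Constraint\HasClaimWithValue;
use Lcobucci\JWT\Validation\Constraint\SignedWith;

/**
 * Hypothetical provider in the shape the maintainer describes: given the token
 * type, return the extra lcobucci constraints to run. The class name, method
 * name and string token types are assumptions for this example, not the
 * bundle's interface.
 */
final class AcrConstraintProvider
{
    public function __construct(private string $expectedAcr) {}

    /** @return Constraint[] */
    public function constraintsFor(string $tokenType): array
    {
        // acr is an ID token claim; access and refresh tokens need not carry it,
        // so only the ID token gets the extra check. HasClaimWithValue compares
        // with strict equality: a missing claim or a weaker level both fail.
        return $tokenType === 'id'
            ? [new HasClaimWithValue('acr', $this->expectedAcr)]
            : [];
    }
}

/** Signature check plus the caller-supplied constraints; true only if all pass. */
function idTokenSatisfies(Configuration $config, string $jwt, array $extra): bool
{
    $token = $config->parser()->parse($jwt);
    $constraints = array_merge(
        [new SignedWith($config->signer(), $config->signingKey())],
        $extra,
    );
    return $config->validator()->validate($token, ...$constraints);
}

/** Mints a constructed ID token for the demo, with or without an acr claim. */
function mintIdToken(Configuration $config, ?string $acr): string
{
    $builder = $config->builder()->issuedBy('https://op.example')->relatedTo('alice');
    if ($acr !== null) {
        $builder = $builder->withClaim('acr', $acr);
    }
    return $builder->getToken($config->signer(), $config->signingKey())->toString();
}

// --- demo: constructed HMAC key (placeholder, 39 bytes) and tokens -----------
$config = Configuration::forSymmetricSigner(
    new Sha256(),
    InMemory::plainText('example-key-for-the-demo-only-32bytes!!'),
);

// The level we asked the provider for via acr_values; the ID token must echo it.
$provider = new AcrConstraintProvider('urn:example:mfa');
$idConstraints = $provider->constraintsFor('id');

$cases = [
    ['urn:example:mfa',      true],  // requested level came back: accept
    ['urn:example:password', false], // weaker level substituted: reject
    [null,                   false], // claim missing altogether: reject
];
foreach ($cases as [$acr, $expected]) {
    $ok = idTokenSatisfies($config, mintIdToken($config, $acr), $idConstraints);
    printf("acr=%-24s -> %s\n", var_export($acr, true), $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}

// Access tokens get no acr constraint from this provider.
assert($provider->constraintsFor('access') === []);
```

The value passed to the provider should be the same level that was requested in `acr_values`; accepting any acr that merely exists would let a session authenticated at a lower level pass. If more than one level is acceptable, replace `HasClaimWithValue` with a small custom `Constraint` that checks membership in an allow-list, since `HasClaimWithValue` only tests strict equality against one value.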