Introduce client param id_token_signed_response_alg

Author: cicnavi

docker/conformance.sql

@@ -14,6 +14,22 @@ INSERT INTO oidc_migration_versions VALUES('20210916153400');
 INSERT INTO oidc_migration_versions VALUES('20210916173400');
 INSERT INTO oidc_migration_versions VALUES('20240603141400');
 INSERT INTO oidc_migration_versions VALUES('20240605145700');
+INSERT INTO oidc_migration_versions VALUES('20240820132400');
+INSERT INTO oidc_migration_versions VALUES('20240828153300');
+INSERT INTO oidc_migration_versions VALUES('20240830153300');
+INSERT INTO oidc_migration_versions VALUES('20240902120000');
+INSERT INTO oidc_migration_versions VALUES('20240905120000');
+INSERT INTO oidc_migration_versions VALUES('20240906120000');
+INSERT INTO oidc_migration_versions VALUES('20250818163000');
+INSERT INTO oidc_migration_versions VALUES('20250908163000');
+INSERT INTO oidc_migration_versions VALUES('20250912163000');
+INSERT INTO oidc_migration_versions VALUES('20250913163000');
+INSERT INTO oidc_migration_versions VALUES('20250915163000');
+INSERT INTO oidc_migration_versions VALUES('20250916163000');
+INSERT INTO oidc_migration_versions VALUES('20250917163000');
+INSERT INTO oidc_migration_versions VALUES('20251021000001');
+INSERT INTO oidc_migration_versions VALUES('20251021000002');
+INSERT INTO oidc_migration_versions VALUES('20260109000001');
 CREATE TABLE oidc_user (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             claims TEXT,
@@ -44,15 +60,16 @@ CREATE TABLE oidc_client (
             created_at TIMESTAMP NULL DEFAULT NULL,
             expires_at TIMESTAMP NULL DEFAULT NULL,
             is_federated BOOLEAN NOT NULL DEFAULT false,
-            is_generic BOOLEAN NOT NULL DEFAULT false
+            is_generic BOOLEAN NOT NULL DEFAULT false,
+            extra_metadata TEXT NULL
 );
 -- Used 'httpd' host for back-channel logout url (https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout)
 -- since this is the hostname of conformance server while running in container environment
-INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
-INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false);
+INSERT INTO oidc_client VALUES('_55a99a1d298da921cb27d700d4604352e51171ebc4','_8967dd97d07cc59db7055e84ac00e79005157c1132','Conformance Client 1',replace('Client 1 for Conformance Testing  https://openid.net/certification/connect_op_testing/\n','\n',char(10)),'example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone","offline_access"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_34efb61060172a11d62101bc804db789f8f9100b0e','_91a4607a1c10ba801268929b961b3f6c067ff82d21','Conformance Client 2','','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","offline_access"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_0afb7d18e54b2de8205a93e38ca119e62ee321d031','_944e73bbeec7850d32b68f1b5c780562c955967e4e','Conformance Client 3','Client for client_secret_post','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email"]',1,1,NULL,NULL,NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_8957eda35234902ba8343c0cdacac040310f17dfca','_322d16999f9da8b5abc9e9c0c08e853f60f4dc4804','RP-Initiated Logout Client','Client for testing RP-Initiated Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]',NULL,NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
+INSERT INTO oidc_client VALUES('_9fe2f7589ece1b71f5ef75a91847d71bc5125ec2a6','_3c0beb20194179c01d7796c6836f62801e9ed4b368','Back-Channel Logout Client','Client for testing Back-Channel Logout','example-userpass','["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/callback","https:\/\/www.certification.openid.net\/test\/a\/simplesamlphp-module-oidc\/callback"]','["openid","profile","email","address","phone"]',1,1,NULL,'["https:\/\/localhost.emobix.co.uk:8443\/test\/a\/simplesamlphp-module-oidc\/post_logout_redirect"]','https://httpd:8443/test/a/simplesamlphp-module-oidc/backchannel_logout',NULL,NULL, NULL, NULL, NULL, NULL, 'manual', NULL, NULL, NULL, false, false, NULL);
 CREATE TABLE oidc_access_token (
             id VARCHAR(191) PRIMARY KEY NOT NULL,
             scopes TEXT,

docs/6-oidc-upgrade.md

@@ -7,13 +7,16 @@ apply those relevant to your deployment.
 
 New features:
 
+- Clients can now be configured with new properties:
+  - ID Token Signing Algorithm (id_token_signed_response_alg)
 - Initial support for OpenID for Verifiable Credential Issuance
 (OpenID4VCI). Note that the implementation is experimental. You should not use
-it in production yet. 
+it in production.
 
 New configuration options:
 
-- Several new options regarding support for OpenID4VCI.
+- Several new options are available in module config file regarding support for
+OpenID4VCI.
 
 Major impact changes:
 

src/Controllers/Admin/ClientController.php

@@ -25,6 +25,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Services\SessionMessagesService;
 use SimpleSAML\Module\oidc\Utils\Routes;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -118,7 +119,7 @@ public function resetSecret(Request $request): Response
         $this->clientRepository->update($client, $authedUserId);
 
         $message = Translate::noop('Client secret has been reset.');
-        $this->logger->info($message, $client->getState());
+        $this->logger->info($message, [ParametersEnum::ClientId->value => $client->getIdentifier()]);
         $this->sessionMessagesService->addMessage($message);
 
         return $this->routes->newRedirectResponseToModuleUrl(
@@ -181,14 +182,14 @@ public function add(): Response
 
             if ($this->clientRepository->findById($client->getIdentifier())) {
                 $message = Translate::noop('Client with generated ID already exists.');
-                $this->logger->warning($message, $client->getState());
+                $this->logger->warning($message, [ParametersEnum::ClientId->value => $client->getIdentifier()]);
                 $this->sessionMessagesService->addMessage($message);
             } elseif (
                 ($entityIdentifier = $client->getEntityIdentifier()) &&
                 $this->clientRepository->findByEntityIdentifier($entityIdentifier)
             ) {
                 $message = Translate::noop('Client with given entity identifier already exists.');
-                $this->logger->warning($message, $client->getState());
+                $this->logger->warning($message, [ParametersEnum::ClientId->value => $client->getIdentifier()]);
                 $this->sessionMessagesService->addMessage($message);
             } else {
                 $this->clientRepository->add($client);
@@ -199,7 +200,7 @@ public function add(): Response
                 /** @var string[] $allowedOrigins */
                 $this->allowedOriginRepository->set($client->getIdentifier(), $allowedOrigins);
                 $message = Translate::noop('Client has been added.');
-                $this->logger->info($message, $client->getState());
+                $this->logger->info($message, [ParametersEnum::ClientId->value => $client->getIdentifier()]);
                 $this->sessionMessagesService->addMessage($message);
 
                 return $this->routes->newRedirectResponseToModuleUrl(
@@ -238,6 +239,9 @@ public function edit(Request $request): Response
 
         $clientData = $originalClient->toArray();
         $clientData['allowed_origin'] = $clientAllowedOrigins;
+
+        // Handle extra metadata
+
         $form->setDefaults($clientData);
 
         if ($form->isSuccess()) {
@@ -252,6 +256,7 @@ public function edit(Request $request): Response
                 $originalClient->getCreatedAt(),
                 $originalClient->getExpiresAt(),
                 $originalClient->getOwner(),
+                $originalClient->isGeneric(),
             );
 
             // We have to make sure that the Entity Identifier is unique.
@@ -311,6 +316,7 @@ protected function buildClientEntityFromFormData(
         ?\DateTimeImmutable $createdAt = null,
         ?\DateTimeImmutable $expiresAt = null,
         ?string $owner = null,
+        bool $isGeneric = false,
     ): ClientEntityInterface {
         /** @var array $data */
         $data = $form->getValues('array');
@@ -344,6 +350,15 @@ protected function buildClientEntityFromFormData(
         null : (string)$data[ClientEntity::KEY_SIGNED_JWKS_URI];
         $isFederated = (bool)$data[ClientEntity::KEY_IS_FEDERATED];
 
+        $idTokenSignedResponseAlg = isset($data[ClaimsEnum::IdTokenSignedResponseAlg->value]) &&
+        is_string($data[ClaimsEnum::IdTokenSignedResponseAlg->value]) ?
+        $data[ClaimsEnum::IdTokenSignedResponseAlg->value] :
+        null;
+
+        $extraMetadata = [
+            ClaimsEnum::IdTokenSignedResponseAlg->value => $idTokenSignedResponseAlg,
+        ];
+
         return $this->clientEntityFactory->fromData(
             $identifier,
             $secret,
@@ -368,6 +383,8 @@ protected function buildClientEntityFromFormData(
             $createdAt,
             $expiresAt,
             $isFederated,
+            $isGeneric,
+            $extraMetadata,
         );
     }
 }

src/Entities/ClientEntity.php

@@ -21,6 +21,7 @@
 use League\OAuth2\Server\Entities\Traits\EntityTrait;
 use SimpleSAML\Module\oidc\Codebooks\RegistrationTypeEnum;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
 
 class ClientEntity implements ClientEntityInterface
@@ -52,6 +53,7 @@ class ClientEntity implements ClientEntityInterface
     public const KEY_EXPIRES_AT = 'expires_at';
     public const KEY_IS_FEDERATED = 'is_federated';
     public const KEY_IS_GENERIC = 'is_generic';
+    public const KEY_EXTRA_METADATA = 'extra_metadata';
 
     private string $secret;
 
@@ -95,6 +97,7 @@ class ClientEntity implements ClientEntityInterface
     private ?DateTimeImmutable $expiresAt;
     private bool $isFederated;
     private bool $isGeneric;
+    private ?array $extraMetadata;
 
     /**
      * @param string[] $redirectUri
@@ -129,6 +132,7 @@ public function __construct(
         ?DateTimeImmutable $expiresAt = null,
         bool $isFederated = false,
         bool $isGeneric = false,
+        ?array $extraMetadata = null,
     ) {
         $this->identifier = $identifier;
         $this->secret = $secret;
@@ -154,6 +158,7 @@ public function __construct(
         $this->expiresAt = $expiresAt;
         $this->isFederated = $isFederated;
         $this->isGeneric = $isGeneric;
+        $this->extraMetadata = $extraMetadata;
     }
 
     /**
@@ -193,6 +198,9 @@ public function getState(): array
             self::KEY_EXPIRES_AT => $this->getExpiresAt()?->format('Y-m-d H:i:s'),
             self::KEY_IS_FEDERATED => $this->isFederated(),
             self::KEY_IS_GENERIC => $this->isGeneric(),
+            self::KEY_EXTRA_METADATA => is_null($this->extraMetadata) ?
+                null :
+                json_encode($this->extraMetadata, JSON_THROW_ON_ERROR),
         ];
     }
 
@@ -223,6 +231,9 @@ public function toArray(): array
             self::KEY_EXPIRES_AT => $this->expiresAt,
             self::KEY_IS_FEDERATED => $this->isFederated,
             self::KEY_IS_GENERIC => $this->isGeneric,
+
+            // Extra metadata
+            ClaimsEnum::IdTokenSignedResponseAlg->value => $this->getIdTokenSignedResponseAlg(),
         ];
     }
 
@@ -366,4 +377,24 @@ public function isGeneric(): bool
     {
         return $this->isGeneric;
     }
+
+    public function getExtraMetadata(): array
+    {
+        return $this->extraMetadata ?? [];
+    }
+
+    public function getIdTokenSignedResponseAlg(): ?string
+    {
+        if (!is_array($this->extraMetadata)) {
+            return null;
+        }
+
+        $idTokenSignedResponseAlg = $this->extraMetadata['id_token_signed_response_alg'] ?? null;
+
+        if (!is_string($idTokenSignedResponseAlg)) {
+            return null;
+        }
+
+        return $idTokenSignedResponseAlg;
+    }
 }

src/Entities/Interfaces/ClientEntityInterface.php

@@ -80,4 +80,7 @@ public function getExpiresAt(): ?DateTimeImmutable;
     public function isExpired(): bool;
     public function isFederated(): bool;
     public function isGeneric(): bool;
+
+    public function getExtraMetadata(): array;
+    public function getIdTokenSignedResponseAlg(): ?string;
 }

src/Factories/Entities/ClientEntityFactory.php

@@ -67,6 +67,7 @@ public function fromData(
         ?DateTimeImmutable $expiresAt = null,
         bool $isFederated = false,
         bool $isGeneric = false,
+        ?array $extraMetadata = null,
     ): ClientEntityInterface {
         return new ClientEntity(
             $id,
@@ -93,6 +94,7 @@ public function fromData(
             $expiresAt,
             $isFederated,
             $isGeneric,
+            $extraMetadata,
         );
     }
 
@@ -196,6 +198,20 @@ public function fromRegistrationData(
         $isFederated = $existingClient?->isFederated() ?? false;
         $isGeneric = $existingClient?->isGeneric() ?? false;
 
+        $extraMetadata = $existingClient?->getExtraMetadata() ?? [];
+
+        // Handle any other supported client metadata as extra metadata.
+        // id_token_signed_response_alg
+        $idTokenSignedResponseAlg = isset($metadata[ClaimsEnum::IdTokenSignedResponseAlg->value]) &&
+        is_string($metadata[ClaimsEnum::IdTokenSignedResponseAlg->value]) ?
+        $metadata[ClaimsEnum::IdTokenSignedResponseAlg->value] :
+        $existingClient?->getIdTokenSignedResponseAlg();
+
+        // TODO mivanci Check if id_token_signed_response_alg is supported.
+
+        $extraMetadata[ClaimsEnum::IdTokenSignedResponseAlg->value] = $idTokenSignedResponseAlg;
+
+
         return $this->fromData(
             $id,
             $secret,
@@ -221,6 +237,7 @@ public function fromRegistrationData(
             $expiresAt,
             $isFederated,
             $isGeneric,
+            $extraMetadata,
         );
     }
 
@@ -361,6 +378,11 @@ public function fromState(array $state): ClientEntityInterface
         $isFederated = (bool)$state[ClientEntity::KEY_IS_FEDERATED];
         $isGeneric = (bool)$state[ClientEntity::KEY_IS_GENERIC];
 
+        /** @var ?mixed[] $extraMetadata */
+        $extraMetadata = empty($state[ClientEntity::KEY_EXTRA_METADATA]) ?
+        null :
+        json_decode((string)$state[ClientEntity::KEY_EXTRA_METADATA], true, 512, JSON_THROW_ON_ERROR);
+
         return $this->fromData(
             $id,
             $secret,
@@ -386,6 +408,7 @@ public function fromState(array $state): ClientEntityInterface
             $expiresAt,
             $isFederated,
             $isGeneric,
+            $extraMetadata,
         );
     }
 

src/Forms/ClientForm.php

@@ -22,6 +22,7 @@
 use SimpleSAML\Module\oidc\Forms\Controls\CsrfProtection;
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
 use Traversable;
 
@@ -278,6 +279,10 @@ public function getValues(string|object|bool|null $returnType = null, ?array $co
         $signedJwksUri = trim((string)$values['signed_jwks_uri']);
         $values['signed_jwks_uri'] = empty($signedJwksUri) ? null : $signedJwksUri;
 
+        $idTokenSignedResponseAlg = trim((string)$values[ClaimsEnum::IdTokenSignedResponseAlg->value]);
+        $values[ClaimsEnum::IdTokenSignedResponseAlg->value] = empty($idTokenSignedResponseAlg) ?
+        null : $idTokenSignedResponseAlg;
+
         return $values;
     }
 
@@ -414,6 +419,12 @@ protected function buildForm(): void
 
         $this->addCheckbox('is_federated', '{oidc:client:is_federated}')
             ->setHtmlAttribute('class', 'full-width');
+
+        // TODO mivanci Properly fetch the list of supported algos
+        $this->addSelect('id_token_signed_response_alg', Translate::noop('ID Token Signing Algorithm'))
+            ->setHtmlAttribute('class', 'full-width')
+            ->setItems(['RS256'], false)
+            ->setPrompt(Translate::noop('-'));
     }
 
     /**