@@ -22,6 +22,7 @@ declare(strict_types=1);
2222 */
2323
2424use SimpleSAML\Module\oidc\ModuleConfig;
25+ use SimpleSAML\Module\oidc\ValueAbstracts\SignatureKeyPairConfig;
2526use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
2627use SimpleSAML\OpenID\Codebooks\CredentialFormatIdentifiersEnum;
2728use SimpleSAML\OpenID\Codebooks\CredentialTypesEnum;
@@ -51,6 +52,12 @@ $config = [
5152 ModuleConfig::OPTION_PKI_PRIVATE_KEY_FILENAME => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,
5253 ModuleConfig::OPTION_PKI_CERTIFICATE_FILENAME => ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME,
5354
55+ // Token signer, with given default.
56+ // See Lcobucci\JWT\Signer algorithms in https://github.com/lcobucci/jwt/tree/master/src/Signer
57+ ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
58+ // ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Hmac\Sha256::class,
59+ // ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Ecdsa\Sha256::class,
60+
5461 /**
5562 * (optional) Key rollover settings related to OIDC protocol. If set, this new private / public key pair will only
5663 * be published on JWKS endpoint as available, so Relying Parties can pick them up for future use. The signing
@@ -63,6 +70,39 @@ $config = [
6370// ModuleConfig::OPTION_PKI_NEW_PRIVATE_KEY_FILENAME => 'new_oidc_module.key',
6471// ModuleConfig::OPTION_PKI_NEW_CERTIFICATE_FILENAME => 'new_oidc_module.crt',
6572
73+ /**
74+ * Default protocol (Connect) signature algorithm and key-pair definition.
75+ * This algorithm and key will be used, for example, to sign ID Token JWS,
76+ * if no other algorithm is negotiated with the client.
77+ */
78+ ModuleConfig::DEFAULT_PROTOCOL_SIGNATURE_KEY_PAIR => [
79+ 'algorithm' => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::RS256,
80+ 'privateKeyFilename' => ModuleConfig::DEFAULT_PKI_PRIVATE_KEY_FILENAME,
81+ 'publicKeyFilename' => ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME,
82+ // 'privateKeyPassword' => 'private-key-password', // Optional
83+ // 'keyId' => 'rsa-connect-signing-key-2026', // Optional
84+ ],
85+
86+ /**
87+ * Additionally supported protocol (Connect) signing algorithms and
88+ * key-pairs. These entries will be used in signing algorithm negotiation
89+ * with the client. The order in which the entries are set is important,
90+ * as the entries set first will have higher priority during negotiation.
91+ *
92+ * You can also use this config option to advertise any
93+ * (new) keys, for example, for key-rollover scenarios. Just add those
94+ * entries last.
95+ */
96+ ModuleConfig::ADDITIONAL_PROTOCOL_SIGNATURE_KEY_PAIRS => [
97+ [
98+ 'algorithm' => \SimpleSAML\OpenID\Algorithms\SignatureAlgorithmEnum::ES256,
99+ 'privateKeyFilename' => 'oidc_module_ec256.key',
100+ 'publicKeyFilename' => 'oidc_module_ec256.pub',
101+ // 'privateKeyPassword' => 'private-key-password', // Optional
102+ // 'keyId' => 'ec-connect-signing-key-01', // Optional
103+ ],
104+ ],
105+
66106 /**
67107 * Token related options.
68108 */
@@ -72,12 +112,6 @@ $config = [
72112 ModuleConfig::OPTION_TOKEN_REFRESH_TOKEN_TTL => 'P1M', // 1 month
73113 ModuleConfig::OPTION_TOKEN_ACCESS_TOKEN_TTL => 'PT1H', // 1 hour,
74114
75- // Token signer, with given default.
76- // See Lcobucci\JWT\Signer algorithms in https://github.com/lcobucci/jwt/tree/master/src/Signer
77- ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
78- // ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Hmac\Sha256::class,
79- // ModuleConfig::OPTION_TOKEN_SIGNER => \Lcobucci\JWT\Signer\Ecdsa\Sha256::class,
80-
81115 /**
82116 * Authentication related options.
83117 */
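Review bot: The ADDITIONAL_PROTOCOL_SIGNATURE_KEY_PAIRS entry in the third hunk ships active rather than as an example, pointing at `oidc_module_ec256.key` / `oidc_module_ec256.pub`, which nothing in this template creates, so a deployment that copies the template unchanged will either fail to load or advertise a key pair it does not have, depending on how the loader treats a missing file (not visible here). The neighbouring rollover example at the old lines 63–64 is kept commented out, so the consistent form would be `ModuleConfig::ADDITIONAL_PROTOCOL_SIGNATURE_KEY_PAIRS => [],` with the ES256 block left as a commented example inside it. The docblock should also state what `publicKeyFilename` accepts, since the default entry passes a certificate (`ModuleConfig::DEFAULT_PKI_CERTIFICATE_FILENAME`) while the example passes a `.pub` file, and whether an omitted `keyId` is derived or the key is then published without one. The `use SimpleSAML\Module\oidc\ValueAbstracts\SignatureKeyPairConfig;` import added in the first hunk is not referenced in any visible hunk; if it is unused it should be dropped, and if that class defines constants for the `algorithm` / `privateKeyFilename` / `publicKeyFilename` keys, referencing them instead of literal strings would keep template and parser in sync. The enclosing `$config` array opens and closes outside these hunks.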