Skip to content

[SecurityBundle] Remove deprecated OIDC token handler options algorithm and key #60929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 8.0
Choose a base branch
from
Open

[SecurityBundle] Remove deprecated OIDC token handler options algorithm and key #60929

wants to merge 2 commits into from
+26 −121

Conversation

OskarStark
Copy link
Contributor

Q A
Branch? 8.0
Bug fix? no
New feature? no
Deprecations? no
Issues --
License MIT

@OskarStark OskarStark requested a review from chalasr as a code owner June 27, 2025 21:04
@carsonbot carsonbot added this to the 8.0 milestone Jun 27, 2025
OskarStark
OskarStark commented Jun 27, 2025
View reviewed changes
...y/Bundle/SecurityBundle/DependencyInjection/Security/AccessToken/OidcTokenHandlerFactory.php
Comment on lines +95 to +96
->ifTrue(static fn ($v) => !isset($v['algorithms']))
->thenInvalid('You must set "algorithms".')
Copy link
Contributor Author

@OskarStark OskarStark Jun 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be removed, right? As algorithms is marked with isRequired()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so yes
you might want to verify on a proto app of course

@OskarStark OskarStark force-pushed the remove-oidc-deprecated-options branch from d4eb6c2 to 3b3362f Compare June 27, 2025 21:30
@OskarStark
[SecurityBundle] Remove deprecated OIDC token handler options algorit…
3ae1f9f 
…hm and key

Remove the deprecated algorithm and key options from the OIDC token handler configuration,
use algorithms and keyset instead.

- Add CHANGELOG entry
- Add UPGRADE-8.0.md entry with before/after examples
- Remove legacy test for deprecated options
- No need to remove symfony/deprecation-contracts (not present)
@OskarStark OskarStark force-pushed the remove-oidc-deprecated-options branch from 3b3362f to 3ae1f9f Compare June 27, 2025 21:32
nicolas-grekas
nicolas-grekas reviewed Jun 27, 2025
View reviewed changes
nicolas-grekas
nicolas-grekas reviewed Jun 28, 2025
View reviewed changes
UPGRADE-8.0.md
Comment on lines +339 to +350
# config/packages/security.yaml
security:
firewalls:
main:
access_token:
token_handler:
oidc:
- algorithm: 'RS256'
- key: 'https://example.com/.well-known/jwks.json'
+ algorithms: ['RS256']
+ keyset: 'https://example.com/.well-known/jwks.json'
```
Copy link
Member

@nicolas-grekas nicolas-grekas Jun 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in a diff, non modified lines must start with an extra space (instead of a + / - for changed lines):

Suggested change
# config/packages/security.yaml
security:
firewalls:
main:
access_token:
token_handler:
oidc:
- algorithm: 'RS256'
- key: 'https://example.com/.well-known/jwks.json'
+ algorithms: ['RS256']
+ keyset: 'https://example.com/.well-known/jwks.json'
```
# config/packages/security.yaml
security:
firewalls:
main:
access_token:
token_handler:
oidc:
- algorithm: 'RS256'
- key: 'https://example.com/.well-known/jwks.json'
+ algorithms: ['RS256']
+ keyset: 'https://example.com/.well-known/jwks.json'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
SecurityBundle Status: Needs Review
Projects
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
3 participants
@OskarStark @nicolas-grekas @carsonbot
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy