[Security] Set OIDC JWKS cache TTL from provider headers #62369

Ali-HENDA · 2025-11-12T21:16:49Z

Q	A
Branch?	7.4
Bug fix?	yes
New feature?	no
Deprecations?	no
Issues	Fix #62340
License	MIT

This PR aligns the OIDC JWKS discovery cache with OpenID Connect best practices by making it dynamic and respecting provider cache headers.

Before

The JWKS was cached with a fixed lifetime, ignoring the OIDC provider’s cache policy.

After

The cache TTL is now automatically determined from the provider response:
- Prefer Cache-Control: max-age
- Fallback to Expires
- When multiple providers are configured, the lowest TTL is applied.

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php

nicolas-grekas

I'd consider this as a bugfix for 7.4

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php

nicolas-grekas · 2025-11-14T09:59:37Z

Thank you @Ali-HENDA.

stof · 2025-11-19T15:04:22Z

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php

+     * The cache entry lifetime is automatically adjusted based on the lowest TTL
+     * advertised by the providers (via "Cache-Control: max-age" or "Expires" headers).
+     *
+     * @internal this method is public to enable async offline cache population


Where is this method called publicly ?

Because per PR #30572, async recomputation via Messenger only works with callables of the form [$service, 'publicMethod'], so the callback must be public.

stof · 2025-11-19T15:07:07Z

src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php

+            }
+
+            $jwkSetResponses = [];
+            foreach ($client->stream($configResponses) as $response => $chunk) {


This is broken IMO:

$client might be undefined (if the loop is empty)

if the clients are different, there is no guarantee that calling stream will work. Responses must be streamed with the client that created them.

After checking, this issue was already present before my patch. I didn't notice it when working on the cache handling. You're absolutely right to point it out.

@Ali-HENDA up to send a PR fixing this?

Sure, I’ll open a PR for this.

jdreesen · 2025-11-19T15:38:42Z

src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

+        $this->assertSame('user-cache-control', $handler->getUserBadgeFrom($token)->getUserIdentifier());
+        $this->assertSame(2, $requestCount);
+        $this->assertSame('user-cache-control', $handler->getUserBadgeFrom($token)->getUserIdentifier());
+        $this->assertSame(2, $requestCount);


Why are these lines duplicated?

And does this test actually test that the cache-control header is used as cache TTL?

The lines are duplicated because the first call fills the cache (2 requests) and the second call verifies that the cached JWKS is reused (request count stays at 2). The TTL is tested implicitly: since the second call happens
within the max-age window, it must be a cache hit.

jdreesen · 2025-11-19T15:38:53Z

src/Symfony/Component/Security/Http/Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

+        $this->assertSame('user-expires', $handler->getUserBadgeFrom($token)->getUserIdentifier());
+        $this->assertSame(2, $requestCount);
+        $this->assertSame('user-expires', $handler->getUserBadgeFrom($token)->getUserIdentifier());
+        $this->assertSame(2, $requestCount);


Same reason as above

…nt instances are used (Ali-HENDA) This PR was merged into the 7.4 branch. Discussion ---------- [Security][Http] Fix OIDC discovery when multiple HttpClient instances are used | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix | License | MIT This PR fixes an issue in the OIDC JWKS discovery logic revealed in the discussion of #62369. $client->stream() was used incorrectly: $client could be undefined, and responses must be streamed using the same client instance that created them, which breaks when multiple HttpClientInterface instances are configured. The logic now performs sequential discovery per client, avoiding cross-client streaming and ensuring correctness. This PR also hardens the "use" check ($key['use'] ?? null). Commits ------- 7a885d2 [Security] Fix OIDC discovery when using multiple HttpClient instances

Ali-HENDA requested a review from chalasr as a code owner November 12, 2025 21:16

carsonbot added Status: Needs Review Feature Security labels Nov 12, 2025

carsonbot added this to the 7.4 milestone Nov 12, 2025

nicolas-grekas reviewed Nov 12, 2025

View reviewed changes