Skip to content

[Security][Http] Fix OIDC discovery when multiple HttpClient instances are used #62495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Dec 5, 2025
Merged

[Security][Http] Fix OIDC discovery when multiple HttpClient instances are used #62495

nicolas-grekas merged 1 commit into from
Dec 5, 2025
+100 −13

Conversation

@Ali-HENDA
Copy link
Contributor

@Ali-HENDA Ali-HENDA commented Nov 24, 2025

Q A
Branch? 7.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix
License MIT

This PR fixes an issue in the OIDC JWKS discovery logic revealed in the discussion of #62369.
$client->stream() was used incorrectly:
$client could be undefined, and responses must be streamed using the same client instance that created them, which breaks when multiple HttpClientInterface instances are configured.
The logic now performs sequential discovery per client, avoiding cross-client streaming and ensuring correctness.

This PR also hardens the "use" check ($key['use'] ?? null).

@Ali-HENDA Ali-HENDA requested a review from chalasr as a code owner November 24, 2025 09:48
@carsonbot carsonbot added this to the 7.4 milestone Nov 24, 2025
@Ali-HENDA Ali-HENDA force-pushed the fix/oidc-jwks-streaming branch from ae5e619 to 561d8b4 Compare November 24, 2025 09:55
@Ali-HENDA Ali-HENDA force-pushed the fix/oidc-jwks-streaming branch from 561d8b4 to 7c7b38b Compare November 24, 2025 15:41
@Ali-HENDA Ali-HENDA force-pushed the fix/oidc-jwks-streaming branch from 7c7b38b to 7a885d2 Compare November 24, 2025 15:47
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Dec 5, 2025

Thank you @Ali-HENDA.

@nicolas-grekas nicolas-grekas merged commit ea169db into symfony:7.4 Dec 5, 2025
12 checks passed
This was referenced Dec 7, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stof stof stof left review comments

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees

No one assigned

Labels

Bug Security Status: Needs Review

Projects

None yet

Milestone

7.4

Development

Successfully merging this pull request may close these issues.

4 participants

@Ali-HENDA @nicolas-grekas @stof @carsonbot