Commit f130545d authored by Sigmund Augdal

Use firebase/php-jwt to verify id token signatures and expiry

parent 8b3e3cc9
......@@ -4,8 +4,54 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "40d013c07436af245bd2ab924546078e",
"content-hash": "58b5c766eb8f08fa174ea991f319e15d",
"packages": [
{
"name": "firebase/php-jwt",
"version": "v5.0.0",
"source": {
"type": "git",
"url": "https://github.com/firebase/php-jwt.git",
"reference": "9984a4d3a32ae7673d6971ea00bae9d0a1abba0e"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/firebase/php-jwt/zipball/9984a4d3a32ae7673d6971ea00bae9d0a1abba0e",
"reference": "9984a4d3a32ae7673d6971ea00bae9d0a1abba0e",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"require-dev": {
"phpunit/phpunit": " 4.8.35"
},
"type": "library",
"autoload": {
"psr-4": {
"Firebase\\JWT\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"authors": [
{
"name": "Neuman Vong",
"role": "Developer",
"email": "neuman+pear@twilio.com"
},
{
"name": "Anant Narayanan",
"role": "Developer",
"email": "anant@php.net"
}
],
"description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
"homepage": "https://github.com/firebase/php-jwt",
"time": "2017-06-27T22:17:23+00:00"
},
{
"name": "gettext/gettext",
"version": "v4.6.3",
......
......@@ -2,6 +2,7 @@
namespace SimpleSAML\Module\authoauth2\Auth\Source;
use Firebase\JWT;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Token\AccessToken;
use SimpleSAML\Auth;
......@@ -55,6 +56,18 @@ class OpenIDConnect extends \SimpleSAML\Module\authoauth2\Auth\Source\OAuth2
* @return array associative array of claims decoded from the id token
*/
protected function verifyIdToken($id_token) {
$keys = $this->config->getArray('keys', null);
if ($keys) {
try {
JWT\JWT::decode($id_token, $keys, ['RS256']);
} catch (\UnexpectedValueException $e) {
$e2 = new \SimpleSAML\Error\AuthSource(
$this->getAuthId(),
"ID token validation failed: " . $e->getMessage()
);
\SimpleSAML\Auth\State::throwException($state, $e2);
}
}
$id_token_claims = $this->extraIdTokenAttributes($id_token);
if ($id_token_claims['aud'] !== $this->config->getString('clientId')) {
$e = new \SimpleSAML\Error\AuthSource($this->getAuthId(), "ID token has incorrect audience");
......
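Review bot: `$state` on the `\SimpleSAML\Auth\State::throwException($state, $e2)` line is never defined — `verifyIdToken` takes only `$id_token` and nothing in the hunk assigns a local of that name — so a signature or expiry failure reaches that call with an undefined variable instead of being reported as an authentication error. The audience check a few lines below builds its error as `$e` (how it is raised is outside the hunk, as is the rest of the method); the new branch should fail the same way, so the simplest fix is to replace the throwException line with `throw $e2;`. Separately, the verified payload returned by `JWT\JWT::decode` is thrown away and the claims are re-read with `extraIdTokenAttributes($id_token)`, and when `keys` is absent from the config the token is accepted with no signature check at all — a log warning in that path would make an unverified deployment visible. As far as I recall, php-jwt 5.x can also raise `\DomainException` (malformed JSON in a token segment) and `\InvalidArgumentException` from decode, so catching `\UnexpectedValueException | \DomainException | \InvalidArgumentException` avoids an unhandled exception from a garbled token.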
......@@ -57,7 +57,23 @@ SNIP1;
if (isset($conf->end_session_endpoint)) {
echo " 'urlEndSession' => '$conf->end_session_endpoint',\n";
}
$jwksData = file_get_contents($conf->jwks_uri);
if (!$jwksData) {
echo "Failed to get jwks data from $conf->jwks_uri\n";
exit;
}
$jwks = json_decode($jwksData, true);
if (!$jwks) {
echo "Failed to json decode jwks data: " . $jwksData;
exit;
}
$keys = [];
foreach ($jwks['keys'] as $key) {
$kid = $key['kid'];
$x5c = $key['x5c'];
$keys[$kid] = "-----BEGIN CERTIFICATE-----\n" . $x5c[0] . "\n-----END CERTIFICATE-----";
}
echo " 'keys' => " . var_export($keys, true);
echo <<<SNIP2
),
......
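Review bot: The key loop assumes every JWK carries `kid` and `x5c`, but `x5c` is optional in a JWK and several providers publish only `n`/`e`; for such a key `$key['x5c']` is undefined and the script quietly emits an empty `-----BEGIN CERTIFICATE-----` block that will only fail later at token verification. Skip keys without an `x5c` (or `kid`) with a message instead of writing a broken entry, as below; deriving a PEM from `n`/`e` is more involved and can be a follow-up. Also `file_get_contents($conf->jwks_uri)` trusts whatever scheme the discovery document supplied — since these certificates become the trust anchors for every ID token, consider refusing a non-`https://` `jwks_uri` before fetching (`$conf` is built outside this hunk). Finally, a comment above the `'keys' =>` line such as `// Snapshot of the provider's signing certificates; regenerate when the provider rotates keys` would save a future outage, since the generated config does not follow key rotation.
```php
foreach ($jwks['keys'] as $key) {
    // Only x5c-bearing keys can be turned into a PEM here; bare n/e keys are skipped.
    if (empty($key['kid']) || empty($key['x5c'][0])) {
        echo "Skipping JWK without kid/x5c: " . json_encode($key) . "\n";
        continue;
    }
    $keys[$key['kid']] = "-----BEGIN CERTIFICATE-----\n" . $key['x5c'][0] . "\n-----END CERTIFICATE-----";
}
// … unchanged: echo of 'keys' => var_export(...) …
```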