auth0 · joshcanhelp · Dec 2, 2019 · Nov 23, 2019 · Nov 25, 2019 · Nov 25, 2019
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -36,11 +36,8 @@ commands:
   run-formatting:
     steps:
       - run:
-          name: Running Linter and Formatting
+          name: Run i18n check and PHP compatibility
           command: |
-            composer phpcbf
-            composer phpcbf-tests
-            composer phpcs-tests
             composer phpcs-i18n
             composer compat
   run-tests:
@@ -55,7 +52,7 @@ commands:
 jobs:
   php_7:
     docker:
-      - image: circleci/php:7.1
+      - image: circleci/php:7.0
       - image: circleci/mysql:5.6
         environment:
           MYSQL_ALLOW_EMPTY_PASSWORD: true

diff --git a/WP_Auth0.php b/WP_Auth0.php
@@ -30,6 +30,7 @@
 
 define( 'WPA0_LANG', 'wp-auth0' ); // deprecated; do not use for translations
 
+require_once 'vendor/autoload.php';
 require_once 'functions.php';
 
 /*
@@ -434,16 +435,6 @@ public static function uninstall() {
 	private function autoloader( $class ) {
 		$source_dir = WPA0_PLUGIN_DIR . 'lib/';
 
-		// Catch non-name-spaced classes that still need auto-loading.
-		switch ( $class ) {
-			case 'JWT':
-			case 'BeforeValidException':
-			case 'ExpiredException':
-			case 'SignatureInvalidException':
-				require_once $source_dir . 'php-jwt/' . $class . '.php';
-				return true;
-		}
-
 		// Anything that's not part of the above and not name-spaced can be skipped.
 		if ( 0 !== strpos( $class, 'WP_Auth0' ) ) {
 			return false;
@@ -457,6 +448,7 @@ private function autoloader( $class ) {
 			$source_dir . 'profile/',
 			$source_dir . 'wizard/',
 			$source_dir . 'initial-setup/',
+			$source_dir . 'token-verifier/',
 		];
 
 		foreach ( $paths as $path ) {

diff --git a/composer.json b/composer.json
@@ -4,7 +4,8 @@
     "homepage": "https://auth0.com/wordpress",
     "license": "GPLv2",
     "require": {
-        "php": "^7.0"
+        "php": "^7.0",
+        "lcobucci/jwt": "^3.3.0"
     },
     "require-dev": {
         "dealerdirect/phpcodesniffer-composer-installer": "^0.5",

diff --git a/functions.php b/functions.php
@@ -16,7 +16,7 @@
  */
 function wp_auth0_generate_token() {
 	$token = WP_Auth0_Nonce_Handler::get_instance()->generate_unique( 64 );
-	return JWT::urlsafeB64Encode( $token );
+	return wp_auth0_url_base64_encode( $token );
 }
 
 /**
@@ -117,6 +117,33 @@ function wp_auth0_can_show_wp_login_form() {
 	return false;
 }
 
+/**
+ * @param $input
+ *
+ * @return mixed
+ *
+ * @see https://github.com/firebase/php-jwt/blob/v5.0.0/src/JWT.php#L337
+ */
+function wp_auth0_url_base64_encode( $input ) {
+	return str_replace( '=', '', strtr( base64_encode( $input ), '+/', '-_' ) );
+}
+
+/**
+ * @param $input
+ *
+ * @return bool|string
+ *
+ * @see https://github.com/firebase/php-jwt/blob/v5.0.0/src/JWT.php#L320
+ */
+function wp_auth0_url_base64_decode( $input ) {
+	$remainder = strlen( $input ) % 4;
+	if ( $remainder ) {
+		$padlen = 4 - $remainder;
+		$input .= str_repeat( '=', $padlen );
+	}
+	return base64_decode( strtr( $input, '-_', '+/' ) );
+}
+
 if ( ! function_exists( 'get_auth0userinfo' ) ) {
 	/**
 	 * Get the Auth0 profile from the database, if one exists.

diff --git a/lib/WP_Auth0_Api_Client.php b/lib/WP_Auth0_Api_Client.php
@@ -446,68 +446,6 @@ public static function ConsentRequiredScopes() {
 		];
 	}
 
-	/**
-	 * Convert a certificate to PEM format.
-	 *
-	 * @param string $cert - Certificate, like from .well-known/jwks.json.
-	 *
-	 * @return string
-	 */
-	protected static function convertCertToPem( $cert ) {
-		return '-----BEGIN CERTIFICATE-----' . PHP_EOL
-			   . chunk_split( $cert, 64, PHP_EOL )
-			   . '-----END CERTIFICATE-----' . PHP_EOL;
-	}
-
-	/**
-	 * Get and cache a JWKS.
-	 *
-	 * @param string $domain - Issuer domain.
-	 *
-	 * @return array|bool|mixed
-	 */
-	public static function JWKfetch( $domain ) {
-
-		$a0_options = WP_Auth0_Options::Instance();
-
-		$endpoint = "https://$domain/.well-known/jwks.json";
-
-		if ( false === ( $secret = get_transient( WPA0_JWKS_CACHE_TRANSIENT_NAME ) ) ) {
-
-			$secret = [];
-
-			$response = wp_remote_get( $endpoint, [] );
-
-			if ( $response instanceof WP_Error ) {
-				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $response );
-				error_log( $response->get_error_message() );
-				return false;
-			}
-
-			if ( $response['response']['code'] != 200 ) {
-				WP_Auth0_ErrorManager::insert_auth0_error( __METHOD__, $response['body'] );
-				error_log( $response['body'] );
-				return false;
-			}
-
-			if ( $response['response']['code'] >= 300 ) {
-				return false;
-			}
-
-			$jwks = json_decode( $response['body'], true );
-
-			foreach ( $jwks['keys'] as $key ) {
-				$secret[ $key['kid'] ] = self::convertCertToPem( $key['x5c'][0] );
-			}
-
-			if ( $cache_expiration = $a0_options->get( 'cache_expiration' ) ) {
-				set_transient( WPA0_JWKS_CACHE_TRANSIENT_NAME, $secret, $cache_expiration * MINUTE_IN_SECONDS );
-			}
-		}
-
-		return $secret;
-	}
-
 	/**
 	 * Return the grant types needed for new clients.
 	 *

diff --git a/lib/WP_Auth0_Id_Token_Validator.php b/lib/WP_Auth0_Id_Token_Validator.php
diff --git a/lib/WP_Auth0_LoginManager.php b/lib/WP_Auth0_LoginManager.php
@@ -78,10 +78,7 @@ public function login_auto() {
 		$auth_params = self::get_authorize_params( $connection );
 
 		WP_Auth0_State_Handler::get_instance()->set_cookie( $auth_params['state'] );
-
-		if ( isset( $auth_params['nonce'] ) ) {
-			WP_Auth0_Nonce_Handler::get_instance()->set_cookie();
-		}
+		WP_Auth0_Nonce_Handler::get_instance()->set_cookie( $auth_params['nonce'] );
 
 		$auth_url = self::build_authorize_url( $auth_params );
 		wp_redirect( $auth_url );
@@ -174,8 +171,7 @@ public function redirect_login() {
 		$refresh_token = isset( $data->refresh_token ) ? $data->refresh_token : null;
 
 		// Decode the incoming ID token for the Auth0 user.
-		$jwt_verifier  = new WP_Auth0_Id_Token_Validator( $id_token, $this->a0_options );
-		$decoded_token = $jwt_verifier->decode();
+		$decoded_token = $this->decode_id_token( $id_token );
 
 		// Attempt to authenticate with the Management API, if allowed.
 		$userinfo = null;
@@ -232,8 +228,7 @@ public function implicit_login() {
 		$id_token_param = ! empty( $_POST['id_token'] ) ? $_POST['id_token'] : $_POST['token'];
 		$id_token       = sanitize_text_field( wp_unslash( $id_token_param ) );
 
-		$jwt_verifier  = new WP_Auth0_Id_Token_Validator( $id_token, $this->a0_options );
-		$decoded_token = $jwt_verifier->decode( true );
+		$decoded_token = $this->decode_id_token( $id_token );
 		$decoded_token = $this->clean_id_token( $decoded_token );
 
 		if ( $this->login_user( $decoded_token, $id_token ) ) {
@@ -460,24 +455,18 @@ public static function get_authorize_params( $connection = null, $redirect_to =
 		$opts         = WP_Auth0_Options::Instance();
 		$lock_options = new WP_Auth0_Lock10_Options();
 		$is_implicit  = (bool) $opts->get( 'auth0_implicit_workflow', false );
-		$nonce        = WP_Auth0_Nonce_Handler::get_instance()->get_unique();
 
 		$params = [
+			'connection'    => $connection,
 			'client_id'     => $opts->get( 'client_id' ),
 			'scope'         => self::get_userinfo_scope( 'authorize_url' ),
+			'nonce'         => WP_Auth0_Nonce_Handler::get_instance()->get_unique(),
+			'max_age'       => absint( apply_filters( 'auth0_jwt_max_age', null ) ),
 			'response_type' => $is_implicit ? 'id_token' : 'code',
 			'response_mode' => $is_implicit ? 'form_post' : 'query',
 			'redirect_uri'  => $is_implicit ? $lock_options->get_implicit_callback_url() : $opts->get_wp_auth0_url(),
 		];
 
-		if ( $is_implicit ) {
-			$params['nonce'] = $nonce;
-		}
-
-		if ( ! empty( $connection ) ) {
-			$params['connection'] = $connection;
-		}
-
 		// Where should the user be redirected after logging in?
 		if ( empty( $redirect_to ) ) {
 			$redirect_to = empty( $_GET['redirect_to'] )
@@ -498,7 +487,7 @@ public static function get_authorize_params( $connection = null, $redirect_to =
 			$filtered_params['state'] = base64_encode( json_encode( $filtered_state ) );
 		}
 
-		return $filtered_params;
+		return array_filter( $filtered_params );
 	}
 
 	/**
@@ -573,6 +562,33 @@ protected function die_on_login( $msg = '', $code = 0 ) {
 		wp_die( $html );
 	}
 
+	/**
+	 * @param $id_token
+	 * @return object
+	 * @throws WP_Auth0_InvalidIdTokenException
+	 */
+	private function decode_id_token( $id_token ) {
+		$expectedIss = 'https://' . $this->a0_options->get( 'domain' ) . '/';
+		$expectedAlg = $this->a0_options->get( 'client_signing_algorithm' );
+		if ( 'RS256' === $expectedAlg ) {
+			$jwks        = ( new WP_Auth0_JwksFetcher() )->getKeys();
+			$sigVerifier = new WP_Auth0_AsymmetricVerifier( $jwks );
+		} elseif ( 'HS256' === $expectedAlg ) {
+			$sigVerifier = new WP_Auth0_SymmetricVerifier( $this->a0_options->get( 'client_secret' ) );
+		} else {
+			throw new WP_Auth0_InvalidIdTokenException( 'Signing algorithm of "' . $expectedAlg . '" is not supported.' );
+		}
+
+		$verifierOptions = [
+			'nonce'   => WP_Auth0_Nonce_Handler::get_instance()->get_once(),
+			'leeway'  => absint( apply_filters( 'auth0_jwt_leeway', null ) ),
+			'max_age' => absint( apply_filters( 'auth0_jwt_max_age', null ) ),
+		];
+
+		$idTokenVerifier = new WP_Auth0_IdTokenVerifier( $expectedIss, $this->a0_options->get( 'client_id' ), $sigVerifier );
+		return (object) $idTokenVerifier->verify( $id_token, $verifierOptions );
+	}
+
 	/**
 	 * Remove unnecessary ID token properties.
 	 *