fix: Removed duplicate check on jwks_uri and only check if jwks_uri e…

…xists when needed (#373) * Removed duplicate check on jwks_uri * Update CHANGELOG * Only check jwks_uri when needed * Update changelog
jumbojett · Apr 23, 2024 · 1a468a4 · 1a468a4
1 parent 0c8f54d
commit 1a468a4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added dependabot for GitHub Actions #407
 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
 - Check subject when verifying JWT #406
+- Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
 
 ## [1.0.0] - 2023-12-13
 

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -469,12 +469,7 @@ public function verifyLogoutToken(): bool
             $claims = $this->decodeJWT($logout_token, 1);
 
             // Verify the signature
-            if (!$this->getProviderConfigValue('jwks_uri')) {
-                throw new OpenIDConnectClientException('Back-channel logout: Unable to verify signature due to no jwks_uri being defined');
-            }
-            if (!$this->verifyJWTSignature($logout_token)) {
-                throw new OpenIDConnectClientException('Back-channel logout: Unable to verify JWT signature');
-            }
+            $this->verifySignatures($logout_token);
 
             // Verify Logout Token Claims
             if ($this->verifyLogoutTokenClaims($claims)) {
@@ -1134,7 +1129,12 @@ public function verifyJWTSignature(string $jwt): bool
                     $jwk = $header->jwk;
                     $this->verifyJWKHeader($jwk);
                 } else {
-                    $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')), false);
+                    $jwksUri = $this->getProviderConfigValue('jwks_uri');
+                    if (!$jwksUri) {
+                        throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
+                    }
+
+                    $jwks = json_decode($this->fetchURL($jwksUri), false);
                     if ($jwks === NULL) {
                         throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
                     }
@@ -1164,9 +1164,6 @@ public function verifyJWTSignature(string $jwt): bool
      */
     public function verifySignatures(string $jwt)
     {
-        if (!$this->getProviderConfigValue('jwks_uri')) {
-            throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
-        }
         if (!$this->verifyJWTSignature($jwt)) {
             throw new OpenIDConnectClientException ('Unable to verify signature');
         }