From 1a468a40175e6d3366328678309623985ca2b150 Mon Sep 17 00:00:00 2001
From: Rick Lambrechts
Date: Tue, 23 Apr 2024 11:16:21 +0200
Subject: [PATCH] fix: Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed (#373)

* Removed duplicate check on jwks_uri

* Update CHANGELOG

* Only check jwks_uri when needed

* Update changelog
---
 CHANGELOG.md                |  1 +
 src/OpenIDConnectClient.php | 17 +++++++----------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93149158..4055711f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added dependabot for GitHub Actions #407
 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
 - Check subject when verifying JWT #406
+- Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
 
 ## [1.0.0] - 2023-12-13
 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index abb37d8e..adabf80c 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -469,12 +469,7 @@ public function verifyLogoutToken(): bool
         $claims = $this->decodeJWT($logout_token, 1);
 
         // Verify the signature
-        if (!$this->getProviderConfigValue('jwks_uri')) {
-            throw new OpenIDConnectClientException('Back-channel logout: Unable to verify signature due to no jwks_uri being defined');
-        }
-        if (!$this->verifyJWTSignature($logout_token)) {
-            throw new OpenIDConnectClientException('Back-channel logout: Unable to verify JWT signature');
-        }
+        $this->verifySignatures($logout_token);
 
         // Verify Logout Token Claims
         if ($this->verifyLogoutTokenClaims($claims)) {
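Review bot: The replacement `$this->verifySignatures($logout_token)` drops the `Back-channel logout:` prefix that both removed throw statements carried, so a failed logout-token signature now surfaces as the generic 'Unable to verify signature' and is indistinguishable in logs from an ID-token failure. If that prefix matters for triage, wrap the call and rethrow with context: `try { $this->verifySignatures($logout_token); } catch (OpenIDConnectClientException $e) { throw new OpenIDConnectClientException('Back-channel logout: ' . $e->getMessage()); }` (pass the original as `previous` if the exception class accepts it). Otherwise the consolidation looks correct, since verifySignatures now relies on verifyJWTSignature for the jwks_uri check. verifyLogoutToken starts and ends outside the hunk.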
@@ -1134,7 +1129,12 @@ public function verifyJWTSignature(string $jwt): bool
             $jwk = $header->jwk;
             $this->verifyJWKHeader($jwk);
         } else {
-            $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')), false);
+            $jwksUri = $this->getProviderConfigValue('jwks_uri');
+            if (!$jwksUri) {
+                throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
+            }
+
+            $jwks = json_decode($this->fetchURL($jwksUri), false);
             if ($jwks === NULL) {
                 throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
             }
@@ -1164,9 +1164,6 @@ public function verifyJWTSignature(string $jwt): bool
      */
     public function verifySignatures(string $jwt)
     {
-        if (!$this->getProviderConfigValue('jwks_uri')) {
-            throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');
-        }
         if (!$this->verifyJWTSignature($jwt)) {
             throw new OpenIDConnectClientException ('Unable to verify signature');
         }
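Review bot: The added `throw new OpenIDConnectClientException ('Unable to verify signature due to no jwks_uri being defined');` has a space before the argument list, while the `throw` three lines below in the same hunk writes `OpenIDConnectClientException('Error decoding JSON from jwks_uri')`; keep the PSR-12 form `throw new OpenIDConnectClientException('Unable to verify signature due to no jwks_uri being defined');`. The guard `if (!$jwksUri)` relies on truthiness, which presumably targets a null or false return from getProviderConfigValue; if that method can instead throw on a missing key, the new message is unreachable and the guard could be dropped, so that is worth confirming. The enclosing verifyJWTSignature starts and ends outside the hunk.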
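Review bot: `public function verifySignatures(string $jwt)` in the context line of the last hunk declares no return type although the method now only throws or falls through; adding `public function verifySignatures(string $jwt): void` states that contract, provided no subclass overrides the method with a different signature. The docblock above it starts outside the hunk; if it does not already do so, it should record that an `OpenIDConnectClientException` is thrown both when the signature fails and when no jwks_uri is configured, since the second case now originates inside verifyJWTSignature rather than here.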