Merge pull request #308 from jumbojett/feat/support-header-jwk

feat: verify JWT using JWK header
jumbojett · Jul 13, 2022 · e77e20f · e77e20f
2 parents 6dbd282 + ca7429b
commit e77e20f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [unreleased]
+
+### Added
+
+* Support for Self-Contained JWTs. #308
+* Support for RFC8693 Token Exchange Request. #275
+
+### Fixed
+
+* PHP 5.4 compatibility. #304
+* Use session_status(). #306
+
 ## [0.9.6]
 
 ### Added

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -1051,14 +1051,11 @@ public function verifyJWTsignature($jwt) {
         if (null === $header || !\is_object($header)) {
             throw new OpenIDConnectClientException('Error decoding JSON from token header');
         }
-        $payload = implode('.', $parts);
-        $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
-        if ($jwks === NULL) {
-            throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
-        }
         if (!isset($header->alg)) {
             throw new OpenIDConnectClientException('Error missing signature type in token header');
         }
+
+        $payload = implode('.', $parts);
         switch ($header->alg) {
             case 'RS256':
             case 'PS256':
@@ -1067,8 +1064,18 @@ public function verifyJWTsignature($jwt) {
                 $hashtype = 'sha' . substr($header->alg, 2);
                 $signatureType = $header->alg === 'PS256' ? 'PSS' : '';
 
+                if (isset($header->jwk)) {
+                    $jwk = $header->jwk;
+                } else {
+                    $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
+                    if ($jwks === NULL) {
+                        throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
+                    }
+                    $jwk = $this->getKeyForHeader($jwks->keys, $header);
+                }
+
                 $verified = $this->verifyRSAJWTsignature($hashtype,
-                    $this->getKeyForHeader($jwks->keys, $header),
+                    $jwk,
                     $payload, $signature, $signatureType);
                 break;
             case 'HS256':