From ca7429b218d5f043cc440dcd98fc27e4e0f1e418 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Tue, 5 Jul 2022 08:55:57 +0200
Subject: [PATCH] feat: verify JWT using JWK header
---
 CHANGELOG.md | 12 ++++++++++++
 src/OpenIDConnectClient.php | 19 +++++++++++++------
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 836f26d2..2e152976 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+## [unreleased]
+
+### Added
+
+* Support for Self-Contained JWTs. #308
+* Support for RFC8693 Token Exchange Request. #275
+
+### Fixed
+
+* PHP 5.4 compatibility. #304
+* Use session_status(). #306
+
 ## [0.9.6]
 ### Added
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 12f63c17..6fd6d117 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1051,14 +1051,11 @@ public function verifyJWTsignature($jwt) {
 if (null === $header || !\is_object($header)) {
 throw new OpenIDConnectClientException('Error decoding JSON from token header');
 }
- $payload = implode('.', $parts);
- $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
- if ($jwks === NULL) {
- throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
- }
 if (!isset($header->alg)) {
 throw new OpenIDConnectClientException('Error missing signature type in token header');
 }
+
+ $payload = implode('.', $parts);
 switch ($header->alg) {
 case 'RS256':
 case 'PS256':
@@ -1067,8 +1064,18 @@ public function verifyJWTsignature($jwt) {
 $hashtype = 'sha' . substr($header->alg, 2);
 $signatureType = $header->alg === 'PS256' ? 'PSS' : '';
+ if (isset($header->jwk)) {
+ $jwk = $header->jwk;
+ } else {
+ $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
+ if ($jwks === NULL) {
+ throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
+ }
+ $jwk = $this->getKeyForHeader($jwks->keys, $header);
+ }
+
 $verified = $this->verifyRSAJWTsignature($hashtype,
- $this->getKeyForHeader($jwks->keys, $header),
+ $jwk,
 $payload, $signature, $signatureType);
 break;
 case 'HS256':
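Review bot: The new `if (isset($header->jwk))` branch takes the verification key from the token's own header, which is supplied by whoever presents the token, so a passing signature check shows only that the token is self-consistent, not that the configured provider issued it. Nothing visible in this hunk ties `$header->jwk` back to the keys published at `jwks_uri`, and the provider key set is no longer fetched at all on this path. I would keep `$jwk = $this->getKeyForHeader($jwks->keys, $header);` as the only source of the key, or accept the embedded key only after confirming it matches an entry in `$jwks->keys`, and in any case put the branch behind an explicit setting that defaults to off. The body of verifyJWTsignature starts and ends outside the hunk, so a later trust check cannot be ruled out from here and should be confirmed.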