Inheritance: extends Countable, extends Iterator, extends JsonSerializable, extends ArrayAccess
 /**
  * Builds and signs a JWT from the given payload.
  *
  * The caller's claims are merged with those returned by
  * getAdditionalPayload() (on a key collision the additional payload wins,
  * as array_merge does). The first key of the signature key set signs the
  * result; when that key carries a "kid" it is copied into the protected
  * header so verifiers can look the key up.
  *
  * NOTE(review): the key is taken by index (getKey(0)) without checking its
  * "use"/"alg" against the configured headers, and it is dereferenced with
  * has() without a null-check — an empty key set fails with an Error rather
  * than an explicit message. Confirm the key set is validated at set-up time.
  *
  * @param array $payload
  *
  * @return string
  */
 private function sign(array $payload)
 {
     $claims = array_merge($payload, $this->getAdditionalPayload());
     $protected_headers = $this->getSignatureHeaders();
     $key = $this->signature_jwkset->getKey(0);
     if ($key->has('kid')) {
         $protected_headers['kid'] = $key->get('kid');
     }

     return $this->jwt_creator->sign($claims, $protected_headers, $key);
 }
 /**
  * Signs the userinfo claims and, when the client requires it, encrypts the result.
  *
  * The first key of the signature key set signs the claims with the configured
  * signature algorithm ("typ" is set to "JWT"). If the client exposes a public
  * key set and declares both an encrypted-response "alg" and "enc", the signed
  * token is wrapped in a JWE for the client's first "enc" key. A client without
  * a usable encryption key receives the plain JWS.
  *
  * NOTE(review): the signing key is picked by index rather than with
  * selectKey('sig', alg) as createIdToken does, so a key that does not support
  * the configured algorithm is not detected here. The encryption parameters are
  * read from the id_token_encrypted_response_* client metadata although this
  * is the userinfo response — OIDC defines separate userinfo_encrypted_response_*
  * parameters; confirm this is intended before relying on it.
  *
  * @param array                          $claims
  * @param \OAuth2\Client\ClientInterface $client
  *
  * @return string
  */
 private function signAndEncrypt($claims, ClientInterface $client)
 {
     $key = $this->signature_key_set->getKey(0);
     Assertion::notNull($key, 'Unable to find a key to sign the userinfo response. Please verify the selected key set contains suitable keys.');
     $signature_headers = ['typ' => 'JWT', 'alg' => $this->signature_algorithm];
     $token = $this->getJWTCreator()->sign($claims, $signature_headers, $key);

     $wants_encryption = $client->hasPublicKeySet()
         && $client->has('id_token_encrypted_response_alg')
         && $client->has('id_token_encrypted_response_enc');
     if (!$wants_encryption) {
         return $token;
     }

     $recipient_key = $client->getPublicKeySet()->selectKey('enc');
     if (null === $recipient_key) {
         return $token;
     }

     $encryption_headers = [
         'alg' => $client->get('id_token_encrypted_response_alg'),
         'enc' => $client->get('id_token_encrypted_response_enc'),
     ];

     return $this->getJWTCreator()->encrypt($token, $encryption_headers, $recipient_key);
 }
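 /**
  * {@inheritdoc}
  *
  * Fills the access token with a nested JWT: the payload prepared for the
  * token and the (optional) resource server is signed with the first key of
  * the signature key set, then the resulting JWS is encrypted with the first
  * key of the key-encryption key set and stored on the token.
  *
  * Fix: the second assertion re-checked $signature_key instead of
  * $encryption_key, so a missing encryption key was never reported with its
  * own message (the failure surfaced later inside encrypt()). It now guards
  * the key it describes.
  *
  * NOTE(review): both keys are taken by index (getKey(0)) and are not matched
  * against the algorithms in the prepared headers; confirm the key sets are
  * validated when they are configured.
  */
 public function populateAccessToken(AccessTokenInterface &$access_token, ClientInterface $client, ResourceOwnerInterface $resource_owner, RefreshTokenInterface $refresh_token = null, ClientInterface $resource_server = null)
 {
     $payload = $this->preparePayload($access_token, $resource_server);
     $signature_header = $this->prepareSignatureHeader();

     $signature_key = $this->signature_key_set->getKey(0);
     Assertion::notNull($signature_key, 'Unable to find a key to sign the Access Token. Please verify the selected key set contains suitable keys.');
     $encryption_key = $this->key_encryption_key_set->getKey(0);
     Assertion::notNull($encryption_key, 'Unable to find a key to encrypt the Access Token. Please verify the selected key set contains suitable keys.');

     // Sign first, then encrypt the JWS: the claims are only readable after decryption.
     $jwt = $this->getJWTCreator()->sign($payload, $signature_header, $signature_key);
     $encryption_header = $this->prepareEncryptionHeader($client, $resource_server);
     $jwt = $this->getJWTCreator()->encrypt($jwt, $encryption_header, $encryption_key);

     $access_token->setToken($jwt);
 }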
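 /**
  * {@inheritdoc}
  *
  * Builds the ID Token: the userinfo claims plus jti/iss/aud/iat/nbf/exp,
  * at_hash and c_hash when an access token or authorization code is issued
  * alongside, and auth_time/amr/acr copied from the user account when it has
  * them (last_login_at is renamed to auth_time). The claims are signed with a
  * key selected from the signature key set by use "sig" and the configured
  * algorithm; if the client has a public key set and declares
  * id_token_encrypted_response_alg/enc, the JWS is encrypted for the client's
  * first "enc" key.
  *
  * Fix: a single clock read ($now) is used for iat, nbf and the default exp,
  * so the three claims cannot disagree when the calls straddle a second
  * boundary (the original called time() three times).
  *
  * NOTE(review): $id_token_claims is merged last and therefore overrides any
  * of the standard claims above (iss, aud, exp, at_hash, ...). Only trusted,
  * server-generated claims must be passed here; if that cannot be guaranteed,
  * the merge order should be reversed. The "aud" claim contains the issuer in
  * addition to the client's public id — confirm this is intended.
  */
 public function createIdToken(ClientInterface $client, UserAccountInterface $user_account, $redirect_uri, $claims_locales, array $request_claims, array $scope, array $id_token_claims = [], AccessTokenInterface $access_token = null, AuthCodeInterface $auth_code = null)
 {
     $id_token = $this->createEmptyIdToken();
     $now = time();
     // When an access token is issued with the ID Token, share its expiry.
     $exp = null !== $access_token ? $access_token->getExpiresAt() : $now + $this->getLifetime($client);

     $userinfo = $this->getUserinfo()->getUserinfo($client, $user_account, $redirect_uri, $claims_locales, $request_claims, $scope);
     $claims = array_merge($userinfo, [
         'jti' => Base64Url::encode(random_bytes(25)),
         'iss' => $this->getIssuer(),
         'aud' => [$client->getPublicId(), $this->getIssuer()],
         'iat' => $now,
         'nbf' => $now,
         'exp' => $exp,
     ]);

     // at_hash / c_hash bind this ID Token to the access token / code issued with it.
     foreach (['at_hash' => $access_token, 'c_hash' => $auth_code] as $claim => $token) {
         if (null !== $token) {
             $claims[$claim] = $this->getHash($token->getToken());
         }
     }

     // Authentication-context claims carried by the user account.
     foreach (['last_login_at' => 'auth_time', 'amr' => 'amr', 'acr' => 'acr'] as $account_key => $claim) {
         if ($user_account->has($account_key)) {
             $claims[$claim] = $user_account->get($account_key);
         }
     }

     $signature_algorithm = $this->getSignatureAlgorithm();
     $headers = ['typ' => 'JWT', 'alg' => $signature_algorithm];
     $signature_key = $this->signature_key_set->selectKey('sig', $signature_algorithm);
     Assertion::notNull($signature_key, 'Unable to find a key to sign the ID Token. Please verify the selected key set contains suitable keys.');
     if ($signature_key->has('kid')) {
         $headers['kid'] = $signature_key->get('kid');
     }

     // Caller-supplied claims win over everything computed above (see NOTE above).
     if (!empty($id_token_claims)) {
         $claims = array_merge($claims, $id_token_claims);
     }

     $jwt = $this->jwt_creator->sign($claims, $headers, $signature_key);

     if ($client->hasPublicKeySet() && $client->has('id_token_encrypted_response_alg') && $client->has('id_token_encrypted_response_enc')) {
         $recipient_key = $client->getPublicKeySet()->selectKey('enc');
         if (null !== $recipient_key) {
             $encryption_headers = [
                 'typ' => 'JWT',
                 'jti' => Base64Url::encode(random_bytes(25)),
                 'alg' => $client->get('id_token_encrypted_response_alg'),
                 'enc' => $client->get('id_token_encrypted_response_enc'),
             ];
             $jwt = $this->jwt_creator->encrypt($jwt, $encryption_headers, $recipient_key);
         }
     }

     $id_token->setToken($jwt);
     $id_token->setExpiresAt($exp);
     $id_token->setClientPublicId($client->getPublicId());
     $id_token->setResourceOwnerPublicId($user_account->getUserPublicId());

     return $id_token;
 }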
 /**
  * {@inheritdoc}
  *
  * Turns on support for encrypted request objects. Request object support
  * must already be enabled, and the key set used to decrypt incoming
  * request objects must contain at least one key. When $require_encryption
  * is true the flag is stored so that unencrypted request objects can be
  * refused by the code that consults it.
  *
  * @param \Jose\Object\JWKSetInterface $key_encryption_key_set keys used to decrypt request objects
  * @param bool                         $require_encryption     whether request objects must be encrypted
  */
 public function enableEncryptedRequestObjectSupport(JWKSetInterface $key_encryption_key_set, $require_encryption)
 {
     Assertion::boolean($require_encryption);
     Assertion::true($this->isRequestObjectSupportEnabled(), 'Request object support must be enabled first.');
     $key_count = $key_encryption_key_set->countKeys();
     Assertion::greaterThan($key_count, 0, 'The encryption key set must have at least one key.');

     $this->require_encryption = $require_encryption;
     $this->key_encryption_key_set = $key_encryption_key_set;
 }
 /**
  * Rejects an empty key set.
  *
  * Only the key count is checked; nothing about the keys themselves
  * (type, "use", "alg") is validated here.
  *
  * @param \Jose\Object\JWKSetInterface $jwk_set
  */
 private function checkJWKSet(Object\JWKSetInterface $jwk_set)
 {
     $key_count = $jwk_set->countKeys();
     Assertion::greaterThan($key_count, 0, 'There is no key in the key set.');
 }
 /**
  * {@inheritdoc}
  *
  * Returns the key stored at $key_index in $jwk_set. The index must be an
  * integer; what getKey() returns for an index that is not present is left
  * to the key set implementation.
  */
 public static function createFromKeySet(JWKSetInterface $jwk_set, $key_index)
 {
     Assertion::integer($key_index);
     $selected = $jwk_set->getKey($key_index);

     return $selected;
 }
 /**
  * Serves the configured key set as PEM strings, JSON-encoded.
  *
  * The key set is converted with toPEM() and the resulting array is
  * returned in a 200 response with an application/json content type.
  *
  * NOTE(review): toPEM() renders whatever the set holds, so this action must
  * only be wired to a key set containing public keys — a set with private
  * keys would publish the private key material. The json_encode() result is
  * not checked for failure (it returns false on error).
  *
  * @return \Symfony\Component\HttpFoundation\Response
  */
 public function pemAction()
 {
     $pem_keys = $this->jwkset->toPEM();
     $body = json_encode($pem_keys);
     $response_headers = ['content-type' => 'application/json'];

     return new Response($body, Response::HTTP_OK, $response_headers);
 }
 /**
  * {@inheritdoc}
  *
  * Appends $key to the wrapped key set; no validation is performed here.
  */
 public function addKey(JWKInterface $key)
 {
     $set = $this->jwkset;
     $set->addKey($key);
 }