/**
 * Sign $request in place with the SAuthc1 scheme using $apiKey.
 *
 * On return the request carries three (re)written headers: HOST_HEADER
 * (host[:port] of the resource URL), STORMPATH_DATE_HEADER (the signing
 * timestamp in TIMESTAMP_FORMAT) and AUTHORIZATION_HEADER (AUTHENTICATION_SCHEME
 * followed by the credential id, the signed-header list and the hex signature).
 * Any previous date/authorization headers are discarded first, so a request
 * that was signed before can be signed again. Nothing is returned.
 *
 * The API secret is only ever fed into the derived-key chain below; it is
 * never written into a header.
 *
 * @param Request $request request to sign; mutated through setHeaders()
 * @param ApiKey  $apiKey  credentials: the id goes into the header, the secret seeds the keys
 */
public function sign(Request $request, ApiKey $apiKey)
 {
     // NOTE(review): this changes the process-wide default timezone and never
     // restores it, so it leaks into everything that runs after sign() — confirm
     // callers expect that, or build the DateTime with an explicit DateTimeZone.
     date_default_timezone_set(self::TIME_ZONE);
     // One DateTime for both stamps so timeStamp and dateStamp describe the same instant.
     $date = new \DateTime();
     $timeStamp = $date->format(self::TIMESTAMP_FORMAT);
     $dateStamp = $date->format(self::DATE_FORMAT);
     // Per-request random nonce; it becomes part of the credential id and of the key derivation.
     $nonce = UUID::generate(UUID::UUID_RANDOM, UUID::FMT_STRING);
     $parsedUrl = parse_url($request->getResourceUrl());
     // SAuthc1 requires that we sign the Host header so we
     // have to have it in the request by the time we sign.
     $hostHeader = $parsedUrl['host'];
     if (!RequestUtils::isDefaultPort($parsedUrl)) {
         $hostHeader .= ':' . $parsedUrl['port'];
     }
     // Drop any stale date/authorization headers so they are neither signed nor kept.
     $requestHeaders = $request->getHeaders();
     unset($requestHeaders[self::STORMPATH_DATE_HEADER]);
     unset($requestHeaders[self::AUTHORIZATION_HEADER]);
     $requestHeaders[self::HOST_HEADER] = $hostHeader;
     $requestHeaders[self::STORMPATH_DATE_HEADER] = $timeStamp;
     // The headers must be on the request before the canonicalize*() /
     // getSignedHeaders() calls below read them back.
     $request->setHeaders($requestHeaders);
     $method = $request->getMethod();
     // NOTE(review): parse_url() omits 'path' for a URL without a path component —
     // confirm getResourceUrl() always includes one, or default it before canonicalizing.
     $canonicalResourcePath = $this->canonicalizeResourcePath($parsedUrl['path']);
     $canonicalQueryString = $this->canonicalizeQueryString($request);
     $canonicalHeaderString = $this->canonicalizeHeaders($request);
     $signedHeadersString = $this->getSignedHeaders($request);
     // The body hash (hex) is bound into the canonical request, so a modified payload invalidates the signature.
     $requestPayloadHashHex = $this->toHex($this->hashText($this->getRequestPayload($request)));
     // Canonical request, one component per line: method, path, query, headers, signed-header list, payload hash.
     $canonicalRequest = $method . self::NL . $canonicalResourcePath . self::NL . $canonicalQueryString . self::NL . $canonicalHeaderString . self::NL . $signedHeadersString . self::NL . $requestPayloadHashHex;
     // Credential id: key id / date / nonce / ID_TERMINATOR. It is sent in clear in the Authorization header.
     $id = $apiKey->getId() . '/' . $dateStamp . '/' . $nonce . '/' . self::ID_TERMINATOR;
     $canonicalRequestHashHex = $this->toHex($this->hashText($canonicalRequest));
     // String to sign: algorithm, timestamp, credential id, hash of the canonical request.
     $stringToSign = self::ALGORITHM . self::NL . $timeStamp . self::NL . $id . self::NL . $canonicalRequestHashHex;
     // SAuthc1 uses a series of derived keys, formed by hashing different pieces of data
     // kSecret -> kDate -> kNonce -> kSigning: each step keys internalSign() with the previous result,
     // so the raw secret is used exactly once and only through this chain.
     $kSecret = $this->toUTF8(self::AUTHENTICATION_SCHEME . $apiKey->getSecret());
     $kDate = $this->internalSign($dateStamp, $kSecret, self::DEFAULT_ALGORITHM);
     $kNonce = $this->internalSign($nonce, $kDate, self::DEFAULT_ALGORITHM);
     $kSigning = $this->internalSign(self::ID_TERMINATOR, $kNonce, self::DEFAULT_ALGORITHM);
     $signature = $this->internalSign($this->toUTF8($stringToSign), $kSigning, self::DEFAULT_ALGORITHM);
     $signatureHex = $this->toHex($signature);
     // Authorization value: AUTHENTICATION_SCHEME, then the SAUTHC1_ID, SAUTHC1_SIGNED_HEADERS
     // and SAUTHC1_SIGNATURE name/value pairs separated by ', '.
     $authorizationHeader = self::AUTHENTICATION_SCHEME . ' ' . $this->createNameValuePair(self::SAUTHC1_ID, $id) . ', ' . $this->createNameValuePair(self::SAUTHC1_SIGNED_HEADERS, $signedHeadersString) . ', ' . $this->createNameValuePair(self::SAUTHC1_SIGNATURE, $signatureHex);
     // $requestHeaders already holds the Host and date headers set above; add the
     // signature and write the final header set back to the request.
     $requestHeaders[self::AUTHORIZATION_HEADER] = $authorizationHeader;
     $request->setHeaders($requestHeaders);
 }
 /**
  * Produce a fresh nonce.
  *
  * Each call yields a new random (version 4) UUID, as returned by UUID::v4().
  *
  * @return string
  */
 public static function generateNonce()
 {
     $freshNonce = UUID::v4();

     return $freshNonce;
 }
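 /**
  * Generate the url for ID Site.
  *
  * Builds a JWT ("jwtRequest") from the caller's options, signs it with the
  * API key secret from the data store, and returns the ID Site SSO URL (or the
  * SSO logout URL) that carries the token as a query parameter. The host of
  * that URL comes from this object's own href, never from $options.
  *
  * Recognised $options keys:
  *  - callbackUri (required): where ID Site sends the user back (claim 'cb_uri').
  *  - state (optional): opaque value echoed back to the callback; defaults to ''.
  *  - path (optional): ID Site path to open; defaults to '/'.
  *  - organizationNameKey (optional): claim 'onk'.
  *  - showOrganizationField (optional, truthy): sets claim 'sof' = true.
  *  - useSubDomain (optional, truthy): sets claim 'usd' = true.
  *  - logout (optional, truthy): target the /sso/logout endpoint instead of /sso.
  *
  * @param array $options
  * @return string
  * @throws InvalidCallbackUriException when 'callbackUri' is missing
  */
 public function createIdSiteUrl(array $options = [])
 {
     if (!isset($options['callbackUri'])) {
         throw new InvalidCallbackUriException('Please provide a \'callbackUri\' in the $options array.');
     }

     // The redirect host is derived from our own href so the caller cannot steer it.
     $p = parse_url($this->href);
     $base = $p['scheme'] . '://' . $p['host'];

     // Fetch the key once; id becomes the issuer, secret signs the token.
     $apiKey = $this->getDataStore()->getApiKey();
     $apiId = $apiKey->getId();
     $apiSecret = $apiKey->getSecret();

     $token = [
         'jti' => UUID::v4(),
         'iat' => microtime(true),
         'iss' => $apiId,
         'sub' => $this->href,
         'state' => isset($options['state']) ? $options['state'] : '',
         'path' => isset($options['path']) ? $options['path'] : '/',
         'cb_uri' => $options['callbackUri'],
     ];
     if (isset($options['organizationNameKey'])) {
         $token['onk'] = $options['organizationNameKey'];
     }
     // Boolean flags are honoured by value: passing false leaves the claim out
     // (a bare isset() check would turn it on for any non-null value, including false).
     if (!empty($options['showOrganizationField'])) {
         $token['sof'] = true;
     }
     if (!empty($options['useSubDomain'])) {
         $token['usd'] = true;
     }

     // Signed with the API key secret; ID Site verifies it on its side.
     $jwt = JWT::encode($token, $apiSecret);

     $redirectUrl = $base . '/sso';
     if (!empty($options['logout'])) {
         $redirectUrl .= '/logout';
     }

     return $redirectUrl . "?jwtRequest={$jwt}";
 }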
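 /**
  * Build an ID Site style "jwtResponse" callback URL for self::$account.
  *
  * Presumably a test-side helper (it relies on self::$account and the Client
  * singleton — confirm): it mimics what ID Site sends back after a login, i.e. a
  * JWT issued by 'https://stormpath.com' for the account, signed with the
  * client's API key secret and appended as the jwtResponse query parameter.
  * The token expires 60 seconds after issue.
  *
  * @return string
  */
 protected function generateResponseUrl()
 {
     // Read the clock once so 'iat' and 'exp' are computed from the same instant;
     // two separate time() calls could straddle a second boundary.
     $now = time();

     // Claim order is kept as before so the encoded payload is unchanged.
     $jwt = [
         'iss' => 'https://stormpath.com',
         'sub' => self::$account->href,
         'aud' => UUID::v4(),
         'exp' => $now + 60,
         'iat' => $now,
         'jti' => UUID::v4(),
         'irt' => UUID::v4(),
         'state' => '',
         'isNewSub' => false,
         'status' => 'AUTHENTICATED',
     ];

     $apiSecret = Client::getInstance()->getDataStore()->getApiKey()->getSecret();
     $token = JWT::encode($jwt, $apiSecret);

     return 'https://stormpath.com?jwtResponse=' . $token;
 }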