Esempio n. 1
0
 /**
  * Verifies the id token, returns the verified token contents.
  *
  * @param $jwt string the token
  * @param $certs array of certificates
  * @param $required_audience string the expected consumer of the token
  * @param [$issuer] the expected issues, defaults to Google
  * @param [$max_expiry] the max lifetime of a token, defaults to MAX_TOKEN_LIFETIME_SECS
  * @throws W3TCG_Google_Auth_Exception
  * @return mixed token information if valid, false if not
  */
 public function verifySignedJwtWithCerts($jwt, $certs, $required_audience, $issuer = null, $max_expiry = null)
 {
     if (!$max_expiry) {
         // Set the maximum time we will accept a token for.
         $max_expiry = self::MAX_TOKEN_LIFETIME_SECS;
     }
     $segments = explode(".", $jwt);
     if (count($segments) != 3) {
         throw new W3TCG_Google_Auth_Exception("Wrong number of segments in token: {$jwt}");
     }
     $signed = $segments[0] . "." . $segments[1];
     $signature = W3TCG_Google_Utils::urlSafeB64Decode($segments[2]);
     // Parse envelope.
     $envelope = json_decode(W3TCG_Google_Utils::urlSafeB64Decode($segments[0]), true);
     if (!$envelope) {
         throw new W3TCG_Google_Auth_Exception("Can't parse token envelope: " . $segments[0]);
     }
     // Parse token
     $json_body = W3TCG_Google_Utils::urlSafeB64Decode($segments[1]);
     $payload = json_decode($json_body, true);
     if (!$payload) {
         throw new W3TCG_Google_Auth_Exception("Can't parse token payload: " . $segments[1]);
     }
     // Check signature
     $verified = false;
     foreach ($certs as $keyName => $pem) {
         $public_key = new W3TCG_Google_Verifier_Pem($pem);
         if ($public_key->verify($signed, $signature)) {
             $verified = true;
             break;
         }
     }
     if (!$verified) {
         throw new W3TCG_Google_Auth_Exception("Invalid token signature: {$jwt}");
     }
     // Check issued-at timestamp
     $iat = 0;
     if (array_key_exists("iat", $payload)) {
         $iat = $payload["iat"];
     }
     if (!$iat) {
         throw new W3TCG_Google_Auth_Exception("No issue time in token: {$json_body}");
     }
     $earliest = $iat - self::CLOCK_SKEW_SECS;
     // Check expiration timestamp
     $now = time();
     $exp = 0;
     if (array_key_exists("exp", $payload)) {
         $exp = $payload["exp"];
     }
     if (!$exp) {
         throw new W3TCG_Google_Auth_Exception("No expiration time in token: {$json_body}");
     }
     if ($exp >= $now + $max_expiry) {
         throw new W3TCG_Google_Auth_Exception(sprintf("Expiration time too far in future: %s", $json_body));
     }
     $latest = $exp + self::CLOCK_SKEW_SECS;
     if ($now < $earliest) {
         throw new W3TCG_Google_Auth_Exception(sprintf("Token used too early, %s < %s: %s", $now, $earliest, $json_body));
     }
     if ($now > $latest) {
         throw new W3TCG_Google_Auth_Exception(sprintf("Token used too late, %s > %s: %s", $now, $latest, $json_body));
     }
     $iss = $payload['iss'];
     if ($issuer && $iss != $issuer) {
         throw new W3TCG_Google_Auth_Exception(sprintf("Invalid issuer, %s != %s: %s", $iss, $issuer, $json_body));
     }
     // Check audience
     $aud = $payload["aud"];
     if ($aud != $required_audience) {
         throw new W3TCG_Google_Auth_Exception(sprintf("Wrong recipient, %s != %s:", $aud, $required_audience, $json_body));
     }
     // All good.
     return new W3TCG_Google_Auth_LoginTicket($envelope, $payload);
 }