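/**
 * {@inheritdoc}
 *
 * Builds, signs and (when the client registered JWE parameters) encrypts an ID Token.
 *
 * The registered claims (jti, iss, aud, iat, nbf, exp) are layered over the userinfo
 * claims, then at_hash / c_hash when the matching token is given, then auth_time / amr /
 * acr when the user account carries them. The signing key comes from the configured
 * signature key set; its "kid" is copied into the JWS header when present.
 *
 * NOTE(review): $id_token_claims is merged last and therefore overrides any registered
 * claim above (iss, aud, exp, at_hash, ...). Only trusted, server-generated values must be
 * passed through it; where it is populated is not visible here — confirm against callers.
 *
 * @param ClientInterface           $client          Client the token is issued to; its public id becomes an "aud" entry.
 * @param UserAccountInterface      $user_account    Resource owner the token describes.
 * @param mixed                     $redirect_uri    Passed through to the userinfo claim source.
 * @param mixed                     $claims_locales  Passed through to the userinfo claim source.
 * @param array                     $request_claims  Passed through to the userinfo claim source.
 * @param array                     $scope           Granted scope, passed through to the userinfo claim source.
 * @param array                     $id_token_claims Extra claims merged into the payload (see note above).
 * @param AccessTokenInterface|null $access_token    When given, its expiry becomes "exp" and an "at_hash" claim is added.
 * @param AuthCodeInterface|null    $auth_code       When given, a "c_hash" claim is added.
 *
 * @return mixed The object returned by createEmptyIdToken(), populated with the serialized JWT, expiry, client id and resource owner id.
 */
public function createIdToken(ClientInterface $client, UserAccountInterface $user_account, $redirect_uri, $claims_locales, array $request_claims, array $scope, array $id_token_claims = [], AccessTokenInterface $access_token = null, AuthCodeInterface $auth_code = null)
{
    $id_token = $this->createEmptyIdToken();

    // Sample the clock once so iat and nbf cannot straddle a second boundary.
    $now = time();

    // An ID Token issued alongside an access token shares its lifetime;
    // otherwise the client's configured ID Token lifetime applies.
    $exp = null !== $access_token ? $access_token->getExpiresAt() : $now + $this->getLifetime($client);

    $claims = array_merge(
        $this->getUserinfo()->getUserinfo($client, $user_account, $redirect_uri, $claims_locales, $request_claims, $scope),
        [
            'jti' => Base64Url::encode(random_bytes(25)),
            'iss' => $this->getIssuer(),
            'aud' => [$client->getPublicId(), $this->getIssuer()],
            'iat' => $now,
            'nbf' => $now,
            'exp' => $exp,
        ]
    );

    // Hash claims that bind this ID Token to the access token / authorization code issued with it.
    foreach (['at_hash' => $access_token, 'c_hash' => $auth_code] as $hash_claim => $token) {
        if (null !== $token) {
            $claims[$hash_claim] = $this->getHash($token->getToken());
        }
    }

    // Authentication context claims, copied from the user account when it carries them.
    foreach (['last_login_at' => 'auth_time', 'amr' => 'amr', 'acr' => 'acr'] as $account_key => $claim) {
        if ($user_account->has($account_key)) {
            $claims[$claim] = $user_account->get($account_key);
        }
    }

    if (!empty($id_token_claims)) {
        $claims = array_merge($claims, $id_token_claims);
    }

    $signature_algorithm = $this->getSignatureAlgorithm();
    $signature_key = $this->signature_key_set->selectKey('sig', $signature_algorithm);
    Assertion::notNull($signature_key, 'Unable to find a key to sign the ID Token. 
Please verify the selected key set contains suitable keys.');

    $jws_headers = ['typ' => 'JWT', 'alg' => $signature_algorithm];
    if ($signature_key->has('kid')) {
        $jws_headers['kid'] = $signature_key->get('kid');
    }
    $jwt = $this->jwt_creator->sign($claims, $jws_headers, $signature_key);

    // Nested JWT: wrap the JWS in a JWE when the client registered both JWE
    // parameters and publishes a key set containing a usable encryption key.
    if ($client->hasPublicKeySet() && $client->has('id_token_encrypted_response_alg') && $client->has('id_token_encrypted_response_enc')) {
        $encryption_algorithm = $client->get('id_token_encrypted_response_alg');
        // Select a key compatible with the registered key-management algorithm,
        // mirroring how the signing key is selected above; a key that merely has
        // use=enc may not fit the algorithm.
        $encryption_key = $client->getPublicKeySet()->selectKey('enc', $encryption_algorithm);
        if (null !== $encryption_key) {
            $jwe_headers = [
                'typ' => 'JWT',
                // RFC 7519 §5.2: "cty" MUST be "JWT" when the JWE payload is itself a JWT,
                // so the recipient knows to unwrap and verify the inner JWS.
                'cty' => 'JWT',
                'jti' => Base64Url::encode(random_bytes(25)),
                'alg' => $encryption_algorithm,
                'enc' => $client->get('id_token_encrypted_response_enc'),
            ];
            $jwt = $this->jwt_creator->encrypt($jwt, $jwe_headers, $encryption_key);
        }
    }

    $id_token->setToken($jwt);
    $id_token->setExpiresAt($exp);
    $id_token->setClientPublicId($client->getPublicId());
    $id_token->setResourceOwnerPublicId($user_account->getUserPublicId());

    return $id_token;
}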
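/**
 * Builds the claim set of a JWT-formatted access token.
 *
 * The audience always contains the issuer and, when a resource server is given, its
 * public id as well. "exp" is only emitted when the access token carries a non-zero
 * expiry: emitting exp=0 would make every consumer treat the token as expired at the
 * epoch, which is clearly not what the zero-expiry guard below intends.
 *
 * NOTE(review): the payload embeds the refresh token ("refresh_token"), the token
 * metadata ("metadatas") and the raw token parameters ("other"). An access token is
 * presented to resource servers, so everything placed here is readable by them (and by
 * anyone holding the token) unless the JWT is additionally encrypted — confirm that
 * disclosing the refresh token to resource servers is intended.
 *
 * @param \OAuth2\Token\AccessTokenInterface  $access_token    Access token to serialise.
 * @param \OAuth2\Client\ClientInterface|null $resource_server Resource server to add to the "aud" claim.
 *
 * @return array
 */
protected function preparePayload(AccessTokenInterface $access_token, ClientInterface $resource_server = null)
{
    // Sample the clock once so iat and nbf cannot straddle a second boundary.
    $now = time();

    $aud = [$this->getIssuer()];
    if (null !== $resource_server) {
        // Previously appended to $access_token instead of $aud, so the resource
        // server never made it into the audience (and the append itself would
        // fault on a non-ArrayAccess token object).
        $aud[] = $resource_server->getPublicId();
    }

    $payload = [
        'jti' => Base64Url::encode(random_bytes(25)),
        'iss' => $this->getIssuer(),
        'aud' => $aud,
        'iat' => $now,
        'nbf' => $now,
        'sub' => $access_token->getClientPublicId(),
        'token_type' => $access_token->getTokenTypeParameter('token_type'),
        'scp' => $access_token->getScope(),
        'resource_owner' => $access_token->getResourceOwnerPublicId(),
        'user_account' => $access_token->getUserAccountPublicId(),
        'metadatas' => $access_token->getMetadatas(),
    ];

    // A zero expiry means "no expiry": omit the claim rather than emit exp=0.
    $expires_at = $access_token->getExpiresAt();
    if (0 !== $expires_at) {
        $payload['exp'] = $expires_at;
    }

    $parameters = $access_token->getParameters();
    if (!empty($parameters)) {
        //This part should be updated to support 'cnf' (confirmation) claim (see POP).
        $payload['other'] = $parameters;
    }

    if (null !== $access_token->getRefreshToken()) {
        $payload['refresh_token'] = $access_token->getRefreshToken();
    }

    return $payload;
}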