/** * Verifies the id token, returns the verified token contents. * * @param $jwt string the token * @param $certs array of certificates * @param $required_audience string the expected consumer of the token * @param [$issuer] the expected issues, defaults to Google * @param [$max_expiry] the max lifetime of a token, defaults to MAX_TOKEN_LIFETIME_SECS * @throws Exception * @return mixed token information if valid, false if not */ public function verifySignedJwtWithCerts($jwt, $certs, $required_audience, $issuer = null, $max_expiry = null) { if (!$max_expiry) { // Set the maximum time we will accept a token for. $max_expiry = self::MAX_TOKEN_LIFETIME_SECS; } $segments = explode(".", $jwt); if (count($segments) != 3) { throw new Exception("Wrong number of segments in token: {$jwt}"); } $signed = $segments[0] . "." . $segments[1]; $signature = Utils::urlSafeB64Decode($segments[2]); // Parse envelope. $envelope = json_decode(Utils::urlSafeB64Decode($segments[0]), true); if (!$envelope) { throw new Exception("Can't parse token envelope: " . $segments[0]); } // Parse token $json_body = Utils::urlSafeB64Decode($segments[1]); $payload = json_decode($json_body, true); if (!$payload) { throw new Exception("Can't parse token payload: " . $segments[1]); } // Check signature $verified = false; foreach ($certs as $keyName => $pem) { $public_key = new Pem($pem); if ($public_key->verify($signed, $signature)) { $verified = true; break; } } if (!$verified) { throw new Exception("Invalid token signature: {$jwt}"); } // Check issued-at timestamp $iat = 0; if (array_key_exists("iat", $payload)) { $iat = $payload["iat"]; } if (!$iat) { throw new Exception("No issue time in token: {$json_body}"); } $earliest = $iat - self::CLOCK_SKEW_SECS; // Check expiration timestamp $now = time(); $exp = 0; if (array_key_exists("exp", $payload)) { $exp = $payload["exp"]; } if (!$exp) { throw new Exception("No expiration time in token: {$json_body}"); } if ($exp >= $now + $max_expiry) { throw new Exception(sprintf("Expiration time too far in future: %s", $json_body)); } $latest = $exp + self::CLOCK_SKEW_SECS; if ($now < $earliest) { throw new Exception(sprintf("Token used too early, %s < %s: %s", $now, $earliest, $json_body)); } if ($now > $latest) { throw new Exception(sprintf("Token used too late, %s > %s: %s", $now, $latest, $json_body)); } // support HTTP and HTTPS issuers // @see https://developers.google.com/identity/sign-in/web/backend-auth $iss = $payload['iss']; if ($issuer && !in_array($iss, (array) $issuer)) { throw new Exception(sprintf("Invalid issuer, %s not in %s: %s", $iss, "[" . implode(",", (array) $issuer) . "]", $json_body)); } // Check audience $aud = $payload["aud"]; if ($aud != $required_audience) { throw new Exception(sprintf("Wrong recipient, %s != %s:", $aud, $required_audience, $json_body)); } // All good. return new LoginTicket($envelope, $payload); }
/** * @param array $headers The HTTP request headers * to be set and normalized. */ public function setRequestHeaders($headers) { $headers = Utils::normalize($headers); if ($this->requestHeaders) { $headers = array_merge($this->requestHeaders, $headers); } $this->requestHeaders = $headers; }