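/**
 * Fetches the JSON web key set from the `jwks_uri` parameter.
 *
 * When `$this->container['oauth']['jwks_uri']` is set, the document at that
 * URI is requested and decoded.  A body that decodes to a non-empty array
 * (JSON object or array) is stored in `$this->container['oauth']['jwks']`.
 * On an HTTP error, undecodable JSON, or a decoded value that is not a
 * non-empty array, the method returns without storing anything.
 *
 * @return void
 */
public function fetchJWKs() {
    if (!isset($this->container['oauth']['jwks_uri'])) {
        return;
    }

    $jwks_uri = $this->container['oauth']['jwks_uri'];

    // NOTE(review): the scheme of jwks_uri is not checked here, whereas
    // verifySectorIdentifier() in this file refuses anything but https.
    // Presumably the stored keys are later used to verify client signatures;
    // if so, a key set fetched over plain http can be replaced in transit.
    // Confirm whether https should be required at this point or at
    // registration time.
    $web = \Web::instance();
    $response = new HTTPResponse($web->request($jwks_uri, array(
        'headers' => array(
            'Accept' => 'application/jwk-set+json,application/json,text/plain,application/octet-stream'
        )
    )));

    if ($response->isHttpError()) {
        return;
    }

    $jwks = json_decode($response->getBody(), true);

    // The remote document is untrusted.  json_decode() also accepts bare
    // scalars ("abc", 42, true), which the previous loose `== NULL` test let
    // through for truthy values; only a non-empty decoded array is kept.
    if (!is_array($jwks) || count($jwks) === 0) {
        return;
    }

    $this->container['oauth']['jwks'] = $jwks;
}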
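/**
 * Verifies a sector identifier URI.
 *
 * This function retrieves the JSON document specified by `$sector_identifier_uri` and checks
 * whether the URIs in that document are exactly the URIs in `$expected_redirect_uris`
 * (neither list may contain a value the other lacks).
 *
 * Verification fails when the URI is not https, the document cannot be retrieved,
 * the body is not valid JSON, the decoded value is not a non-empty array of strings,
 * or the two sets of URIs differ.
 *
 * @param string $sector_identifier_uri the sector identifier URI
 * @param array $expected_redirect_uris an array of URIs that the document in `$sector_identifier_uri`
 * is expected to match
 * @return bool true if the sector identifier is verified
 */
protected function verifySectorIdentifier($sector_identifier_uri, $expected_redirect_uris) {
    $web = \Web::instance();

    // NOTE(review): per the log text, $sector_identifier_uri comes from a
    // dynamic client registration request, so it is requester-controlled.
    // It is written to the log as-is; confirm the logger neutralises control
    // characters such as line breaks.
    $this->logger->log(LogLevel::INFO, 'OAuth dynamic client registration request: verifying OpenID Connect sector_identifier_uri ' . $sector_identifier_uri);

    // parse_url() yields false/null for a malformed or scheme-less URI; the
    // strict comparison rejects those as well as any non-https scheme.
    if (parse_url($sector_identifier_uri, PHP_URL_SCHEME) !== 'https') {
        $this->logger->log(LogLevel::ERROR, 'Not https:' . $sector_identifier_uri);
        return false;
    }

    // NOTE(review): this is a server-side request to a requester-chosen
    // URL.  Whether \Web::request() follows redirects or restricts
    // internal/loopback destinations is not visible here - confirm.
    $response = new HTTPResponse($web->request($sector_identifier_uri, array(
        'headers' => array('Accept' => 'application/json')
    )));

    if ($response->isHttpError()) {
        $this->logger->log(LogLevel::ERROR, 'Cannot retrieve sector_identifier_uri:' . $sector_identifier_uri);
        return false;
    }

    $test_redirect_uris = json_decode($response->getBody(), true);

    if ($test_redirect_uris === null) {
        $this->logger->log(LogLevel::ERROR, 'Invalid sector_identifier_uri: not valid JSON');
        return false;
    }

    // The document must be a non-empty array of strings.  Without this check
    // a JSON scalar reached array_diff(): on PHP 7 that only warns and yields
    // NULL, count(NULL) is 0, and the comparison below reported "verified";
    // on PHP 8 it raises a TypeError instead of returning false.
    $well_formed = is_array($test_redirect_uris) && count($test_redirect_uris) > 0;
    if ($well_formed) {
        foreach ($test_redirect_uris as $uri) {
            if (!is_string($uri)) {
                $well_formed = false;
                break;
            }
        }
    }
    if (!$well_formed) {
        $this->logger->log(LogLevel::ERROR, 'Invalid sector_identifier_uri: not a JSON array of URIs');
        return false;
    }

    // Both directions are compared so that neither list may contain a URI
    // that is absent from the other.
    $missing = array_diff($expected_redirect_uris, $test_redirect_uris);
    $unexpected = array_diff($test_redirect_uris, $expected_redirect_uris);

    if (count($missing) > 0 || count($unexpected) > 0) {
        $this->logger->log(LogLevel::ERROR, 'Redirect URIs in sector_identifier_uri do not match redirect_uris');
        return false;
    }

    $this->logger->log(LogLevel::DEBUG, 'sector_identifier_uri verified');
    return true;
}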