/**
 * {@inheritdoc}
 *
 * Compares the audience carried by the token with the audience configured
 * on this checker, using strict (type and value) comparison.
 *
 * NOTE(review): a token that carries no audience value passes this check.
 * If audience binding is mandatory for the deployment, presence has to be
 * enforced elsewhere — confirm against the caller.
 *
 * @throws \Exception when an audience is present and differs from the configured one
 */
public function checkJWT(JWTInterface $jwt)
{
    $tokenAudience = $jwt->getAudience();

    // No audience on the token: nothing to compare.
    if (null === $tokenAudience) {
        return $this;
    }

    // Strict comparison, so a value of a different type never matches.
    if ($this->audience !== $tokenAudience) {
        throw new \Exception('Bad audience.');
    }

    return $this;
}
/**
 * {@inheritdoc}
 *
 * Rejects a token whose "not before" value lies after the current time.
 * A token without that value is accepted by this check.
 *
 * The comparison uses time() directly, with no allowance for clock skew.
 *
 * @throws \Exception when the current time is earlier than the not-before value
 */
public function checkJWT(JWTInterface $jwt)
{
    $notBefore = $jwt->getNotBefore();

    // Value absent: this checker has nothing to enforce.
    if (null === $notBefore) {
        return $this;
    }

    if (time() < $notBefore) {
        throw new \Exception('Can not use this JWT yet.');
    }

    return $this;
}
/**
 * {@inheritdoc}
 *
 * Rejects a token whose "issued at" value lies after the current time.
 * A token without that value is accepted by this check.
 *
 * The comparison uses time() directly, with no allowance for clock skew.
 *
 * @throws \Exception when the issued-at value is later than the current time
 */
public function checkJWT(JWTInterface $jwt)
{
    $issuedAt = $jwt->getIssuedAt();

    // Value absent: this checker has nothing to enforce.
    if (null === $issuedAt) {
        return $this;
    }

    if (time() < $issuedAt) {
        // Message text is kept exactly as callers may already match on it.
        throw new \Exception('The JWT is issued in the futur.');
    }

    return $this;
}
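/**
 * {@inheritdoc}
 *
 * Verifies that the issuer carried by the token is one of the issuers
 * configured on this checker. A token without an issuer value is accepted
 * by this check.
 *
 * NOTE(review): because an absent issuer passes, deployments that rely on
 * the issuer allow-list should also require the value to be present —
 * confirm where that is enforced.
 *
 * @throws \Exception when an issuer is present and is not in the allow-list
 */
public function checkJWT(JWTInterface $jwt)
{
    $iss = $jwt->getIssuer();

    // Strict membership test: the claim value comes from the token, and a
    // loose comparison lets a non-string value (for example boolean true)
    // compare equal to a configured issuer string.
    if (!is_null($iss) && !in_array($iss, $this->issuers, true)) {
        throw new \Exception('Issuer not allowed.');
    }

    return $this;
}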
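/**
 * {@inheritdoc}
 *
 * Verifies the subject carried by the token with isSubjectValid().
 * A token without a subject value is accepted by this check.
 *
 * @throws \Exception when a subject is present and isSubjectValid() rejects it
 */
public function checkJWT(JWTInterface $jwt)
{
    // The subject must be read here: passing the issuer to isSubjectValid()
    // would leave the actual subject value unchecked.
    $sub = $jwt->getSubject();

    if (!is_null($sub) && !$this->isSubjectValid($sub)) {
        throw new \Exception('Invalid subject.');
    }

    return $this;
}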
/**
 * {@inheritdoc}
 *
 * Rejects a token whose expiration time is earlier than the current time.
 * A token without an expiration time is accepted by this check.
 *
 * NOTE(review): a token with no expiration value never expires as far as
 * this checker is concerned; confirm whether presence is required elsewhere.
 *
 * @throws \Exception when the current time is later than the expiration time
 */
public function checkJWT(JWTInterface $jwt)
{
    $expiresAt = $jwt->getExpirationTime();

    // Value absent: this checker has nothing to enforce.
    if (null === $expiresAt) {
        return $this;
    }

    // Strictly greater: a token is still accepted at the exact expiry second.
    if (time() > $expiresAt) {
        throw new \Exception('The JWT has expired.');
    }

    return $this;
}
/**
 * {@inheritdoc}
 *
 * For every name listed as critical, requires that a value with that name
 * exists either in the header or in the payload.
 *
 * NOTE(review): only presence is verified here. Whether the listed
 * parameter is actually understood and processed is not checked by this
 * method — confirm that this is handled elsewhere.
 *
 * @throws \Exception when a name listed as critical has no header and no payload value
 */
public function checkJWT(JWTInterface $jwt)
{
    $criticalNames = $jwt->getCritical();

    // No critical list on the token: nothing to verify.
    if (null === $criticalNames) {
        return $this;
    }

    foreach ($criticalNames as $name) {
        // The header is consulted first; the payload only when the header has no value.
        if (null !== $jwt->getHeaderValue($name)) {
            continue;
        }
        if (null !== $jwt->getPayloadValue($name)) {
            continue;
        }

        throw new \Exception(sprintf("The claim/header '%s' is marked as critical but value is not set.", $name));
    }

    return $this;
}
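/**
 * Signs the payload for one signature instruction and returns the parts of
 * the resulting signature entry.
 *
 * The headers of the input and of the instruction are merged (instruction
 * values win on key collision), the algorithm is resolved from the complete
 * header, and the signing input is "<encoded protected header>.<payload>".
 *
 * @param \Jose\SignatureInstructionInterface $instruction
 * @param \Jose\JWTInterface                  $input
 * @param string                              $jwt_payload Payload segment placed after the dot in the signing input
 *
 * @throws \InvalidArgumentException if the key is not usable for signing or the protected header cannot be encoded
 *
 * @return array 'signature' is always set; 'protected' only when the protected header is not empty;
 *               'header' only when the unprotected header is not empty
 */
protected function computeSignature(SignatureInstructionInterface $instruction, JWTInterface $input, $jwt_payload)
{
    $key = $instruction->getKey();

    $protected_header = array_merge($input->getProtectedHeader(), $instruction->getProtectedHeader());
    $unprotected_header = array_merge($input->getUnprotectedHeader(), $instruction->getUnprotectedHeader());

    // The complete header is protected + unprotected; merging the protected
    // header with itself ignored every unprotected value.
    $complete_header = array_merge($protected_header, $unprotected_header);

    $jwt_protected_header = null;
    if (!empty($protected_header)) {
        $encoded_header = json_encode($protected_header);
        // Fail loudly: otherwise the signature would silently cover a
        // different protected header than the one requested.
        if (false === $encoded_header) {
            throw new \InvalidArgumentException('Unable to encode the protected header');
        }
        $jwt_protected_header = Base64Url::encode($encoded_header);
    }

    $signature_algorithm = $this->getSignatureAlgorithm($complete_header, $key);

    if (!$this->checkKeyUsage($key, 'signature')) {
        throw new \InvalidArgumentException('Key cannot be used to sign');
    }

    // With an empty protected header the signing input starts with the dot.
    $signature = $signature_algorithm->sign($key, $jwt_protected_header . '.' . $jwt_payload);

    $result = ['signature' => Base64Url::encode($signature)];

    // Test the encoded value: $protected_header is always an array, so a
    // null check on it emitted 'protected' => null for empty headers.
    if (!is_null($jwt_protected_header)) {
        $result['protected'] = $jwt_protected_header;
    }
    if (!empty($unprotected_header)) {
        $result['header'] = $unprotected_header;
    }

    return $result;
}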