public function checkCallbackSignature($token, $tokenId)
{
try {
$parser = new Parser();
$token = $parser->parse((string) $token);
} catch (\RuntimeException $exception) {
throw new Exception\InvalidToken();
}
$validation = new ValidationData();
$validation->setIssuer($this->gatewayUrl);
$validation->setAudience($this->key);
$validation->setId($tokenId);
if (!$token->validate($validation)) {
throw new Exception\TokenValidationFailed();
}
if (!$token->verify(new Sha256(), $this->secret)) {
throw new Exception\TokenVerificationFailed();
}
if (!$token->hasClaim('sub')) {
throw new Exception\SubjectClaimMissing();
}
$this->username = $token->getClaim('sub');
if (!$token->hasClaim('pass')) {
throw new Exception\PassClaimMissing();
}
$this->pass = $token->getClaim('pass');
}
/**
* @param string $token
* @return ParsedToken
* @throws InvalidException if token can't be parsed
*/
protected function getParsedToken($token)
{
try {
return $this->parser->parse((string) $token);
} catch (\InvalidArgumentException $e) {
throw new InvalidException('Could not parse token: ' . $e->getMessage(), InvalidException::CODE_TOKEN_INVALID, $e);
}
}
/**
* @param StringLiteral $tokenString
* @return Jwt
*/
public function parse(StringLiteral $tokenString)
{
try {
return $this->parser->parse($tokenString->toNative());
} catch (\InvalidArgumentException $e) {
throw new JwtParserException($e);
}
}
/**
* @param string $token
* @return ParsedToken
* @throws InvalidException if token can't be parsed
*/
protected function getParsedToken($token)
{
try {
return $this->parser->parse((string) $token);
} catch (\InvalidArgumentException $e) {
throw InvalidException::tokenUnparseable($token, $e);
}
}
/**
* @param Request $request
* @return Token
*/
public function extractTokenFromRequest(Request $request) : Token
{
foreach ($this->extractors as $extractor) {
if ($extractor->canHandle($request)) {
$token = $extractor->extract($request);
return $this->jwtParser->parse($token);
}
}
throw new BadCredentialsException('No Auth Token found.');
}
public function authenticate($token, Signer $signer, $key)
{
try {
$token = $this->parser->parse($token);
} catch (\InvalidArgumentException $e) {
throw new UnrecognizedToken();
}
if (!$token->verify($signer, $key)) {
throw new InvalidSignature();
}
}
/**
* [Return the value of a token the request].
*
* @param string $token
*
* @return Lcobucci\JWT\Token
*/
public function decodeToken($token)
{
try {
$parser = new Parser();
if (!($token = $parser->parse((string) $token))) {
throw new Exception('Token inválido');
}
return $token;
} catch (Exception $e) {
abort(401, 'Favor efetuar o login novamente');
}
}
/**
* validate token
*
* @param [string] $tokenString
* @param [string] $socketId
* @return [boolean]
*/
private function validateToken($tokenString)
{
//
$parser = new Parser();
// data of validator
// add time for experitation
$validatorData = new ValidationData();
$validatorData->setCurrentTime(time());
// getting token for JWT
$token = $parser->parse((string) $tokenString);
return $token->validate($validatorData);
}
protected function validTokenFromStr($tokenStr)
{
if (!empty($tokenStr)) {
$token = $this->parser->parse($tokenStr);
if ($token->verify(new $this->signer(), $this->secret)) {
return $token;
}
}
return null;
}
/**
* @test
*/
public function it_can_verify_a_token_signature()
{
$this->assertTrue($this->decoderService->verifySignature($this->parser->parse($this->tokenString)));
// Change one of the claims, but keep the original header and
// signature.
$manipulatedClaims = $this->tokenClaimsAsValueObjects;
$manipulatedClaims['uid'] = new Basic('uid', '0');
$encoder = new Encoder();
$manipulatedPayload = $this->payload;
$manipulatedPayload[1] = $encoder->base64UrlEncode($encoder->jsonEncode($manipulatedClaims));
// Re-create the token string using the original header and signature,
// but with manipulated claims.
$manipulatedTokenString = implode('.', $manipulatedPayload);
$this->assertFalse($this->decoderService->verifySignature($this->parser->parse($manipulatedTokenString)));
}
/**
* Extract the token from the given request object
*
* @param Request $request
*
* @return Token|null
*/
private function parseToken(Request $request)
{
$cookies = $request->getCookieParams();
$cookieName = $this->defaultCookie->getName();
if (!isset($cookies[$cookieName])) {
return null;
}
try {
$token = $this->tokenParser->parse($cookies[$cookieName]);
} catch (\InvalidArgumentException $invalidToken) {
return null;
}
if (!$token->validate(new ValidationData())) {
return null;
}
return $token;
}
public function authenticate()
{
// parse response
$code = null;
$state = null;
if (isset($_GET['error'])) {
throw new \Exception('Response from Authorization Server: ' . $_GET['error']);
}
if (isset($_GET['code'])) {
$code = $_GET['code'];
}
if (isset($_GET['state'])) {
$state = $_GET['state'];
}
$existingState = $this->getStateSession();
if ($existingState !== $state) {
throw new \Exception('Broken authorization flow - state mismatch');
}
if ($code === null) {
throw new \Exception('"code" param has not been received from Authorization Server');
}
$authorizationCode = $this->requestTokens($code);
if (isset($authorizationCode->error)) {
throw new \Exception($authorizationCode->error_description);
}
if (!isset($authorizationCode->id_token)) {
throw new \Exception('id_token has not been received from Authorization Server');
}
$tmpimpl = count(explode('.', $authorizationCode->id_token));
if ($tmpimpl != 3 && $tmpimpl != 5) {
throw new \Exception('Incorrect id_token received from Authorization Server');
}
if ($tmpimpl == 5) {
throw new \Exception('Encrypted JWT is not supported yet');
}
$parser = new Lcobucci\JWT\Parser();
$token = $parser->parse($authorizationCode->id_token);
$alg = $token->getHeader('alg');
if ($alg !== 'RS256') {
throw new \Exception('Only alg RS256 is accepted');
}
$kid = $token->getHeader('kid');
$validationData = new Lcobucci\JWT\ValidationData();
$validationData->setIssuer($this->getProviderURL());
$validationData->setAudience($this->clientID);
$isValidToken = $token->validate($validationData);
if (!$isValidToken) {
throw new \Exception('Received "id_token" is not valid - propbably expired');
}
// verify sig
$jwks_uri = $this->getOPConfigValue('jwks_uri');
$jwks_body = $this->runHttpRequest($jwks_uri);
$this->jwks = json_decode($jwks_body, true);
if (!is_array($this->jwks) || !array_key_exists('keys', $this->jwks)) {
throw new \Exception('JWKS not found, cannot verify signature');
}
$keyVer = null;
foreach ($this->jwks['keys'] as $key => $val) {
if ($val['kid'] === $kid && $val['use'] === 'sig') {
$keyVer = $this->jwks['keys'][$key];
break;
}
}
if ($keyVer === null) {
throw new \Exception('JWK not found, cannot verify signature');
}
$jwkObj = new Jwk($keyVer);
$signer = new Lcobucci\JWT\Signer\Rsa\Sha256();
$keychain = new Lcobucci\JWT\Signer\Keychain();
$sigValid = $token->verify($signer, $keychain->getPublicKey($jwkObj->toKey()));
if ($sigValid !== true) {
throw new \Exception('Received "id_token" is not valid. Signature validation failed');
}
/**
* @var Lcobucci\JWT\Claim\Basic[] $claimsObj
*/
$claimsObj = $token->getClaims();
$claims = array();
foreach ($claimsObj as $cl) {
if ($cl instanceof Lcobucci\JWT\Claim\Basic) {
$claims['' . $cl->getName() . ''] = $cl->getValue();
}
}
$claims['iss'] = $token->getClaim('iss');
unset($_SESSION['joidc_once']);
unset($_SESSION['joidc_state']);
unset($_SESSION['joidc_issuer']);
return $claims;
}
/**
* @param array $payload
*/
protected function revokeOtherAccessTokens(array $payload)
{
$token = $this->tokens->find($tokenId = $this->jwt->parse($payload['access_token'])->getClaim('jti'));
$this->tokens->revokeOtherAccessTokens($token->client_id, $token->user_id, $tokenId, Passport::$pruneRevokedTokens);
}
