/** @dataProvider provideClientCredentials */
public function testInvalidJwtHeader($client_id, $client_key)
{
$jwtUtil = new Jwt();
$params = array('iss' => $client_id, 'exp' => time() + 1000, 'iat' => time(), 'sub' => '*****@*****.**', 'aud' => 'http://myapp.com/oauth/auth', 'scope' => null);
// testing for algorithm tampering when only RSA256 signing is allowed
// @see https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
$tampered = $jwtUtil->encode($params, $client_key, 'HS256');
$payload = $jwtUtil->decode($tampered, $client_key, array('RS256'));
$this->assertFalse($payload);
}
/**
* Generate a JWT
*
* @param $privateKey The private key to use to sign the token
* @param $iss The issuer, usually the client_id
* @param $sub The subject, usually a user_id
* @param $aud The audience, usually the URI for the oauth server
* @param $exp The expiration date. If the current time is greater than the exp, the JWT is invalid
* @param $nbf The "not before" time. If the current time is less than the nbf, the JWT is invalid
* @param $jti The "jwt token identifier", or nonce for this JWT
*
* @return string
*/
function generateJWT($privateKey, $iss, $sub, $aud, $exp = null, $nbf = null, $jti = null)
{
if (!$exp) {
$exp = time() + 1000;
}
$params = array('iss' => $iss, 'sub' => $sub, 'aud' => $aud, 'exp' => $exp, 'iat' => time());
if ($nbf) {
$params['nbf'] = $nbf;
}
if ($jti) {
$params['jti'] = $jti;
}
$jwtUtil = new Jwt();
return $jwtUtil->encode($params, $privateKey, 'RS256');
}
/**
* Generate a JWT
* http://bshaffer.github.io/oauth2-server-php-docs/grant-types/jwt-bearer/
*
* @param $privateKey The private key to use to sign the token
* @param $iss The issuer, usually the client_id
* @param $sub The subject, usually a user_id
* @param $aud The audience, usually the URI for the oauth server
* @param $exp The expiration date. If the current time is greater than the exp, the JWT is invalid
* @param $nbf The "not before" time. If the current time is less than the nbf, the JWT is invalid
* @param $jti The "jwt token identifier", or nonce for this JWT
*
* @return string
*/
public function generate($privateKey, $iss, $sub, $aud, $exp = null, $nbf = null, $jti = null)
{
if (!class_exists('OAuth2\\Encryption\\Jwt')) {
throw new Exception('bshaffer/oauth2-server-php is required to generate a JWT');
}
if (!$exp) {
$exp = time() + 300;
}
$params = array('iss' => $iss, 'sub' => $sub, 'aud' => $aud, 'exp' => $exp, 'iat' => time());
if ($nbf) {
$params['nbf'] = $nbf;
}
if ($jti) {
$params['jti'] = $jti;
}
$jwtUtil = new ServerJwt();
return $jwtUtil->encode($params, $privateKey, 'RS256');
}
private function extractTokenDataFromResponse(Response $response)
{
$this->assertEquals($response->getStatusCode(), 302);
$location = $response->getHttpHeader('Location');
$this->assertNotContains('error', $location);
$parts = parse_url($location);
$this->assertArrayHasKey('fragment', $parts);
$this->assertFalse(isset($parts['query']));
parse_str($parts['fragment'], $params);
$this->assertNotNull($params);
$this->assertArrayHasKey('id_token', $params);
$this->assertArrayNotHasKey('access_token', $params);
list($headb64, $payloadb64, $signature) = explode('.', $params['id_token']);
$jwt = new Jwt();
$header = json_decode($jwt->urlSafeB64Decode($headb64), true);
$payload = json_decode($jwt->urlSafeB64Decode($payloadb64), true);
return array($header, $payload, $signature);
}
/** @dataProvider provideStorage */
public function testSetAccessToken($storage)
{
if (!$storage instanceof PublicKey) {
// incompatible storage
return;
}
$crypto = new jwtAccessToken($storage);
$publicKeyStorage = Bootstrap::getInstance()->getMemoryStorage();
$encryptionUtil = new Jwt();
$jwtAccessToken = array('access_token' => rand(), 'expires' => time() + 100, 'scope' => 'foo');
$token = $encryptionUtil->encode($jwtAccessToken, $storage->getPrivateKey(), $storage->getEncryptionAlgorithm());
$this->assertNotNull($token);
$tokenData = $crypto->getAccessToken($token);
$this->assertTrue(is_array($tokenData));
/* assert the decoded token is the same */
$this->assertEquals($tokenData['access_token'], $jwtAccessToken['access_token']);
$this->assertEquals($tokenData['expires'], $jwtAccessToken['expires']);
$this->assertEquals($tokenData['scope'], $jwtAccessToken['scope']);
}
public function testCreateAccessToken()
{
$server = $this->getTestServer();
$jwtResponseType = $server->getResponseType('token');
$accessToken = $jwtResponseType->createAccessToken('Test Client ID', 123, 'test', false);
$jwt = new Jwt();
$decodedAccessToken = $jwt->decode($accessToken['access_token'], null, false);
$this->assertArrayHasKey('id', $decodedAccessToken);
$this->assertArrayHasKey('iss', $decodedAccessToken);
$this->assertArrayHasKey('aud', $decodedAccessToken);
$this->assertArrayHasKey('exp', $decodedAccessToken);
$this->assertArrayHasKey('iat', $decodedAccessToken);
$this->assertArrayHasKey('token_type', $decodedAccessToken);
$this->assertArrayHasKey('scope', $decodedAccessToken);
$this->assertEquals('https://api.example.com', $decodedAccessToken['iss']);
$this->assertEquals('Test Client ID', $decodedAccessToken['aud']);
$this->assertEquals(123, $decodedAccessToken['sub']);
$delta = $decodedAccessToken['exp'] - $decodedAccessToken['iat'];
$this->assertEquals(3600, $delta);
}
/**
* 产生28位 openid
* @param $clientID
* @param $user_id 用户在服务端登录id
* @return string
*/
protected function generateOpenID($clientID, $user_id)
{
$str = substr($clientID, 0, 6);
$str .= substr(md5($user_id, false), 0, 15);
$encryptionUtil = new Jwt();
$str = $encryptionUtil->urlSafeB64Encode($str);
return $str;
}
/**
* Generates a JWT
* @param $exp The expiration date. If the current time is greater than the exp, the JWT is invalid.
* @param $nbf The "not before" time. If the current time is less than the nbf, the JWT is invalid.
* @param $sub The subject we are acting on behalf of. This could be the email address of the user in the system.
* @param $iss The issuer, usually the client_id.
* @return string
*/
private function getJWT($exp = null, $nbf = null, $sub = null, $iss = 'Test Client ID', $jti = null)
{
if (!$exp) {
$exp = time() + 1000;
}
if (!$sub) {
$sub = "*****@*****.**";
}
$params = array('iss' => $iss, 'exp' => $exp, 'iat' => time(), 'sub' => $sub, 'aud' => 'http://myapp.com/oauth/auth');
if ($nbf) {
$params['nbf'] = $nbf;
}
if ($jti) {
$params['jti'] = $jti;
}
$jwtUtil = new Jwt();
return $jwtUtil->encode($params, $this->privateKey, 'RS256');
}
private function getJWT($exp = null, $nbf = null, $sub = null, $iss = 'Test Client ID', $scope = null)
{
$params = $this->getJWTParams($exp, $nbf, $sub, $iss, $scope);
$jwtUtil = new Jwt();
if (version_compare(PHP_VERSION, '5.3.3') <= 0) {
return $jwtUtil->encode($params, 'mysecretkey', 'HS256');
}
return $jwtUtil->encode($params, $this->privateKey, 'RS256');
}
public function testInvalidJwt()
{
$jwtUtil = new Jwt();
$this->assertFalse($jwtUtil->decode('goob'));
$this->assertFalse($jwtUtil->decode('go.o.b'));
}
public function decodeJwt($encoded)
{
$jwt = new Jwt();
return $jwt->decode($encoded, $this->getJwtKey());
}
