public function __construct(array $options = [], $provider) { parent::__construct($options); if (!empty($options['id_token'])) { $this->idToken = $options['id_token']; $keys = $provider->getJwtVerificationKeys(); $idTokenClaims = null; try { $tks = explode('.', $this->idToken); // Check if the id_token contains signature if (count($tks) == 3 && !empty($tks[2])) { $idTokenClaims = (array) JWT::decode($this->idToken, $keys, ['RS256']); } else { // The id_token is unsigned (coming from v1.0 endpoint) - https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx // Validate the access_token signature first by parsing it as JWT into claims $accessTokenClaims = (array) JWT::decode($options['access_token'], $keys, ['RS256']); // Then parse the idToken claims only without validating the signature $idTokenClaims = (array) JWT::jsonDecode(JWT::urlsafeB64Decode($tks[1])); } } catch (JWT_Exception $e) { throw new RuntimeException("Unable to parse the id_token!"); } if ($provider->getClientId() != $idTokenClaims['aud']) { throw new RuntimeException("The audience is invalid!"); } if ($idTokenClaims['nbf'] > time() || $idTokenClaims['exp'] < time()) { // Additional validation is being performed in firebase/JWT itself throw new RuntimeException("The id_token is invalid!"); } if ($provider->tenant == "common") { $provider->tenant = $idTokenClaims['tid']; $tenant = $provider->getTenantDetails($provider->tenant); if ($idTokenClaims['iss'] != $tenant['issuer']) { throw new RuntimeException("Invalid token issuer!"); } } else { $tenant = $provider->getTenantDetails($provider->tenant); if ($idTokenClaims['iss'] != $tenant['issuer']) { throw new RuntimeException("Invalid token issuer!"); } } $this->idTokenClaims = $idTokenClaims; } }
/** * Decodes a JWT string into a PHP object. * * @param string $jwt The JWT * @param string|array|null $key The key, or map of keys. * If the algorithm used is asymmetric, this is the public key * @param array $allowed_algs List of supported verification algorithms * Supported algorithms are 'HS256', 'HS384', 'HS512' and 'RS256' * * @return object The JWT's payload as a PHP object * * @throws DomainException Algorithm was not provided * @throws UnexpectedValueException Provided JWT was invalid * @throws SignatureInvalidException Provided JWT was invalid because the signature verification failed * @throws BeforeValidException Provided JWT is trying to be used before it's eligible as defined by 'nbf' * @throws BeforeValidException Provided JWT is trying to be used before it's been created as defined by 'iat' * @throws ExpiredException Provided JWT has since expired, as defined by the 'exp' claim * * @uses jsonDecode * @uses urlsafeB64Decode */ public static function decode($jwt, $key, $allowed_algs = array()) { if (empty($key)) { throw new InvalidArgumentException('Key may not be empty'); } $tks = explode('.', $jwt); if (count($tks) != 3) { throw new UnexpectedValueException('Wrong number of segments'); } list($headb64, $bodyb64, $cryptob64) = $tks; if (null === ($header = JWT::jsonDecode(JWT::urlsafeB64Decode($headb64)))) { throw new UnexpectedValueException('Invalid header encoding'); } if (null === ($payload = JWT::jsonDecode(JWT::urlsafeB64Decode($bodyb64)))) { throw new UnexpectedValueException('Invalid claims encoding'); } $sig = JWT::urlsafeB64Decode($cryptob64); if (empty($header->alg)) { throw new DomainException('Empty algorithm'); } if (empty(self::$supported_algs[$header->alg])) { throw new DomainException('Algorithm not supported'); } if (!is_array($allowed_algs) || !in_array($header->alg, $allowed_algs)) { throw new DomainException('Algorithm not allowed'); } if (is_array($key) || $key instanceof \ArrayAccess) { if (isset($header->kid)) { $key = $key[$header->kid]; } else { throw new DomainException('"kid" empty, unable to lookup correct key'); } } // Check the signature if (!JWT::verify("{$headb64}.{$bodyb64}", $sig, $key, $header->alg)) { throw new SignatureInvalidException('Signature verification failed'); } // Check if the nbf if it is defined. This is the time that the // token can actually be used. If it's not yet that time, abort. if (isset($payload->nbf) && $payload->nbf > time() + self::$leeway) { throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->nbf)); } // Check that this token has been created before 'now'. This prevents // using tokens that have been created for later use (and haven't // correctly used the nbf claim). if (isset($payload->iat) && $payload->iat > time() + self::$leeway) { throw new BeforeValidException('Cannot handle token prior to ' . date(DateTime::ISO8601, $payload->iat)); } // Check if this token has expired. if (isset($payload->exp) && time() - self::$leeway >= $payload->exp) { throw new ExpiredException('Expired token', $payload); } return $payload; }
public function testMalformedJsonThrowsException() { $this->setExpectedException('DomainException'); JWT::jsonDecode('this is not valid JSON string'); }