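 /**
  * Round-trips a claim set through Jwt::encode()/decode() and checks that
  * the decoded payload equals the original claims.
  *
  * The token is signed with the fixture private key (RS256) and verified
  * with the client's key from the data provider. decode() is told to accept
  * RS256 only, so the assertion cannot be satisfied by a token that verified
  * under some other algorithm.
  *
  * @dataProvider provideClientCredentials
  *
  * @param string $client_id  value of the "iss" claim
  * @param string $client_key key used to verify the signature
  */
 public function testJwtUtil($client_id, $client_key)
 {
     $jwtUtil = new Jwt();
     // one timestamp for both claims so "iat" and "exp" cannot straddle a second boundary
     $now = time();
     $params = array(
         'iss' => $client_id,
         'exp' => $now + 1000,
         'iat' => $now,
         'sub' => '*****@*****.**',
         'aud' => 'http://myapp.com/oauth/auth',
         'scope' => null,
     );
     $encoded = $jwtUtil->encode($params, $this->privateKey, 'RS256');
     // pin the accepted algorithm, as testInvalidJwtHeader does, instead of
     // letting decode() fall back to whatever its default allows
     $payload = $jwtUtil->decode($encoded, $client_key, array('RS256'));
     $this->assertEquals($params, $payload);
 }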
 /**
  * Verifies that a token whose header claims HS256 is rejected when the
  * verifier only accepts RS256 (the algorithm-substitution issue described at
  * https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/).
  *
  * The tampered token is HMAC-signed using the verification key itself as
  * the secret; a decoder that trusted the header's "alg" would accept it.
  *
  * @dataProvider provideClientCredentials
  *
  * @param string $client_id  value of the "iss" claim
  * @param string $client_key the client's key, used both as the bogus HMAC secret and for verification
  */
 public function testInvalidJwtHeader($client_id, $client_key)
 {
     $jwtUtil = new Jwt();
     $issued = time();
     $claims = array(
         'iss' => $client_id,
         'exp' => $issued + 1000,
         'iat' => $issued,
         'sub' => '*****@*****.**',
         'aud' => 'http://myapp.com/oauth/auth',
         'scope' => null,
     );
     $tampered = $jwtUtil->encode($claims, $client_key, 'HS256');
     $allowedAlgorithms = array('RS256');
     $this->assertFalse($jwtUtil->decode($tampered, $client_key, $allowedAlgorithms));
 }
/**
 * Build an RS256-signed JWT carrying the standard assertion claims.
 *
 * "exp" defaults to 1000 seconds from now when omitted (or falsy); "nbf" and
 * "jti" are only added to the claim set when a truthy value is supplied.
 *
 * @param string      $privateKey private key used to sign the token
 * @param string      $iss        issuer, usually the client_id
 * @param string      $sub        subject, usually a user_id
 * @param string      $aud        audience, usually the OAuth server URI
 * @param int|null    $exp        expiry as a unix timestamp; the JWT is invalid after it
 * @param int|null    $nbf        "not before" unix timestamp; the JWT is invalid before it
 * @param string|null $jti        token identifier / nonce
 *
 * @return string the encoded JWT
 */
function generateJWT($privateKey, $iss, $sub, $aud, $exp = null, $nbf = null, $jti = null)
{
    $claims = array(
        'iss' => $iss,
        'sub' => $sub,
        'aud' => $aud,
        'exp' => $exp ? $exp : time() + 1000,
        'iat' => time(),
    );
    // optional claims are only emitted when the caller supplied a truthy value
    foreach (array('nbf' => $nbf, 'jti' => $jti) as $name => $value) {
        if ($value) {
            $claims[$name] = $value;
        }
    }
    $encoder = new Jwt();
    return $encoder->encode($claims, $privateKey, 'RS256');
}
 /**
  * Build an RS256-signed JWT for the JWT bearer grant.
  * http://bshaffer.github.io/oauth2-server-php-docs/grant-types/jwt-bearer/
  *
  * Requires the OAuth2\Encryption\Jwt class from bshaffer/oauth2-server-php
  * to be loadable. "exp" defaults to 300 seconds from now when omitted (or
  * falsy); "nbf" and "jti" are only added when truthy.
  *
  * @param string      $privateKey private key used to sign the token
  * @param string      $iss        issuer, usually the client_id
  * @param string      $sub        subject, usually a user_id
  * @param string      $aud        audience, usually the OAuth server URI
  * @param int|null    $exp        expiry as a unix timestamp; the JWT is invalid after it
  * @param int|null    $nbf        "not before" unix timestamp; the JWT is invalid before it
  * @param string|null $jti        token identifier / nonce
  *
  * @return string the encoded JWT
  * @throws Exception when bshaffer/oauth2-server-php is not installed
  */
 public function generate($privateKey, $iss, $sub, $aud, $exp = null, $nbf = null, $jti = null)
 {
     if (!class_exists('OAuth2\\Encryption\\Jwt')) {
         throw new Exception('bshaffer/oauth2-server-php is required to generate a JWT');
     }
     $claims = array(
         'iss' => $iss,
         'sub' => $sub,
         'aud' => $aud,
         'exp' => $exp ? $exp : time() + 300,
         'iat' => time(),
     );
     // optional claims are only emitted when the caller supplied a truthy value
     foreach (array('nbf' => $nbf, 'jti' => $jti) as $name => $value) {
         if ($value) {
             $claims[$name] = $value;
         }
     }
     $encoder = new ServerJwt();
     return $encoder->encode($claims, $privateKey, 'RS256');
 }
 /**
  * Checks that jwtAccessToken::getAccessToken() decodes a token signed with
  * the storage's own private key and algorithm back into the original claims.
  *
  * Storages that do not implement PublicKey cannot provide a signing key and
  * are skipped.
  *
  * @dataProvider provideStorage
  *
  * @param object $storage storage fixture supplied by the data provider
  */
 public function testSetAccessToken($storage)
 {
     if (!$storage instanceof PublicKey) {
         return; // incompatible storage
     }
     $crypto = new jwtAccessToken($storage);
     // kept for its side effect on the Bootstrap singleton; the value itself is unused here
     $publicKeyStorage = Bootstrap::getInstance()->getMemoryStorage();
     $encoder = new Jwt();
     $claims = array(
         'access_token' => rand(),
         'expires' => time() + 100,
         'scope' => 'foo',
     );
     $token = $encoder->encode($claims, $storage->getPrivateKey(), $storage->getEncryptionAlgorithm());
     $this->assertNotNull($token);
     $decoded = $crypto->getAccessToken($token);
     $this->assertTrue(is_array($decoded));
     // every claim must survive the encode/decode round trip unchanged
     foreach (array('access_token', 'expires', 'scope') as $claim) {
         $this->assertEquals($decoded[$claim], $claims[$claim]);
     }
 }
 /**
  * Builds an RS256 JWT signed with the fixture private key.
  *
  * "exp" defaults to 1000 seconds from now and "sub" to the fixture e-mail
  * address when omitted (or falsy); "nbf" and "jti" are only added when
  * truthy. The audience is fixed to the test OAuth endpoint.
  *
  * @param int|null    $exp expiry as a unix timestamp; the JWT is invalid after it
  * @param int|null    $nbf "not before" unix timestamp; the JWT is invalid before it
  * @param string|null $sub subject acted on behalf of, e.g. the user's e-mail address
  * @param string      $iss issuer, usually the client_id
  * @param string|null $jti token identifier / nonce
  *
  * @return string
  */
 private function getJWT($exp = null, $nbf = null, $sub = null, $iss = 'Test Client ID', $jti = null)
 {
     $claims = array(
         'iss' => $iss,
         'exp' => $exp ? $exp : time() + 1000,
         'iat' => time(),
         'sub' => $sub ? $sub : "*****@*****.**",
         'aud' => 'http://myapp.com/oauth/auth',
     );
     // optional claims are only emitted when the caller supplied a truthy value
     foreach (array('nbf' => $nbf, 'jti' => $jti) as $name => $value) {
         if ($value) {
             $claims[$name] = $value;
         }
     }
     $encoder = new Jwt();
     return $encoder->encode($claims, $this->privateKey, 'RS256');
 }
 /**
  * Builds a signed JWT from the claim set assembled by getJWTParams().
  *
  * On PHP 5.3.3 and older the token is HMAC-signed (HS256) with a fixed test
  * secret; on newer runtimes it is RS256-signed with the fixture private key.
  *
  * @param int|null    $exp   expiry as a unix timestamp
  * @param int|null    $nbf   "not before" unix timestamp
  * @param string|null $sub   subject
  * @param string      $iss   issuer, usually the client_id
  * @param string|null $scope requested scope
  *
  * @return string
  */
 private function getJWT($exp = null, $nbf = null, $sub = null, $iss = 'Test Client ID', $scope = null)
 {
     $claims = $this->getJWTParams($exp, $nbf, $sub, $iss, $scope);
     // legacy runtimes get a symmetric test secret instead of the RSA key
     list($key, $algorithm) = version_compare(PHP_VERSION, '5.3.3') <= 0
         ? array('mysecretkey', 'HS256')
         : array($this->privateKey, 'RS256');
     $encoder = new Jwt();
     return $encoder->encode($claims, $key, $algorithm);
 }
 /**
  * Encodes $payload as a JWT signed with the key returned by getJwtKey().
  *
  * No algorithm is passed, so Jwt::encode()'s own default applies; that
  * default is not visible here — confirm it is the intended one.
  *
  * @param array $payload claim set to encode
  *
  * @return string
  */
 public function encodeJwt($payload)
 {
     $signingKey = $this->getJwtKey();
     $encoder = new Jwt();
     return $encoder->encode($payload, $signingKey);
 }