/**
* Verifies the id token, returns the verified token contents.
*
* @param $jwt string the token
* @param $certs array of certificates
* @param $required_audience string the expected consumer of the token
* @param [$issuer] the expected issues, defaults to Google
* @param [$max_expiry] the max lifetime of a token, defaults to MAX_TOKEN_LIFETIME_SECS
* @throws Exception
* @return mixed token information if valid, false if not
*/
public function verifySignedJwtWithCerts($jwt, $certs, $required_audience, $issuer = null, $max_expiry = null)
{
if (!$max_expiry) {
// Set the maximum time we will accept a token for.
$max_expiry = self::MAX_TOKEN_LIFETIME_SECS;
}
$segments = explode(".", $jwt);
if (count($segments) != 3) {
throw new Exception("Wrong number of segments in token: {$jwt}");
}
$signed = $segments[0] . "." . $segments[1];
$signature = Utils::urlSafeB64Decode($segments[2]);
// Parse envelope.
$envelope = json_decode(Utils::urlSafeB64Decode($segments[0]), true);
if (!$envelope) {
throw new Exception("Can't parse token envelope: " . $segments[0]);
}
// Parse token
$json_body = Utils::urlSafeB64Decode($segments[1]);
$payload = json_decode($json_body, true);
if (!$payload) {
throw new Exception("Can't parse token payload: " . $segments[1]);
}
// Check signature
$verified = false;
foreach ($certs as $keyName => $pem) {
$public_key = new Pem($pem);
if ($public_key->verify($signed, $signature)) {
$verified = true;
break;
}
}
if (!$verified) {
throw new Exception("Invalid token signature: {$jwt}");
}
// Check issued-at timestamp
$iat = 0;
if (array_key_exists("iat", $payload)) {
$iat = $payload["iat"];
}
if (!$iat) {
throw new Exception("No issue time in token: {$json_body}");
}
$earliest = $iat - self::CLOCK_SKEW_SECS;
// Check expiration timestamp
$now = time();
$exp = 0;
if (array_key_exists("exp", $payload)) {
$exp = $payload["exp"];
}
if (!$exp) {
throw new Exception("No expiration time in token: {$json_body}");
}
if ($exp >= $now + $max_expiry) {
throw new Exception(sprintf("Expiration time too far in future: %s", $json_body));
}
$latest = $exp + self::CLOCK_SKEW_SECS;
if ($now < $earliest) {
throw new Exception(sprintf("Token used too early, %s < %s: %s", $now, $earliest, $json_body));
}
if ($now > $latest) {
throw new Exception(sprintf("Token used too late, %s > %s: %s", $now, $latest, $json_body));
}
// support HTTP and HTTPS issuers
// @see https://developers.google.com/identity/sign-in/web/backend-auth
$iss = $payload['iss'];
if ($issuer && !in_array($iss, (array) $issuer)) {
throw new Exception(sprintf("Invalid issuer, %s not in %s: %s", $iss, "[" . implode(",", (array) $issuer) . "]", $json_body));
}
// Check audience
$aud = $payload["aud"];
if ($aud != $required_audience) {
throw new Exception(sprintf("Wrong recipient, %s != %s:", $aud, $required_audience, $json_body));
}
// All good.
return new LoginTicket($envelope, $payload);
}
/**
* @param array $headers The HTTP request headers
* to be set and normalized.
*/
public function setRequestHeaders($headers)
{
$headers = Utils::normalize($headers);
if ($this->requestHeaders) {
$headers = array_merge($this->requestHeaders, $headers);
}
$this->requestHeaders = $headers;
}
