
Commit 4df03d4

committed
Updates to JWT handling
1 parent cc86068 commit 4df03d4

3 files changed

+78
-62
lines changed


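--- a/src/AccessToken.php
+++ b/src/AccessToken.php
@@ -168,9 +168,7 @@ public function get($scope = '', $scopeOnly = false)
 'scope' => implode(' ', $scopesRequested)
 );
 if (!empty(Tool::$defaultTool)) {
-if (empty(Tool::$defaultTool->platform)) {
-Tool::$defaultTool->platform = $this->platform;
-}
+Tool::$defaultTool->platform = $this->platform;
 $body = Tool::$defaultTool->signServiceRequest($url, $method, $type, $body);
 } else {
 $body = $this->platform->signServiceRequest($url, $method, $type, $body);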
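Review bot: The assignment `Tool::$defaultTool->platform = $this->platform;` now overwrites the shared static unconditionally and leaves it pointing at this token's platform after the request is signed, so any later code in the same process that relies on `Tool::$defaultTool->platform` inherits whichever platform last fetched a token. If the intent is only that the service request be signed for the platform this token belongs to, that is worth stating, e.g. `// Sign with the platform this token is being requested for, not the platform the default tool was last bound to`, and the previous value could be saved before the assignment and restored after `signServiceRequest` returns. Whether callers elsewhere depend on the old "only set when empty" behaviour cannot be seen from this hunk. The enclosing `get()` method begins and ends outside the hunk.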

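--- a/src/Jwt/WebTokenClient.php
+++ b/src/Jwt/WebTokenClient.php
@@ -58,19 +58,30 @@ public function isEncrypted()
 */
 public function load($jwtString, $privateKey = null)
 {
+$ok = true;
 $this->jwe = null;
 $this->jwt = null;
 $this->claims = null;
 try {
 $serializer = new Signature\Serializer\CompactSerializer();
 $this->jwt = $serializer->unserialize($jwtString);
 } catch (\Exception $e) {
-$serializer = new Encryption\Serializer\CompactSerializer();
-$this->jwt = $serializer->unserialize($jwtString);
+$ok = false;
+}
+if (!$ok) {
+try {
+$serializer = new Encryption\Serializer\CompactSerializer();
+$this->jwt = $serializer->unserialize($jwtString);
+$ok = $this->decrypt($privateKey);
+} catch (\Exception $e) {
+$ok = false;
+}
 }
-if ($this->decrypt($privateKey)) {
+if ($ok) {
 $this->claims = json_decode($this->jwt->getPayload(), true);
 }
+
+return $ok;
 }
 
 /**
@@ -430,7 +441,7 @@ public static function getJWKS($pemKey, $signatureMethod, $kid)
 */
 private function decrypt($privateKey)
 {
-$ok = true;
+$ok = false;
 if ($this->jwt instanceof Encryption\JWE) {
 $this->jwe = clone $this->jwt;
 $keyEnc = $this->jwe->getSharedProtectedHeaderParameter('alg');
@@ -447,11 +458,14 @@ private function decrypt($privateKey)
 $jweDecrypter = new Encryption\JWEDecrypter($keyEncryptionAlgorithmManager, $contentEncryptionAlgorithmManager,
 $compressionMethodManager);
 if ($jweDecrypter->decryptUsingKey($this->jwt, $jwk, 0)) {
-$jwt = $this->jwt->getPayload();
-$serializer = new Signature\Serializer\CompactSerializer();
-$this->jwt = $serializer->unserialize($jwt);
-} else {
-$ok = false;
+try {
+$jwt = $this->jwt->getPayload();
+$serializer = new Signature\Serializer\CompactSerializer();
+$this->jwt = $serializer->unserialize($jwt);
+$ok = true;
+} catch (\Exception $e) {
+$ok = false;
+}
 }
 }
 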
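Review bot: In the `load()` hunk, `return $ok;` reports success even when `json_decode($this->jwt->getPayload(), true)` yields `null` for a payload that is not valid JSON, so a caller is told the token loaded while `$this->claims` is unusable; the result should feed back into the flag, e.g. `$this->claims = json_decode($this->jwt->getPayload(), true);` followed by `$ok = is_array($this->claims);`. The new `load()` docblock above the hunk presumably still describes a void method and should document the boolean return, e.g. `@return bool True if the string was parsed as a JWS, or as a JWE that could be decrypted with the supplied key`. Both new `catch (\Exception $e)` blocks, and the one in the third hunk of this file, discard `$e`, so the only diagnostic a caller gets is `false`; if the class has a place to record a reason, the exception message belongs there. The third hunk's `decrypt()` continues outside the hunk.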

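--- a/src/System.php
+++ b/src/System.php
@@ -529,69 +529,73 @@ private function parseMessage()
 try {
 $this->jwt = Jwt::getJwtClient();
 if (isset($this->rawParameters['id_token'])) {
-$this->jwt->load($this->rawParameters['id_token'], $this->rsaKey);
+$this->ok = $this->jwt->load($this->rawParameters['id_token'], $this->rsaKey);
 } else {
-$this->jwt->load($this->rawParameters['JWT'], $this->rsaKey);
+$this->ok = $this->jwt->load($this->rawParameters['JWT'], $this->rsaKey);
 }
-$this->ok = $this->jwt->hasClaim('iss') && $this->jwt->hasClaim('aud') &&
-$this->jwt->hasClaim(Util::JWT_CLAIM_PREFIX . '/claim/deployment_id');
-if ($this->ok) {
-$iss = $this->jwt->getClaim('iss');
-$aud = $this->jwt->getClaim('aud');
-$deploymentId = $this->jwt->getClaim(Util::JWT_CLAIM_PREFIX . '/claim/deployment_id');
-$this->ok = !empty($iss) && !empty($aud) && !empty($deploymentId);
-if (!$this->ok) {
-$this->reason = 'iss, aud and/or deployment_id claim is empty';
-} elseif (is_array($aud)) {
-if ($this->jwt->hasClaim('azp')) {
-$this->ok = !empty($this->jwt->getClaim('azp'));
-if (!$this->ok) {
-$this->reason = 'azp claim is empty';
-} else {
-$this->ok = in_array($this->jwt->getClaim('azp'), $aud);
-if ($this->ok) {
-$aud = $this->jwt->getClaim('azp');
+if (!$this->ok) {
+$this->reason = 'Message does not contain a valid JWT';
+} else {
+$this->ok = $this->jwt->hasClaim('iss') && $this->jwt->hasClaim('aud') &&
+$this->jwt->hasClaim(Util::JWT_CLAIM_PREFIX . '/claim/deployment_id');
+if ($this->ok) {
+$iss = $this->jwt->getClaim('iss');
+$aud = $this->jwt->getClaim('aud');
+$deploymentId = $this->jwt->getClaim(Util::JWT_CLAIM_PREFIX . '/claim/deployment_id');
+$this->ok = !empty($iss) && !empty($aud) && !empty($deploymentId);
+if (!$this->ok) {
+$this->reason = 'iss, aud and/or deployment_id claim is empty';
+} elseif (is_array($aud)) {
+if ($this->jwt->hasClaim('azp')) {
+$this->ok = !empty($this->jwt->getClaim('azp'));
+if (!$this->ok) {
+$this->reason = 'azp claim is empty';
 } else {
-$this->reason = 'azp claim value is not included in aud claim';
+$this->ok = in_array($this->jwt->getClaim('azp'), $aud);
+if ($this->ok) {
+$aud = $this->jwt->getClaim('azp');
+} else {
+$this->reason = 'azp claim value is not included in aud claim';
+}
+}
+} else {
+$aud = $aud[0];
+$this->ok = !empty($aud);
+if (!$this->ok) {
+$this->reason = 'First element of aud claim is empty';
 }
 }
-} else {
-$aud = $aud[0];
-$this->ok = !empty($aud);
+} elseif ($this->jwt->hasClaim('azp')) {
+$this->ok = $this->jwt->getClaim('azp') === $aud;
 if (!$this->ok) {
-$this->reason = 'First element of aud claim is empty';
+$this->reason = 'aud claim does not match the azp claim';
 }
 }
-} elseif ($this->jwt->hasClaim('azp')) {
-$this->ok = $this->jwt->getClaim('azp') === $aud;
-if (!$this->ok) {
-$this->reason = 'aud claim does not match the azp claim';
-}
-}
-if ($this->ok) {
-$this->platform = Platform::fromPlatformId($iss, $aud, $deploymentId, $this->dataConnector);
-if (isset($this->rawParameters['id_token'])) {
-$this->ok = !empty($this->rawParameters['state']);
-if ($this->ok) {
-$nonce = new PlatformNonce($this->platform, $this->rawParameters['state']);
-$this->ok = $nonce->load();
+if ($this->ok) {
+$this->platform = Platform::fromPlatformId($iss, $aud, $deploymentId, $this->dataConnector);
+if (isset($this->rawParameters['id_token'])) {
+$this->ok = !empty($this->rawParameters['state']);
 if ($this->ok) {
-$this->ok = $nonce->delete();
+$nonce = new PlatformNonce($this->platform, $this->rawParameters['state']);
+$this->ok = $nonce->load();
+if ($this->ok) {
+$this->ok = $nonce->delete();
+}
 }
 }
+if ($this->ok) {
+$this->platform->platformId = $this->jwt->getClaim('iss');
+$this->messageParameters = array();
+$this->messageParameters['oauth_consumer_key'] = $aud;
+$this->messageParameters['oauth_signature_method'] = $this->jwt->getHeader('alg');
+$this->parseClaims();
+} else {
+$this->reason = 'state parameter is invalid or missing';
+}
 }
-if ($this->ok) {
-$this->platform->platformId = $this->jwt->getClaim('iss');
-$this->messageParameters = array();
-$this->messageParameters['oauth_consumer_key'] = $aud;
-$this->messageParameters['oauth_signature_method'] = $this->jwt->getHeader('alg');
-$this->parseClaims();
-} else {
-$this->reason = 'state parameter is invalid or missing';
-}
+} else {
+$this->reason = 'iss, aud and/or deployment_id claim not found';
 }
-} else {
-$this->reason = 'iss, aud and/or deployment_id claim not found';
 }
 } catch (\Exception $e) {
 $this->ok = false;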
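Review bot: The audience check on the new side, `$this->ok = in_array($this->jwt->getClaim('azp'), $aud);`, still uses loose comparison, so an `azp` claim of a non-string JSON type that decodes to `true` or to a numeric-looking string can compare equal to an `aud` entry it does not actually match; the sibling branch for a scalar `aud` already uses `===`, and this one should be strict as well: `$this->ok = in_array($this->jwt->getClaim('azp'), $aud, true);`. Relatedly, none of the branches confirm that `$iss`, `$aud` (or `$aud[0]`) and `$deploymentId` are strings before they reach `Platform::fromPlatformId` and `messageParameters`, only that they are non-empty; whether `fromPlatformId` validates its arguments cannot be seen here. The new `'Message does not contain a valid JWT'` reason is a clear improvement, but it hides which of the JWS, JWE or decryption steps failed, which matters when diagnosing a platform integration. The enclosing `parseMessage()` begins before this hunk and its `catch` block continues after it.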
