
Merge pull request jumbojett#334 from hallowelt/Fix_LogoutToken_Valid…
…ation_AUD_Claim

Fix LogoutToken verification for single value `aud` claims
azmeuk authored Mar 29, 2023
2 parents 20b51cb + dd9ceb0 commit e46f108
Showing 3 changed files with 151 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* Support for signed and encrypted UserInfo response. #305
* Support for signed and encrypted ID Token. #305
* Update construct typehint in docblock. #364
* Fixed LogoutToken verification for single value aud claims #334

### Added
- Support for signed and encrypted UserInfo response. #305
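--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -563,7 +563,9 @@ public function verifyLogoutTokenClaims($claims)
 return false;
 }
 // Validate the aud
-if ((!$claims->aud === $this->clientID) || (!in_array($this->clientID, $claims->aud, true))) {
+$auds = $claims->aud;
+$auds = is_array( $auds ) ? $auds : [ $auds ];
+if (!in_array($this->clientID, $auds, true)) {
 return false;
 }
 // Validate the iat. At this point we can return true if it is ok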
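Review bot: The new `$auds = $claims->aud;` line dereferences the property unconditionally, so a logout token that carries no `aud` claim at all raises an undefined-property warning before `in_array` rejects it, assuming `$claims` is a plain `stdClass` from the JWT decode as the tests suggest; the result is still `false`, but the warning is noise that depends on error-handler configuration. A guard such as `$auds = isset($claims->aud) ? (array) $claims->aud : [];` keeps the single-value and list handling while rejecting a missing claim quietly, since `(array)` on a string yields a one-element list and is a no-op on an array. The strict `in_array` is the right choice: the client_id must match exactly and a non-string `aud` entry should not be accepted. The spacing `is_array( $auds )` / `[ $auds ]` also differs from the surrounding file's `in_array($this->clientID, ...)` style. `verifyLogoutTokenClaims` begins and ends outside this hunk.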
147 changes: 147 additions & 0 deletions tests/OpenIDConnectClientTest.php
Expand Up @@ -88,4 +88,151 @@ public function provider()

];
}

/**
* @covers Jumbojett\\OpenIDConnectClient::verifyLogoutTokenClaims
* @dataProvider provideTestVerifyLogoutTokenClaimsData
*/
public function testVerifyLogoutTokenClaims( $claims, $expectedResult )
{
/** @var OpenIDConnectClient | MockObject $client */
$client = $this->getMockBuilder(OpenIDConnectClient::class)->setMethods(['decodeJWT'])->getMock();

$client->setClientID('fake-client-id');
$client->setIssuer('fake-issuer');
$client->setIssuerValidator(function() {
return true;
});
$client->setProviderURL('https://jwt.io/');

$actualResult = $client->verifyLogoutTokenClaims( $claims );

$this->assertEquals( $expectedResult, $actualResult );
}

/**
* @return array
*/
public function provideTestVerifyLogoutTokenClaimsData() {
return [
'valid-single-aud' => [
(object)[
'iss' => 'fake-issuer',
'aud' => 'fake-client-id',
'sid' => 'fake-client-sid',
'sub' => 'fake-client-sub',
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
],
true
],
'valid-multiple-auds' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'sub' => 'fake-client-sub',
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
],
true
],
'invalid-no-sid-and-no-sub' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
],
false
],
'valid-no-sid' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sub' => 'fake-client-sub',
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
],
true
],
'valid-no-sub' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
],
true
],
'invalid-with-nonce' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'iat' => time(),
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
],
'nonce' => 'must-not-be-set'
],
false
],
'invalid-no-events' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'iat' => time(),
'nonce' => 'must-not-be-set'
],
false
],
'invalid-no-backchannel-event' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'iat' => time(),
'events' => (object) [],
'nonce' => 'must-not-be-set'
],
false
],
'invalid-no-iat' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
]
],
false
],
'invalid-bad-iat' => [
(object)[
'iss' => 'fake-issuer',
'aud' => [ 'fake-client-id', 'some-other-aud' ],
'sid' => 'fake-client-sid',
'iat' => time() + 301,
'events' => (object) [
'http://schemas.openid.net/event/backchannel-logout' => (object)[]
]
],
false
],
];
}
}
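Review bot: The provider never exercises the rejection path the commit touches: every dataset's `aud` contains `fake-client-id`, so a logout token addressed to a different client (single value or list) is not shown to be rejected, which is the security-relevant half of the aud check. Two negative datasets are proposed below (constructed fixture values). `assertEquals( $expectedResult, $actualResult )` on line 67 compares loosely, so a truthy non-boolean return would pass against `true`; `$this->assertSame($expectedResult, $actualResult);` pins the boolean. The `@covers` annotation is written with a doubled backslash (`Jumbojett\\OpenIDConnectClient`), which may be a rendering artefact but, if literal, would not resolve to the class.
```php
// … unchanged: existing datasets …
'invalid-wrong-single-aud' => [
    (object)[
        'iss' => 'fake-issuer',
        'aud' => 'some-other-client',
        'sid' => 'fake-client-sid',
        'iat' => time(),
        'events' => (object) [
            'http://schemas.openid.net/event/backchannel-logout' => (object)[]
        ],
    ],
    false
],
'invalid-wrong-multiple-auds' => [
    (object)[
        'iss' => 'fake-issuer',
        'aud' => [ 'some-other-client', 'yet-another-aud' ],
        'sid' => 'fake-client-sid',
        'iat' => time(),
        'events' => (object) [
            'http://schemas.openid.net/event/backchannel-logout' => (object)[]
        ],
    ],
    false
],
```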
