From 4f82133be4db266d766db4c7ad8a61720aa8884f Mon Sep 17 00:00:00 2001
From: brian
Date: Tue, 22 May 2018 17:34:49 -0500
Subject: [PATCH 1/3] Include Client ID (kid) parameter in JWT header

---
 src/OAuth2/Encryption/EncryptionInterface.php | 2 +-
 src/OAuth2/Encryption/Jwt.php | 12 ++++++++----
 src/OAuth2/OpenID/ResponseType/IdToken.php | 2 +-
 src/OAuth2/ResponseType/JwtAccessToken.php | 2 +-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/OAuth2/Encryption/EncryptionInterface.php b/src/OAuth2/Encryption/EncryptionInterface.php
index 8dc720a43..928c1413f 100644
--- a/src/OAuth2/Encryption/EncryptionInterface.php
+++ b/src/OAuth2/Encryption/EncryptionInterface.php
@@ -10,7 +10,7 @@ interface EncryptionInterface
 * @param null $algorithm
 * @return mixed
 */
- public function encode($payload, $key, $algorithm = null);
+ public function encode($payload, $key, $algorithm = null, $keyId = null);

 /**
 * @param $payload
diff --git a/src/OAuth2/Encryption/Jwt.php b/src/OAuth2/Encryption/Jwt.php
index c258b8fc3..7e8df5b54 100644
--- a/src/OAuth2/Encryption/Jwt.php
+++ b/src/OAuth2/Encryption/Jwt.php
@@ -17,9 +17,9 @@ class Jwt implements EncryptionInterface
 * @param string $algo
 * @return string
 */
- public function encode($payload, $key, $algo = 'HS256')
+ public function encode($payload, $key, $algo = 'HS256', $keyId = null)
 {
- $header = $this->generateJwtHeader($payload, $algo);
+ $header = $this->generateJwtHeader($payload, $algo, $keyId);

 $segments = array(
 $this->urlSafeB64Encode(json_encode($header)),
@@ -195,12 +195,16 @@ public function urlSafeB64Decode($b64)
 /**
 * Override to create a custom header
 */
- protected function generateJwtHeader($payload, $algorithm)
+ protected function generateJwtHeader($payload, $algorithm, $keyId = null)
 {
- return array(
+ $header = array(
 'typ' => 'JWT',
 'alg' => $algorithm,
 );
+ if (!is_null($keyId)) {
+ $header['kid'] = $keyId;
+ }
+ return $header;
 }

 /**
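Review bot: The docblock directly above the changed `encode` signature is not updated for the new `$keyId` parameter, so the interface now declares four parameters while documenting three; the `Jwt::encode` hunk in the next file has the same gap. In both places add a line such as `* @param string|null $keyId optional key identifier, emitted as the JWT "kid" header when not null` before the existing `@return` (the opening of each docblock sits outside its hunk). Separately, adding a parameter to an interface method means any third-party class that implements `EncryptionInterface` with the old three-parameter `encode` will no longer load, because PHP rejects the narrower declaration as incompatible; this is a breaking change to the public interface and deserves to be called out as such in the release notes.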
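Review bot: `generateJwtHeader` is the documented extension point ("Override to create a custom header"), and this hunk widens its signature; a subclass that still declares `generateJwtHeader($payload, $algorithm)` trips PHP's declaration-compatibility check (a warning on older PHP, fatal on PHP 8), and where it only warns, the third argument is silently dropped, so such subclasses produce tokens without a "kid" header with nothing to say why. The docblock should state this: `* @param string|null $keyId value for the "kid" header, omitted when null; overriding methods must accept this parameter`. A small style point on the added lines: `if (!is_null($keyId))` is more idiomatically `if ($keyId !== null)`. Nothing in this series reads "kid" on the decode side; if a verifier later selects its key by it, that header value is unauthenticated until the signature has been checked, which is worth a one-line comment where the header is built so the shortcut is not taken later.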
diff --git a/src/OAuth2/OpenID/ResponseType/IdToken.php b/src/OAuth2/OpenID/ResponseType/IdToken.php
index 55e446074..011931631 100644
--- a/src/OAuth2/OpenID/ResponseType/IdToken.php
+++ b/src/OAuth2/OpenID/ResponseType/IdToken.php
@@ -144,7 +144,7 @@ protected function encodeToken(array $token, $client_id = null)
 $private_key = $this->publicKeyStorage->getPrivateKey($client_id);
 $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);

- return $this->encryptionUtil->encode($token, $private_key, $algorithm);
+ return $this->encryptionUtil->encode($token, $private_key, $algorithm, $client_id);
 }

 /**
diff --git a/src/OAuth2/ResponseType/JwtAccessToken.php b/src/OAuth2/ResponseType/JwtAccessToken.php
index 0ee3708aa..3c2a5e293 100644
--- a/src/OAuth2/ResponseType/JwtAccessToken.php
+++ b/src/OAuth2/ResponseType/JwtAccessToken.php
@@ -111,7 +111,7 @@ protected function encodeToken(array $token, $client_id = null)
 $private_key = $this->publicKeyStorage->getPrivateKey($client_id);
 $algorithm = $this->publicKeyStorage->getEncryptionAlgorithm($client_id);

- return $this->encryptionUtil->encode($token, $private_key, $algorithm);
+ return $this->encryptionUtil->encode($token, $private_key, $algorithm, $client_id);
 }

 /**

From 2eee815832f0b2ccf12943a3b6387eda8961fba4 Mon Sep 17 00:00:00 2001
From: brian
Date: Tue, 22 May 2018 17:49:18 -0500
Subject: [PATCH 2/3] Use the namespace if using the firebase/php-jwt package

---
 composer.json | 4 ++--
 src/OAuth2/Encryption/FirebaseJwt.php | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/composer.json b/composer.json
index 272d20027..66f825deb 100644
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,7 @@
 "require-dev": {
 "phpunit/phpunit": "^4.0",
 "aws/aws-sdk-php": "~2.8",
- "firebase/php-jwt": "~2.2",
+ "firebase/php-jwt": "~2.3",
 "predis/predis": "dev-master",
 "thobbs/phpcassa": "dev-master",
 "mongodb/mongodb": "^1.1"
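Review bot: Both `IdToken::encodeToken` and `JwtAccessToken::encodeToken` now forward `$client_id` as the key identifier, but each signature defaults `$client_id` to `null`, so the "kid" header appears only when a caller passes a client id and tokens from the same server will be inconsistent about carrying it; how often callers omit it is not visible from these hunks. The value also names the client whose key `getPrivateKey($client_id)` returns rather than the key itself, so if a client's key is ever rotated the header cannot distinguish signatures made with the old and the new key; an identifier tied to the key, if `publicKeyStorage` can supply one, would match the usual meaning of "kid". Either way the intent deserves a comment on the call, e.g. `// keys are stored per client, so the client id doubles as the "kid"`. Both `encodeToken` bodies begin before their hunks.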
@@ -30,7 +30,7 @@
 "predis/predis": "Required to use Redis storage",
 "thobbs/phpcassa": "Required to use Cassandra storage",
 "aws/aws-sdk-php": "~2.8 is required to use DynamoDB storage",
- "firebase/php-jwt": "~2.2 is required to use JWT features",
+ "firebase/php-jwt": "~2.3 is required to use JWT features",
 "mongodb/mongodb": "^1.1 is required to use MongoDB storage"
 }
 }
diff --git a/src/OAuth2/Encryption/FirebaseJwt.php b/src/OAuth2/Encryption/FirebaseJwt.php
index 1b527e0a0..e84ac609b 100644
--- a/src/OAuth2/Encryption/FirebaseJwt.php
+++ b/src/OAuth2/Encryption/FirebaseJwt.php
@@ -10,14 +10,14 @@ class FirebaseJwt implements EncryptionInterface
 {
 public function __construct()
 {
- if (!class_exists('\JWT')) {
+ if (!class_exists('\Firebase\JWT\JWT')) {
 throw new \ErrorException('firebase/php-jwt must be installed to use this feature. You can do this by running "composer require firebase/php-jwt"');
 }
 }

 public function encode($payload, $key, $alg = 'HS256', $keyId = null)
 {
- return \JWT::encode($payload, $key, $alg, $keyId);
+ return \Firebase\JWT\JWT::encode($payload, $key, $alg, $keyId);
 }

 public function decode($jwt, $key = null, $allowedAlgorithms = null)
@@ -29,7 +29,7 @@ public function decode($jwt, $key = null, $allowedAlgorithms = null)
 $key = null;
 }

- return (array)\JWT::decode($jwt, $key, $allowedAlgorithms);
+ return (array)\Firebase\JWT\JWT::decode($jwt, $key, $allowedAlgorithms);
 } catch (\Exception $e) {
 return false;
 }
@@ -37,11 +37,11 @@ public function decode($jwt, $key = null, $allowedAlgorithms = null)

 public function urlSafeB64Encode($data)
 {
- return \JWT::urlsafeB64Encode($data);
+ return \Firebase\JWT\JWT::urlsafeB64Encode($data);
 }

 public function urlSafeB64Decode($b64)
 {
- return \JWT::urlsafeB64Decode($b64);
+ return \Firebase\JWT\JWT::urlsafeB64Decode($b64);
 }
 }

From 4a50f1d3427bedfb1e7aaca422e51ef648ba3f62 Mon Sep 17 00:00:00 2001
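Review bot: The fully-qualified `\Firebase\JWT\JWT` is repeated at every call site in this hunk and again in the `decode` and `urlSafeB64Encode`/`urlSafeB64Decode` hunks that follow; a single `use Firebase\JWT\JWT;` above the class (outside this hunk) with plain `JWT::encode(...)` and friends keeps the package name in one place and reads more easily. The `class_exists` guard can stay a string, or become `class_exists(JWT::class)` if the project's minimum PHP is 5.5 or later. A short comment next to the guard, `// the namespaced class only exists from the php-jwt 3.x line`, would also explain the accompanying composer constraint change (which patch 3/3 in this series corrects to ~3.0).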
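Review bot: The new call passes `$allowedAlgorithms` straight through, and the enclosing `decode` signature, which begins before this hunk, defaults it to `null`; php-jwt checks the token's `alg` against that list, so as far as I can tell a caller relying on the default has every token rejected, and the `catch (\Exception $e) { return false; }` below turns that into the same `false` an invalid signature produces. The wrapper should not present `null` as a usable default: require callers to pass the algorithms they accept, and document on the method that `null` is not a wildcard, e.g. `* @param string[] $allowedAlgorithms algorithms the caller accepts; tokens using any other "alg" are rejected`. The catch should at least record `$e->getMessage()` (log or rethrow as a domain exception) so operators can tell a configuration mistake from a rejected token.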
From: brian
Date: Tue, 22 May 2018 18:34:19 -0500
Subject: [PATCH 3/3] Fix typo on minimum version of firebase/php-jwt

---
 composer.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/composer.json b/composer.json
index 66f825deb..c0703467f 100644
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,7 @@
 "require-dev": {
 "phpunit/phpunit": "^4.0",
 "aws/aws-sdk-php": "~2.8",
- "firebase/php-jwt": "~2.3",
+ "firebase/php-jwt": "~3.0",
 "predis/predis": "dev-master",
 "thobbs/phpcassa": "dev-master",
 "mongodb/mongodb": "^1.1"
@@ -30,7 +30,7 @@
 "predis/predis": "Required to use Redis storage",
 "thobbs/phpcassa": "Required to use Cassandra storage",
 "aws/aws-sdk-php": "~2.8 is required to use DynamoDB storage",
- "firebase/php-jwt": "~2.3 is required to use JWT features",
+ "firebase/php-jwt": "~3.0 is required to use JWT features",
 "mongodb/mongodb": "^1.1 is required to use MongoDB storage"
 }
 }