Merge pull request #6 from pdsinterop/code-cleanup

Added token generation code to support id_token

Author: ylebre

src/Config/Server.php

@@ -56,9 +56,21 @@ final public function __construct(array $data, bool $strict = false)
     {
         $data = array_merge([
             OidcMeta::ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED => ['RS256'],
-            OidcMeta::RESPONSE_TYPES_SUPPORTED => \Pdsinterop\Solid\Auth\Enum\OAuth2\ResponseType::CODE_ID_TOKEN_TOKEN,
             OidcMeta::SUBJECT_TYPES_SUPPORTED =>  ['public'],
-        ], $data);
+			OidcMeta::RESPONSE_TYPES_SUPPORTED => array("code","code token","code id_token","id_token code","id_token","id_token token","code id_token token","none"),
+			OidcMeta::TOKEN_TYPES_SUPPORTED => array("legacyPop","dpop"),
+			OidcMeta::RESPONSE_MODES_SUPPORTED => array("query","fragment"),
+			OidcMeta::GRANT_TYPES_SUPPORTED => array("authorization_code","implicit","refresh_token","client_credentials"),
+			OidcMeta::TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED => "client_secret_basic",
+			OidcMeta::TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED => ["RS256"],
+			OidcMeta::DISPLAY_VALUES_SUPPORTED => [],
+			OidcMeta::CLAIM_TYPES_SUPPORTED => ["normal"],
+			OidcMeta::CLAIMS_SUPPORTED => [],
+			OidcMeta::CLAIMS_PARAMETER_SUPPORTED => false,
+			OidcMeta::REQUEST_PARAMETER_SUPPORTED => true,
+			OidcMeta::REQUEST_URI_PARAMETER_SUPPORTED => false,
+			OidcMeta::REQUIRE_REQUEST_URI_REGISTRATION => false
+		], $data);
 
         $this->data = array_filter($data, [OidcMeta::class, 'has'], ARRAY_FILTER_USE_KEY);
         $this->strict = $strict;

src/Entity/Scope.php

@@ -10,4 +10,8 @@ class Scope implements ScopeEntityInterface
 {
     use EntityTrait;
     use ScopeTrait;
+	
+	public function getIdentifier() {
+		return "openid";
+	}
 }

src/Enum/OpenId/OpenIdConnectMetadata.php

@@ -204,4 +204,9 @@ class OpenIdConnectMetadata extends AbstractEnum
      * JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included.
      */
     public const USERINFO_SIGNING_ALG_VALUES_SUPPORTED = 'userinfo_signing_alg_values_supported';
+	
+	/* FIXME: Solid types here */
+	public const TOKEN_TYPES_SUPPORTED = 'token_types_supported';
+	public const CHECK_SESSION_IFRAME = 'check_session_iframe';
+	public const END_SESSION_ENDPOINT = 'end_session_endpoint';
 }

src/Factory/ConfigFactory.php

@@ -47,6 +47,7 @@ final public function create() : Config
         $grantTypes = [
             GrantType::AUTH_CODE,
             GrantType::CLIENT_CREDENTIALS,
+            GrantType::IMPLICIT,
             GrantType::REFRESH_TOKEN,
         ];
 

src/Factory/GrantTypeFactory.php

@@ -8,6 +8,7 @@
 use League\OAuth2\Server\Grant\AuthCodeGrant;
 use League\OAuth2\Server\Grant\ClientCredentialsGrant;
 use League\OAuth2\Server\Grant\GrantTypeInterface;
+use League\OAuth2\Server\Grant\ImplicitGrant;
 use League\OAuth2\Server\Grant\RefreshTokenGrant;
 use Pdsinterop\Solid\Auth\Config\Expiration;
 use Pdsinterop\Solid\Auth\Enum\OAuth2\GrantType;
@@ -52,6 +53,10 @@ final public function createGrantType(string $grantType) : GrantTypeInterface
                 $grant = $this->createClientCredentialsGrant();
                 break;
 
+            case GrantType::IMPLICIT:
+                $grant = $this->createImplicitGrant($expiration->forAccessToken());
+                break;
+
             case GrantType::REFRESH_TOKEN:
                 $grant = $this->createRefreshTokenGrant($factory);
                 break;
@@ -88,6 +93,11 @@ private function createAuthCodeGrant(RepositoryFactory $factory, DateInterval $e
         );
     }
 
+    private function createImplicitGrant(DateInterval $expiration) : ImplicitGrant
+    {
+        return new ImplicitGrant($expiration);
+    }
+
     private function createRefreshTokenGrant(RepositoryFactory $factory) : RefreshTokenGrant
     {
         return new RefreshTokenGrant(

src/Repository/AccessToken.php

@@ -25,7 +25,13 @@ public function getNewToken(
         array $scopes,
         $userIdentifier = null
     ) : AccessTokenEntityInterface {
-        return new AccessTokenEntity($clientEntity);
+
+		$accessToken = new AccessTokenEntity($clientEntity);
+		$accessToken->setUserIdentifier($userIdentifier);
+		foreach ($scopes as $scope) {
+			$accessToken->addScope(new \Pdsinterop\Solid\Auth\Entity\Scope($scope));
+		}
+		return $accessToken;
     }
 
     /**

src/TokenGenerator.php

@@ -0,0 +1,142 @@
+<?php declare(strict_types=1);
+
+namespace Pdsinterop\Solid\Auth;
+
+use Pdsinterop\Solid\Auth\Utils\Jwks;
+use Pdsinterop\Solid\Auth\Enum\OpenId\OpenIdConnectMetadata as OidcMeta;
+
+class TokenGenerator
+{
+    ////////////////////////////// CLASS PROPERTIES \\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
+    /** @var Config */
+    public $config;
+
+    //////////////////////////////// PUBLIC API \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
+    final public function __construct(
+        Config $config
+    ) {
+        $this->config = $config;
+    }
+	
+	public function generateRegistrationAccessToken($clientId, $privateKey) {
+		$issuer = $this->config->getServer()->get(OidcMeta::ISSUER);
+
+		// Create JWT
+		$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
+		$keychain = new \Lcobucci\JWT\Signer\Keychain();				
+		$builder = new \Lcobucci\JWT\Builder();
+		$token = $builder
+			->setIssuer($issuer)
+            ->permittedFor($clientId)
+			->set("sub", $clientId)
+			->sign($signer, $keychain->getPrivateKey($privateKey))
+			->getToken();
+		return $token->__toString();
+	}
+		
+	public function generateIdToken($accessToken, $clientId, $subject, $nonce, $privateKey) {
+		$issuer = $this->config->getServer()->get(OidcMeta::ISSUER);
+
+        $jwks = $this->getJwks();
+		$tokenHash = $this->generateTokenHash($accessToken);
+
+		// Create JWT
+		$signer = new \Lcobucci\JWT\Signer\Rsa\Sha256();
+		$keychain = new \Lcobucci\JWT\Signer\Keychain();
+		$builder = new \Lcobucci\JWT\Builder();
+		$token = $builder
+			->setIssuer($issuer)
+            ->permittedFor($clientId)
+			->setIssuedAt(time())
+			->setNotBefore(time() - 1)
+			->setExpiration(time() + 14*24*60*60)
+			->set("azp", $clientId)
+			->set("sub", $subject)
+			->set("jti", $this->generateJti())
+			->set("nonce", $nonce)
+			->set("at_hash", $tokenHash) //FIXME: at_hash should only be added if the response_type is a token
+			->set("c_hash", $tokenHash) // FIXME: c_hash should only be added if the response_type is a code
+			->set("cnf", array(
+				"jwk" => $jwks['keys'][0]
+			))
+			->withHeader('kid', $jwks['keys'][0]['kid'])
+			->sign($signer, $keychain->getPrivateKey($privateKey))
+			->getToken();
+		return $token->__toString();
+	}
+	
+	public function respondToRegistration($registration, $privateKey) {
+		/*
+			Expects in $registration:
+			client_id
+			client_id_issued_at
+			redirect_uris
+			registration_client_uri
+		*/
+		$registration_access_token = $this->generateRegistrationAccessToken($registration['client_id'], $privateKey);
+
+		$registrationBase = array(
+			'response_types' => array("id_token token"),
+			'grant_types' => array("implicit"),
+			'application_type' => 'web',
+			'id_token_signed_response_alg' => "RS256",
+			'token_endpoint_auth_method' => 'client_secret_basic',
+			'registration_access_token' => $registration_access_token,
+		);
+		
+		return array_merge($registrationBase, $registration);
+	}
+	
+	public function addIdTokenToResponse($response, $clientId, $subject, $nonce, $privateKey) {
+			if ($response->hasHeader("Location")) {
+			$value = $response->getHeaderLine("Location");
+			if (preg_match("/#access_token=(.*?)&/", $value, $matches)) {
+				$idToken = $this->generateIdToken(
+					$matches[1],
+					$clientId,
+					$subject,
+					$nonce,
+					$privateKey
+				);
+				$value = preg_replace("/#access_token=(.*?)&/", "#access_token=\$1&id_token=$idToken&", $value);				
+				$response = $response->withHeader("Location", $value);
+			} else if (preg_match("/code=(.*?)&/", $value, $matches)) {
+				$idToken = $this->generateIdToken(
+					$matches[1],
+					$clientId,
+					$subject,
+					$nonce,
+					$privateKey
+				);
+				$value = preg_replace("/code=(.*?)&/", "code=\$1&id_token=$idToken&", $value);
+				$response = $response->withHeader("Location", value);				
+			}
+		}
+		return $response;
+	}
+	///////////////////////////// HELPER FUNCTIONS \\\\\\\\\\\\\\\\\\\\\\\\\\\\\
+
+	private function generateJti() {
+		return substr(md5((string)time()), 12); // FIXME: generate unique jti values
+	}
+	
+	private function generateTokenHash($accessToken) {
+		$atHash = hash('sha256', $accessToken);
+		$atHash = substr($atHash, 0, 32);
+		$atHash = hex2bin($atHash);
+		$atHash = base64_encode($atHash);
+		$atHash = rtrim($atHash, '=');
+		$atHash = str_replace('/', '_', $atHash);
+		$atHash = str_replace('+', '-', $atHash);
+
+		return $atHash;
+	}
+
+	private function getJwks() {
+        $key = $this->config->getKeys()->getPublicKey();
+        $jwks = new Jwks($key);
+		return json_decode($jwks->__toString(), true);
+	}
+}

src/Utils/Jwks.php

@@ -47,6 +47,7 @@ private function createKey(string $certificate, $subject) : array
             JwkParameter::KEY_TYPE => 'RSA',
             RsaParameter::PUBLIC_EXPONENT => 'AQAB', // Hard-coded as `Base64Url::encode($keyInfo['rsa']['e'])` tends to be empty...
             RsaParameter::PUBLIC_MODULUS => Base64Url::encode($subject),
+            JwkParameter::KEY_OPERATIONS => array("verify"),
         ];
     }