
Commit 4b45fbb

committed
updating token handling
1 parent c4e2a22 commit 4b45fbb

1 file changed

Lines changed: 33 additions & 26 deletions


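--- a/src/Utils/DPop.php
+++ b/src/Utils/DPop.php
@@ -2,9 +2,14 @@
 
 namespace Pdsinterop\Solid\Auth\Utils;
 
-use Lcobucci\JWT\Parser;
-use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\ValidationData;
+use Lcobucci\JWT\Configuration;
+use Lcobucci\Clock\Clock;
+use DateTimeImmutable;
+use DateInterval;
+use Lcobucci\JWT\Signer\Key\InMemory;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
+use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
+
 use Jose\Component\Core\JWK;
 use Jose\Component\Core\Util\ECKey;
 use Jose\Component\Core\Util\RSAKey;
@@ -37,20 +42,20 @@ public function getDpopKey($dpop, $request) {
 //error_log("11");
 $this->validateDpop($dpop, $request);
 //error_log("22");
-
-$parser = new \Lcobucci\JWT\Parser();
+
 // 1. the string value is a well-formed JWT,
-$dpop = $parser->parse($dpop);
-$jwk = $dpop->getHeader("jwk");
+$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+$dpop = $jwtConfig->parser()->parse($dpop);
+$jwk = $dpop->headers()->get("jwk");
 //error_log(print_r($jwk, true));
 
 return $jwk->kid;
 }
 
 private function validateJwtDpop($jwt, $dpopKey) {
-$parser = new \Lcobucci\JWT\Parser();
-$jwt = $parser->parse($jwt);
-$cnf = $jwt->getClaim("cnf");
+$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+$jwt = $jwtConfig->parser()->parse($jwt);
+$cnf = $jwt->claims()->get("cnf");
 
 if ($cnf->jkt == $dpopKey) {
 //error_log("dpopKey matches");
@@ -88,17 +93,16 @@ private function validateDpop($dpop, $request) {
 received previously (see Section 9.1).
 */
 //error_log("1");
-
-$parser = new \Lcobucci\JWT\Parser();
 // 1. the string value is a well-formed JWT,
-$dpop = $parser->parse($dpop);
+$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+$dpop = $jwtConfig->parser()->parse($dpop);
 
 //error_log("2");
 // 2. all required claims are contained in the JWT,
-$htm = $dpop->getClaim("htm"); // http method
-$htu = $dpop->getClaim("htu"); // http uri
-$typ = $dpop->getHeader("typ");
-$alg = $dpop->getHeader("alg");
+$htm = $dpop->claims()->get("htm"); // http method
+$htu = $dpop->claims()->get("htu"); // http uri
+$typ = $dpop->headers()->get("typ");
+$alg = $dpop->headers()->get("alg");
 
 //error_log("3");
 // 3. the "typ" field in the header has the value "dpop+jwt",
@@ -117,7 +121,7 @@ private function validateDpop($dpop, $request) {
 //error_log("5");
 // 5. that the JWT is signed using the public key contained in the
 // "jwk" header of the JWT,
-$jwk = $dpop->getHeader("jwk");
+$jwk = $dpop->headers()->get("jwk");
 $webTokenJwk = \Jose\Component\Core\JWK::createFromJson(json_encode($jwk));
 switch ($alg) {
 case "RS256":
@@ -132,8 +136,9 @@ private function validateDpop($dpop, $request) {
 throw new \Exception("unsupported algorithm");
 break;
 }
-$key = new \Lcobucci\JWT\Signer\Key($pem);
-if (!$dpop->verify($signer, $key)) {
+$key = InMemory::plainText($pem);
+$jwtConfig = Configuration::forSymmetricSigner($signer, InMemory::plainText($pem));
+if (!$jwtConfig->validator()->validate($dpop, $jwtConfig->validationConstraints())) {
 throw new \Exception("invalid signature");
 }
 
@@ -162,9 +167,10 @@ private function validateDpop($dpop, $request) {
 
 //error_log("8");
 // 8. the token was issued within an acceptable timeframe (see Section 9.1), and
-$leeway = 5; // allow 5 seconds clock skew
-$validationData = new ValidationData(time() + $leeway); // It will use the current time to validate (iat, nbf and exp)
-if (!$dpop->validate($validationData)) {
+$leeway = new \DateInterval("PT5S"); // allow 5 seconds clock skew
+$clock = new Clock(new \DateTimeImmutable());
+$constraint = new LooseValidAt($clock, $leeway); // It will use the current time to validate (iat, nbf and exp)
+if (!$constraint->asset($dpop)) {
 throw new \Exception("token timing is invalid");
 }
 
@@ -176,14 +182,15 @@ private function validateDpop($dpop, $request) {
 }
 
 private function getSubjectFromJwt($jwt) {
-$parser = new \Lcobucci\JWT\Parser();
+$jwtConfig = $configuration = Configuration::forUnsecuredSigner();
+$jwt = $jwtConfig->parser()->parse($jwt);
 try {
-$jwt = $parser->parse($jwt);
+$jwt = $jwtConfig->parser()->parse($jwt);
 } catch(\Exception $e) {
 return $this->server->getResponse()->withStatus(409, "Invalid JWT token");
 }
 
-$sub = $jwt->getClaim("sub");
+$sub = $jwt->claims()->get("sub");
 return $sub;
 }
 }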
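Review bot: The signature check at new line 141 no longer verifies the DPoP proof: the `Configuration::forSymmetricSigner()` built on line 140 never has `setValidationConstraints()` called, so `validationConstraints()` is empty and `validate()` either passes with no checks or throws `NoConstraintsGiven` depending on the lcobucci/jwt 4.x release — the removed `$dpop->verify($signer, $key)` has no replacement, and the `$key` on line 139 is unused. Pass an explicit `SignedWith($signer, InMemory::plainText($pem))` constraint to the validator obtained from the `$jwtConfig` already created on line 97 instead. The timing check in the later hunk (new lines 171–173) has two further defects: `Lcobucci\Clock\Clock` is an interface, so `new Clock(...)` cannot be instantiated (use `SystemClock::fromUTC()` or `FrozenClock` for tests), and `asset()` is a typo for `assert()`, which returns void and throws `ConstraintViolation` rather than a bool, so the `if` cannot work as written. Note also that the v4 parser decodes headers and claims to arrays, so `$jwk->kid` (new line 52) and `$cnf->jkt` (new line 60) in the earlier hunks would likely read `null`, and with the loose `==` the cnf/jkt binding check could then pass vacuously — confirm against the installed version. validateDpop's body starts and ends outside these hunks.
```php
// … unchanged: switch ($alg) selecting $signer and $pem …
$signedWith = new \Lcobucci\JWT\Validation\Constraint\SignedWith($signer, InMemory::plainText($pem));
if (!$jwtConfig->validator()->validate($dpop, $signedWith)) {
    throw new \Exception("invalid signature");
}

// … unchanged: steps 6 and 7 …
$leeway = new \DateInterval("PT5S"); // allow 5 seconds clock skew
$clock = \Lcobucci\Clock\SystemClock::fromUTC();
$constraint = new LooseValidAt($clock, $leeway); // validates iat, nbf and exp against the current time
if (!$jwtConfig->validator()->validate($dpop, $constraint)) {
    throw new \Exception("token timing is invalid");
}
```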
