Cheetah
All Classes Namespaces Files Functions Variables Pages
JwtBearer.php
Go to the documentation of this file.
1 <?php
2 
3 namespace OAuth2\GrantType;
4 
5 use OAuth2\ClientAssertionType\ClientAssertionTypeInterface;
6 use OAuth2\Storage\JwtBearerInterface;
7 use OAuth2\Encryption\Jwt;
8 use OAuth2\Encryption\EncryptionInterface;
9 use OAuth2\ResponseType\AccessTokenInterface;
10 use OAuth2\RequestInterface;
11 use OAuth2\ResponseInterface;
12 
21 class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface
22 {
23  private $jwt;
24 
25  protected $storage;
26  protected $audience;
27  protected $jwtUtil;
28  protected $allowedAlgorithms;
29 
38  public function __construct(JwtBearerInterface $storage, $audience, EncryptionInterface $jwtUtil = null, array $config = array())
39  {
40  $this->storage = $storage;
41  $this->audience = $audience;
42 
43  if (is_null($jwtUtil)) {
44  $jwtUtil = new Jwt();
45  }
46 
47  $this->config = array_merge(array(
48  'allowed_algorithms' => array('RS256', 'RS384', 'RS512')
49  ), $config);
50 
51  $this->jwtUtil = $jwtUtil;
52 
53  $this->allowedAlgorithms = $this->config['allowed_algorithms'];
54  }
55 
64  public function getQuerystringIdentifier()
65  {
66  return 'urn:ietf:params:oauth:grant-type:jwt-bearer';
67  }
68 
77  public function validateRequest(RequestInterface $request, ResponseInterface $response)
78  {
79  if (!$request->request("assertion")) {
80  $response->setError(400, 'invalid_request', 'Missing parameters: "assertion" required');
81 
82  return null;
83  }
84 
85  // Store the undecoded JWT for later use
86  $undecodedJWT = $request->request('assertion');
87 
88  // Decode the JWT
89  $jwt = $this->jwtUtil->decode($request->request('assertion'), null, false);
90 
91  if (!$jwt) {
92  $response->setError(400, 'invalid_request', "JWT is malformed");
93 
94  return null;
95  }
96 
97  // ensure these properties contain a value
98  // @todo: throw malformed error for missing properties
99  $jwt = array_merge(array(
100  'scope' => null,
101  'iss' => null,
102  'sub' => null,
103  'aud' => null,
104  'exp' => null,
105  'nbf' => null,
106  'iat' => null,
107  'jti' => null,
108  'typ' => null,
109  ), $jwt);
110 
111  if (!isset($jwt['iss'])) {
112  $response->setError(400, 'invalid_grant', "Invalid issuer (iss) provided");
113 
114  return null;
115  }
116 
117  if (!isset($jwt['sub'])) {
118  $response->setError(400, 'invalid_grant', "Invalid subject (sub) provided");
119 
120  return null;
121  }
122 
123  if (!isset($jwt['exp'])) {
124  $response->setError(400, 'invalid_grant', "Expiration (exp) time must be present");
125 
126  return null;
127  }
128 
129  // Check expiration
130  if (ctype_digit($jwt['exp'])) {
131  if ($jwt['exp'] <= time()) {
132  $response->setError(400, 'invalid_grant', "JWT has expired");
133 
134  return null;
135  }
136  } else {
137  $response->setError(400, 'invalid_grant', "Expiration (exp) time must be a unix time stamp");
138 
139  return null;
140  }
141 
142  // Check the not before time
143  if ($notBefore = $jwt['nbf']) {
144  if (ctype_digit($notBefore)) {
145  if ($notBefore > time()) {
146  $response->setError(400, 'invalid_grant', "JWT cannot be used before the Not Before (nbf) time");
147 
148  return null;
149  }
150  } else {
151  $response->setError(400, 'invalid_grant', "Not Before (nbf) time must be a unix time stamp");
152 
153  return null;
154  }
155  }
156 
157  // Check the audience if required to match
158  if (!isset($jwt['aud']) || ($jwt['aud'] != $this->audience)) {
159  $response->setError(400, 'invalid_grant', "Invalid audience (aud)");
160 
161  return null;
162  }
163 
164  // Check the jti (nonce)
165  // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.7
166  if (isset($jwt['jti'])) {
167  $jti = $this->storage->getJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']);
168 
169  //Reject if jti is used and jwt is still valid (exp parameter has not expired).
170  if ($jti && $jti['expires'] > time()) {
171  $response->setError(400, 'invalid_grant', "JSON Token Identifier (jti) has already been used");
172 
173  return null;
174  } else {
175  $this->storage->setJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']);
176  }
177  }
178 
179  // Get the iss's public key
180  // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.1
181  if (!$key = $this->storage->getClientKey($jwt['iss'], $jwt['sub'])) {
182  $response->setError(400, 'invalid_grant', "Invalid issuer (iss) or subject (sub) provided");
183 
184  return null;
185  }
186 
187  // Verify the JWT
188  if (!$this->jwtUtil->decode($undecodedJWT, $key, $this->allowedAlgorithms)) {
189  $response->setError(400, 'invalid_grant', "JWT failed signature verification");
190 
191  return null;
192  }
193 
194  $this->jwt = $jwt;
195 
196  return true;
197  }
198 
199  public function getClientId()
200  {
201  return $this->jwt['iss'];
202  }
203 
204  public function getUserId()
205  {
206  return $this->jwt['sub'];
207  }
208 
209  public function getScope()
210  {
211  return null;
212  }
213 
220  public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
221  {
222  $includeRefreshToken = false;
223 
224  return $accessToken->createAccessToken($client_id, $user_id, $scope, $includeRefreshToken);
225  }
226 }
OAuth2\GrantType\JwtBearer
Definition: JwtBearer.php:22
OAuth2\GrantType\JwtBearer\getClientId
getClientId()
Definition: JwtBearer.php:199
$config
$config
Definition: Filter.ExtractStyleBlocks.txt:33
OAuth2\GrantType\GrantTypeInterface
Definition: GrantTypeInterface.php:13
OAuth2\RequestInterface\request
request($name, $default=null)
use
GNU LESSER GENERAL PUBLIC LICENSE February Free Software Inc Franklin Fifth MA USA Everyone is permitted to copy and distribute verbatim copies of this license but changing it is not allowed[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it By the GNU General Public Licenses are intended to guarantee your freedom to share and change free software to make sure the software is free for all its users This the Lesser General Public applies to some specially designated software packages typically libraries of the Free Software Foundation and other authors who decide to use it You can use it but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular based on the explanations below When we speak of free we are referring to freedom of use
Definition: license.txt:27
OAuth2\GrantType
Definition: AuthorizationCode.php:3
php
OAuth2\Encryption\Jwt
Definition: Jwt.php:10
OAuth2\GrantType\JwtBearer\getScope
getScope()
Definition: JwtBearer.php:209
OAuth2\GrantType\JwtBearer\__construct
__construct(JwtBearerInterface $storage, $audience, EncryptionInterface $jwtUtil=null, array $config=array())
Definition: JwtBearer.php:38
OAuth2\GrantType\JwtBearer\validateRequest
validateRequest(RequestInterface $request, ResponseInterface $response)
Definition: JwtBearer.php:77
OAuth2\ResponseType\AccessTokenInterface
Definition: AccessTokenInterface.php:10
OAuth2\ResponseInterface\setError
setError($statusCode, $name, $description=null, $uri=null)
OAuth2\GrantType\JwtBearer\getUserId
getUserId()
Definition: JwtBearer.php:204
OAuth2\GrantType\JwtBearer\getQuerystringIdentifier
getQuerystringIdentifier()
Definition: JwtBearer.php:64
time
that in the case of a Adaptation or at a minimum such credit will if a credit for all contributing authors of the Adaptation or Collection then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors For the avoidance of You may only use the credit required by this Section for the purpose of attribution in the manner set out above by exercising Your rights under this You may not implicitly or explicitly assert or imply any connection sponsorship or endorsement by the Original Licensor and or Attribution as of You or Your use of the without the express prior written permission of the Original Licensor and or Attribution Parties Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable if You Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or You must not modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author s honor or reputation Licensor agrees that in those in which any exercise of the right granted in modification or other derogatory action prejudicial to the Original Author s honor and the Licensor will waive or not as this to the fullest extent permitted by the applicable national to enable You to reasonably exercise Your right under Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN LICENSOR OFFERS THE WORK AS IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE STATUTORY OR WITHOUT WARRANTIES OF FITNESS FOR A PARTICULAR OR THE ABSENCE OF LATENT OR OTHER OR THE PRESENCE OF ABSENCE OF WHETHER OR NOT DISCOVERABLE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED SO SUCH EXCLUSION MAY NOT APPLY TO YOU Limitation on Liability EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Termination This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License Individuals or entities who have received Adaptations or Collections from You under this will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses and will survive any termination of this License Subject to the above terms and the license granted here is Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time
Definition: license.txt:56
OAuth2\ResponseInterface
Definition: ResponseInterface.php:12
OAuth2\ClientAssertionType\ClientAssertionTypeInterface
Definition: ClientAssertionTypeInterface.php:12
OAuth2\ResponseType\AccessTokenInterface\createAccessToken
createAccessToken($client_id, $user_id, $scope=null, $includeRefreshToken=true)
OAuth2\GrantType\JwtBearer\$audience
$audience
Definition: JwtBearer.php:26
OAuth2\RequestInterface
Definition: RequestInterface.php:6
OAuth2\Storage\JwtBearerInterface
Definition: JwtBearerInterface.php:16
OAuth2\GrantType\JwtBearer\$allowedAlgorithms
$allowedAlgorithms
Definition: JwtBearer.php:28
OAuth2\GrantType\JwtBearer\$storage
$storage
Definition: JwtBearer.php:25
OAuth2\GrantType\JwtBearer\createAccessToken
createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
Definition: JwtBearer.php:220
OAuth2\GrantType\JwtBearer\$jwtUtil
$jwtUtil
Definition: JwtBearer.php:27
OAuth2\Encryption\EncryptionInterface
Definition: EncryptionInterface.php:6
Generated by doxygen 1.8.20