steverhoades / oauth2-openid-connect-client
An OAuth2 OpenID Connect client that sits on top of ThePHPLeague's OAuth2 Client
License: MIT License
Hi,
I cannot actually get the aud field validated, because clientID is a string and the OpenID server sends aud as a list/array.
According to the RFC https://tools.ietf.org/html/rfc7519#section-4.1.3, aud is really string[].
Should I send a PR to validate aud against [$clientID]?
Am I the only one who experiences this issue?
Since OAuth2 Client released 2.0.0 in January, it would be good to upgrade the provider to use the latest version.
The ID Token's aud value MAY be an array:
JSON Web Token (JWT) -> 4.1.3. "aud" (Audience) Claim:
"In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value."
OpenID Connect Core 1.0 -> 3.1.3.7. ID Token Validation:
"Clients MUST validate the ID Token in the Token Response in the following manner:
[...] 3. [...] The aud (audience) Claim MAY contain an array with more than one element."
Currently the value gets validated by EqualsTo (s. OpenIDConnectProvider, L60). This leads to errors if the server provides the aud / auds as an array.
Creating a PR...
I'm having issues with some server difference in timestamps.
The IdentityProvider gives me nbf timestamps one second in the future sometimes. I can't control their clock so there should be a setting where you could give it a little tolerance, maybe a few seconds. Right now there is no way to do this without modifying the source code directly.
The \OpenIDConnectClient\OpenIDConnectProvider::getAccessToken method is not only used for exchanging the initial token, but also for obtaining the Refresh Token.
When refreshing a token, there is no ID Token included, as there is no authentication.
This is causing the getAccessToken method to fail.
https://github.com/steverhoades/oauth2-openid-connect-client/blob/master/src/OpenIDConnectProvider.php#L130
Because getAccessToken is used for refreshing, I believe the best solution would be to fall back to the standard OAuth flow and just call the parent class if the method is only used for refreshing the token (when the grant is 'refresh_token').
I think it would be better to also add the id_token to the response of the jsonSerialize method of the access token. So the received token, containing the ID token, could be stored in the session. Maybe you can add something like this to the AccessToken class:
    public function jsonSerialize()
    {
        $parameters = parent::jsonSerialize();
        // Include the raw ID Token so the serialized token can be stored (e.g. in the session) and restored later
        if ($this->idToken) {
            $parameters['id_token'] = (string)$this->idToken;
        }
        return $parameters;
    }
The method getIdTokenIssuer in OpenIDConnectProvider has no return statement, so the method returns null and the 'iss' will never be validated.
Hello
I am trying to use your library but get the error
Lcobucci\JWT\Signer\Rsa\Sha256' not found in client.php:6 S
I have tried playing around with the folder structure but no luck
The folder structure downloaded via composer does not have src in it
Please can this be fixed asap?
Cheers
Paul
The aud value is (or better: MAY be) a list. But it's from the auth server / provider perspective. The client knows only one aud value -- its client ID.
Currently (implemented in issue #11 / PR #13) the aud is an array (s. OpenIDConnectProvider, L156). It causes errors on validation, since the EqualsTo (or EqualsToOrContains) validator expects the $expectedValue to be a string.
PR (PR #17) updated.
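As an added example (not this project's code), the following plain PHP checks a decoded ID Token payload the way the aud threads above and the getIdTokenIssuer report ask for: iss compared exactly against the configured issuer, and aud accepted as either a single string or an array of strings that must contain the client's one client_id. The issuer, client IDs and payloads are constructed for the example; the function and variable names are my own.

```php
<?php
declare(strict_types=1);

/**
 * Validate the "iss" and "aud" claims of a decoded ID Token payload against
 * the issuer and client_id this relying party was configured with.
 * Returns a list of problems; an empty list means both claims are acceptable.
 */
function issuerAndAudienceProblems(array $claims, string $expectedIssuer, string $clientId): array
{
    $problems = [];

    // OpenID Connect Core 3.1.3.7 step 2: iss MUST exactly match the configured issuer.
    // Exact comparison is deliberate: "https://idp.example" and "https://idp.example/" are different issuers.
    $iss = $claims['iss'] ?? null;
    if (!is_string($iss) || $iss !== $expectedIssuer) {
        $problems[] = 'iss mismatch';
    }

    // RFC 7519 4.1.3 / OIDC Core step 3: aud is a single string or an array of strings
    // (the array form is what the issue above describes) and MUST contain our client_id.
    $aud = $claims['aud'] ?? null;
    $audiences = is_array($aud) ? array_values($aud) : [$aud];
    $allStrings = $audiences !== [] && count(array_filter($audiences, 'is_string')) === count($audiences);
    if (!$allStrings) {
        $problems[] = 'aud malformed';
    } elseif (!in_array($clientId, $audiences, true)) {
        $problems[] = 'aud does not contain client_id';
    }

    // OIDC Core steps 4-5: if azp is present it MUST equal client_id; with several audiences it SHOULD be present.
    if (array_key_exists('azp', $claims)) {
        if ($claims['azp'] !== $clientId) {
            $problems[] = 'azp mismatch';
        }
    } elseif (count($audiences) > 1) {
        $problems[] = 'azp missing although aud has several entries';
    }

    return $problems;
}

// Constructed sample payloads (no real issuer or client behind them).
$issuer = 'https://idp.example';
$single = ['iss' => $issuer, 'aud' => 'my-client'];
$multi  = ['iss' => $issuer, 'aud' => ['my-client', 'other-client'], 'azp' => 'my-client'];
$bad    = ['iss' => $issuer . '/', 'aud' => ['other-client'], 'azp' => 'other-client'];

var_dump(issuerAndAudienceProblems($single, $issuer, 'my-client'));
var_dump(issuerAndAudienceProblems($multi, $issuer, 'my-client'));
var_dump(issuerAndAudienceProblems($bad, $issuer, 'my-client'));
```

The check collects every violation instead of stopping at the first so a log line can show the whole picture; in production the caller should still reject the token as soon as the list is non-empty. Note that a validator that only does `EqualsTo` on a string, as the thread describes, rejects the array form outright, while one that does a loose `in_array` without the strict flag would accept an audience of `0` or `true` against a client ID; the strict comparison above avoids that.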
Looks like it doesn't work with PHP 8.1 - fails with this message:
{"exception":"[object] (Lcobucci\JWT\Signer\InvalidKeyProvided(code: 0): It was not possible to parse your key, reason: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length at /var/www/site/vendor/lcobucci/jwt/src/Signer/InvalidKeyProvided.php:17)
I think it's just that the Lcobucci\JWT 3.4 library is incompatible with PHP 8+, and should be upgraded to version 4.
All OpenID Connect standard-compliant servers implement .well-known endpoints for discovering the underlying endpoint URLs and public keys (multiple, for issues like rotation).
There is complexity in converting the keysets from JWK format to PEM.
If implementing discovery, provider configuration would then be at the minimum:
Note: azp should not need to match clientId or audience if the service using the client is a resource server validating the access token, as another client could be entitled to access the resource server via a matching allowedAudience.
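The JWK-to-PEM conversion the post calls out, as an added example in plain PHP (not this project's code). It encodes an RSA JWK's `n` and `e` into a DER SubjectPublicKeyInfo and wraps it as PEM, and selects the right key from a JWKS by `kid`, which is what key rotation requires. It assumes the `openssl` extension, which it uses only for the self-check: a throwaway key generated locally is turned into a constructed JWKS and converted back, and the result is compared with the PEM OpenSSL itself exports. All names (`rsaJwkToPem`, `selectJwk`, the `kid` value) are mine.

```php
<?php
declare(strict_types=1);

function base64UrlDecode(string $data): string
{
    $b64 = strtr($data, '-_', '+/');
    $decoded = base64_decode(str_pad($b64, (int) (ceil(strlen($b64) / 4) * 4), '=', STR_PAD_RIGHT), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url input');
    }
    return $decoded;
}

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Minimal DER encoders for the three shapes a SubjectPublicKeyInfo needs.
function derLength(int $length): string
{
    if ($length < 0x80) {
        return chr($length);
    }
    $bytes = ltrim(pack('N', $length), "\x00");
    return chr(0x80 | strlen($bytes)) . $bytes;
}

function derInteger(string $unsignedBigEndian): string
{
    $bytes = ltrim($unsignedBigEndian, "\x00");
    // DER INTEGER is signed: prepend 0x00 when the top bit is set so the value stays positive.
    if ($bytes === '' || (ord($bytes[0]) & 0x80) !== 0) {
        $bytes = "\x00" . $bytes;
    }
    return "\x02" . derLength(strlen($bytes)) . $bytes;
}

function derSequence(string $body): string
{
    return "\x30" . derLength(strlen($body)) . $body;
}

function derBitString(string $body): string
{
    return "\x03" . derLength(strlen($body) + 1) . "\x00" . $body; // leading 0x00: no unused bits
}

// Convert one RSA JWK (RFC 7518 "n" and "e" members) to a PEM SubjectPublicKeyInfo.
function rsaJwkToPem(array $jwk): string
{
    if (($jwk['kty'] ?? null) !== 'RSA' || !isset($jwk['n'], $jwk['e'])) {
        throw new InvalidArgumentException('Expected an RSA JWK with n and e');
    }
    $rsaPublicKey = derSequence(derInteger(base64UrlDecode($jwk['n'])) . derInteger(base64UrlDecode($jwk['e'])));
    // AlgorithmIdentifier: OID 1.2.840.113549.1.1.1 (rsaEncryption) with NULL parameters
    $algorithm = derSequence("\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00");
    $spki = derSequence($algorithm . derBitString($rsaPublicKey));
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Pick the signing key a token header points at; with rotation a JWKS holds several keys, so match on kid.
function selectJwk(array $jwks, string $kid): array
{
    foreach ($jwks['keys'] ?? [] as $key) {
        if (($key['kid'] ?? null) === $kid && ($key['use'] ?? 'sig') === 'sig') {
            return $key;
        }
    }
    throw new RuntimeException("No signing key with kid '$kid' in JWKS");
}

// Round-trip self-check with a throwaway key generated locally (no real provider involved):
// build a JWKS from it the way jwks_uri would publish it, convert back, and compare with OpenSSL's own PEM.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$details = openssl_pkey_get_details($key);
$jwks = ['keys' => [[
    'kty' => 'RSA',
    'use' => 'sig',
    'kid' => 'constructed-kid-1',
    'alg' => 'RS256',
    'n'   => base64UrlEncode($details['rsa']['n']),
    'e'   => base64UrlEncode($details['rsa']['e']),
]]];
$pem = rsaJwkToPem(selectJwk($jwks, 'constructed-kid-1'));
var_dump($pem === $details['key']);
```

Two practical points: a JWKS fetched from `jwks_uri` should be cached and refreshed when an unknown `kid` shows up, not re-downloaded for every token; and the `alg` member of the selected key should be compared with the token header's `alg` before verification, so a key published for RS256 is never used with a different algorithm.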
It seems that the latest version v0.1.2 is not available on packagist: https://packagist.org/packages/steverhoades/oauth2-openid-connect-client.
composer require steverhoades/oauth2-openid-connect-client gives me v0.1.0.
Lcobucci\JWT converts some parts of the JWT token to DateTimeImmutable objects (since this commit in 2020: lcobucci/jwt@df83ac6, which was released with v3.4 of the library), for example the exp value. ValidatorChain and GreaterOrEquals in this library then try to validate the expiration date and expect an integer, but receive a DateTimeImmutable, leading to exceptions because of the Assert::nullOrIntegerish. A DateTimeImmutable object seems not to be expected at all.
So I don't think the library can actually work in v1.0, because when checking the expiration of the token it will always throw an exception, or am I missing something?
Reference: lcobucci/jwt#72
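As an added example (not this project's code) covering both the nbf clock-skew report further up and the DateTimeImmutable report just above: a time-claim check in plain PHP that first normalises each of exp, nbf and iat to a Unix timestamp, whether it arrives as an integer or as the DateTimeImmutable that lcobucci/jwt 3.4+ produces, and then applies a configurable leeway in seconds. The timestamps and claims are constructed; the function names are mine.

```php
<?php
declare(strict_types=1);

/**
 * Normalise a time claim to a Unix timestamp. lcobucci/jwt 3.4+ hands back
 * DateTimeImmutable for exp/nbf/iat, while older versions and raw decoded JSON give integers.
 * @param int|float|string|DateTimeInterface $value
 */
function claimToTimestamp($value): int
{
    if ($value instanceof DateTimeInterface) {
        return $value->getTimestamp();
    }
    if (is_int($value)) {
        return $value;
    }
    if (is_float($value) && floor($value) === $value) {
        return (int) $value;
    }
    if (is_string($value) && ctype_digit($value)) {
        return (int) $value;
    }
    throw new InvalidArgumentException('Time claim must be an integer timestamp or a DateTimeInterface');
}

/**
 * Check exp, nbf and iat against $now with a small leeway (seconds) for clock skew
 * between this client and the identity provider. Returns the violated rules;
 * an empty list means the token is inside its validity window.
 */
function timeClaimViolations(array $claims, int $now, int $leeway = 0): array
{
    if ($leeway < 0) {
        throw new InvalidArgumentException('Leeway must be non-negative');
    }
    $violations = [];
    // RFC 7519 4.1.4: the current time MUST be before exp.
    if (array_key_exists('exp', $claims) && $now >= claimToTimestamp($claims['exp']) + $leeway) {
        $violations[] = 'expired';
    }
    // RFC 7519 4.1.5: the current time MUST be at or after nbf.
    if (array_key_exists('nbf', $claims) && $now < claimToTimestamp($claims['nbf']) - $leeway) {
        $violations[] = 'not yet valid';
    }
    // An iat in the future is the same clock-skew symptom seen from the other side.
    if (array_key_exists('iat', $claims) && $now < claimToTimestamp($claims['iat']) - $leeway) {
        $violations[] = 'issued in the future';
    }
    return $violations;
}

// Constructed sample: the IdP's clock runs one second ahead of ours, as in the nbf report above,
// and its library already converted iat/nbf to DateTimeImmutable while exp is still an integer.
$now = 1700000000;
$claims = [
    'iat' => new DateTimeImmutable('@1700000001'),
    'nbf' => new DateTimeImmutable('@1700000001'),
    'exp' => 1700000301,
];

var_dump(timeClaimViolations($claims, $now, 0));   // strict check: one second of skew is enough to reject
var_dump(timeClaimViolations($claims, $now, 5));   // with five seconds of leeway the same token passes
```

Keep the leeway in the range of a few seconds: it exists to absorb clock drift, and every second added to it also extends the life of an expired token by the same amount. Large skews are better fixed by NTP on the provider than by widening the window on every client.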
URL error 60: SSL certificate problem: self-signed certificate in certificate chain (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for some URL
A client may want to implement a token endpoint that takes an id_token as an argument from a client and verifies, validates and then returns a JSON object of the claims.
Hi,
if I run the example client I get the message "expires" is not set on the token, but there is a claim "exp" with a valid value.
Is there something broken?
I'm doing password grant and am a little stumped on how to specify scopes.
Looking at the OpenIDConnectProvider code, it looks like scopes are specified in provider options.
I've tried that but this resulted in id_token not being returned.
After digging more I found that this worked for me - specifying the scope when I call to get the access token:
    $token = $oidcClient->getAccessToken('password', [
        'username' => $ue,
        'password' => $p,
        'scope' => 'openid email username is_first_login',
    ]);
Which one is correct though? And why would I specify scopes in provider options then?