
oauth2-openid-connect-client's Issues

Upgrade to oauth2-client 2.x

Since Oauth2 Client released 2.0.0 in January, it would be good to upgrade the provider to use the latest version.

The aud validation breaks the specs

The ID Token's aud value MAY be an array:

JSON Web Token (JWT) -> 4.1.3. "aud" (Audience) Claim:

"In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value."

OpenID Connect Core 1.0 -> 3.1.3.7. ID Token Validation

"Clients MUST validate the ID Token in the Token Response in the following manner:
[...] 3. [...] The aud (audience) Claim MAY contain an array with more than one element."

Currently the value gets validated by the EqualsTo (s. OpenIDConnectProvider, L60). This leads to errors if the server provides the aud / auds as an array.

Creating a PR...

nbf should have some tolerance

I'm having issues with some server difference in timestamps.

The IdentityProvider gives me nbf timestamps one second in the future sometimes. I can't control their clock so there should be a setting where you could give it a little tolerance, maybe a few seconds. Right now there is no way to do this without modifying the source code directly.

getAccessToken fails when refreshing a token

The \OpenIDConnectClient\OpenIDConnectProvider::getAccessToken method is not only used for exchanging the initial token, but also for obtaining the Refresh Token.
When refreshing a token, there is no ID Token included, as there is no authentication.

This is causing the getAccessToken method to fail.
https://github.com/steverhoades/oauth2-openid-connect-client/blob/master/src/OpenIDConnectProvider.php#L130

Because getAccessToken is used for refreshing, I believe the best solution would be to fall back to the standard OAuth flow
and just call the parent class method if the method is only used for refreshing the token (when the grant is 'refresh_token').

AccessToken missing id_token in jsonSerialize

I think it would be better to add the id_token also to the response of the jsonSerialize method of the access token. So the received token, containing the id token, could be stored in the session. Maybe you can add something like this to the AccessToken class:

public function jsonSerialize()
{
    // Start from the parent's serialized parameters (access_token, expires, etc.).
    $parameters = parent::jsonSerialize();
    // Include the ID Token when one was received, so it survives a round trip through the session.
    if ($this->idToken) {
        $parameters['id_token'] = (string)$this->idToken;
    }

    return $parameters;
}

Missing return

The method getIdTokenIssuer in OpenIDConnectProvider has no return statement, so the method returns null and the 'iss' will never be validated.

Class Not Found

Hello

I am trying to use your library but get the error

Lcobucci\JWT\Signer\Rsa\Sha256' not found in client.php:6 S

I have tried playing around with the folder structure but no luck

The folder structure downloaded via composer does not have src in it

Please can this be fixed asap?

Cheers

Paul

The aud value is a list

The aud value is (or better: MAY be) a list. But that is from the auth server / provider perspective. The client knows only one aud value -- its client ID.

Currently (implemented in the issue #11 / pr #13) the aud is an array (s. OpenIDConnectProvider, L156). It causes errors on validation, since the EqualsTo (or EqualsToOrContains) validator expects the $expectedValue to be a string.

PR (pr #17) updated.
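The two aud issues above (the claim MAY be an array; the client knows only its own client ID) come down to one check from OpenID Connect Core 1.0 section 3.1.3.7. The following is an added example, not the library's code, showing that check over a decoded ID Token payload ($claims and the sample payloads are constructed here):

```php
<?php
// Added example (not the library's code): validate the ID Token "aud" claim as
// OpenID Connect Core 1.0 section 3.1.3.7 describes, accepting both the single
// string form and the array form. $claims is the decoded ID Token payload.

function validateAudience(array $claims, string $clientId): bool
{
    if (!array_key_exists('aud', $claims)) {
        return false; // aud is REQUIRED in an ID Token
    }
    $aud = $claims['aud'];
    // Normalise the single-string form to the array form used in the general case.
    $audiences = is_array($aud) ? $aud : [$aud];
    foreach ($audiences as $value) {
        if (!is_string($value)) {
            return false; // every entry must be a StringOrURI
        }
    }
    // The client_id MUST be one of the audiences; strict, case-sensitive comparison.
    if (!in_array($clientId, $audiences, true)) {
        return false;
    }
    $hasAzp = array_key_exists('azp', $claims);
    // With multiple audiences the client SHOULD verify that azp is present, and if
    // azp is present its value SHOULD be this client's client_id (steps 4 and 5).
    if (count($audiences) > 1 && !$hasAzp) {
        return false;
    }
    if ($hasAzp && $claims['azp'] !== $clientId) {
        return false;
    }
    return true;
}

// Constructed sample payloads (not real tokens).
$single = ['iss' => 'https://idp.example', 'aud' => 'my-client', 'sub' => '42'];
$multi  = ['iss' => 'https://idp.example', 'aud' => ['my-client', 'other-client'],
           'azp' => 'my-client', 'sub' => '42'];
$wrong  = ['iss' => 'https://idp.example', 'aud' => ['other-client'],
           'azp' => 'other-client', 'sub' => '42'];

var_dump(validateAudience($single, 'my-client'));
var_dump(validateAudience($multi, 'my-client'));
var_dump(validateAudience($wrong, 'my-client'));
```

A resource server validating tokens for several clients (the allowedAudience case raised in the discovery issue) would relax the azp comparison; the check above is written from the relying party's point of view.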

Doesn't work with php 8.1

Looks like it doesn't work with php 8.1 - fails with this message:

{"exception":"[object] (Lcobucci\JWT\Signer\InvalidKeyProvided(code: 0): It was not possible to parse your key, reason: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length at /var/www/site/vendor/lcobucci/jwt/src/Signer/InvalidKeyProvided.php:17)

I think it's just that the Lcobucci\JWT 3.4 library is incompatible with php 8+ -> and should be upgraded to version 4.

Support OpenID Connect Discovery to pull in endpoint urls and keysets

All OpenID Connect standard compliant servers implement .well-known endpoints for discovering underlying endpoint urls and public keys (multiple for issues like rotation).

There is complexity in converting the keysets from JWK format to PEM.

If implementing discovery, provider configuration would then be at the minimum:

  • issuerUrl - The url of the IdP, which underneath sits .well-known/openid-configuration
  • clientId - (if authenticating, not required for validation if allowedAudience supplied)
  • clientSecret - (if the IdP server requires it for authenticating)
  • allowedAudience - (optional for validation, matching either the string aud claim, or if aud claim is an array, one of the array entries)

Note: azp should not need to match clientId or audience if the service using the client is a resource server validating the access token, as another client could be entitled to access the resource server via a matching allowedAudience.
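Before any discovered endpoint or key set is trusted, the document itself has to be checked. The following is an added example, not the library's code, with the checks a client should apply to a discovery document; the document is a constructed sample, and a real client would fetch it over TLS from issuerUrl followed by /.well-known/openid-configuration:

```php
<?php
// Added example (not the library's code): parse an OpenID Connect Discovery
// document and apply the checks a client should make before using its endpoints.

function parseDiscoveryDocument(string $issuerUrl, string $json): array
{
    $doc = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    // Discovery 1.0 section 4.3: the issuer value MUST be identical to the issuer
    // URL used to retrieve the document. This stops a substituted document from
    // pointing the client at someone else's token endpoint and signing keys.
    if (($doc['issuer'] ?? null) !== $issuerUrl) {
        throw new RuntimeException('issuer mismatch in discovery document');
    }
    $config = [];
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $field) {
        $url = $doc[$field] ?? null;
        // Codes, tokens and keys must only travel over https.
        if (!is_string($url) || parse_url($url, PHP_URL_SCHEME) !== 'https') {
            throw new RuntimeException("$field missing or not https");
        }
        $config[$field] = $url;
    }
    // Keep only asymmetric signing algorithms this client verifies; "none" is never
    // acceptable even if the server advertises it.
    $advertised = $doc['id_token_signing_alg_values_supported'] ?? [];
    $config['alg'] = array_values(array_intersect($advertised, ['RS256', 'ES256']));
    if ($config['alg'] === []) {
        throw new RuntimeException('no acceptable id_token signing algorithm');
    }
    return $config;
}

// Constructed sample document (not from a real IdP).
$issuer = 'https://idp.example';
$sample = json_encode([
    'issuer'                                => $issuer,
    'authorization_endpoint'                => $issuer . '/authorize',
    'token_endpoint'                        => $issuer . '/token',
    'jwks_uri'                              => $issuer . '/keys',
    'id_token_signing_alg_values_supported' => ['RS256', 'none'],
]);
print_r(parseDiscoveryDocument($issuer, $sample));
```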

Expiration date leads to exception because of DateTimeImmutable object

Lcobucci\JWT converts some parts of the JWT token to DateTimeImmutable objects (since this commit in 2020: lcobucci/jwt@df83ac6, which was released with v3.4 of the library), for example the exp value. ValidatorChain and GreaterOrEquals in this library then try to validate the expiration date and expect an integer, but receive a DateTimeImmutable, leading to exceptions because of the Assert::nullOrIntegerish. A DateTimeImmutable object seems to not be expected at all.

So I don't think the library can actually work in v1.0, because when checking the expiration of the token it will always throw an exception, or am I missing something?
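The nbf tolerance issue and the DateTimeImmutable issue above both concern the time claims. The following is an added example, not the library's code, of a time-claim check that accepts either the integer NumericDate form or the DateTimeImmutable objects lcobucci/jwt 3.4+ produces, with a configurable clock-skew tolerance ($leeway, in seconds, and the sample claims are constructed here):

```php
<?php
// Added example (not the library's code): validate exp / nbf / iat with a
// clock-skew tolerance, accepting integer claims or DateTimeImmutable objects.

function claimToTimestamp($value): ?int
{
    if ($value instanceof DateTimeInterface) {
        return $value->getTimestamp();
    }
    if (is_int($value) || (is_string($value) && ctype_digit($value))) {
        return (int) $value;
    }
    return null; // absent, or not a NumericDate
}

function validateTimeClaims(array $claims, int $now, int $leeway = 0): array
{
    $errors = [];
    $exp = claimToTimestamp($claims['exp'] ?? null);
    $nbf = claimToTimestamp($claims['nbf'] ?? null);
    $iat = claimToTimestamp($claims['iat'] ?? null);

    // exp is REQUIRED in an ID Token; reject once the current time passes exp + leeway.
    if ($exp === null) {
        $errors[] = 'exp missing or not a NumericDate';
    } elseif ($now >= $exp + $leeway) {
        $errors[] = 'token expired';
    }
    // nbf is optional; a token dated slightly in the future (within leeway) is accepted.
    if ($nbf !== null && $now + $leeway < $nbf) {
        $errors[] = 'token not yet valid';
    }
    // iat is REQUIRED; a token claiming to be issued after now (plus leeway) is rejected.
    if ($iat === null) {
        $errors[] = 'iat missing or not a NumericDate';
    } elseif ($iat > $now + $leeway) {
        $errors[] = 'token issued in the future';
    }
    return $errors; // an empty array means every time claim is acceptable
}

// Constructed sample: nbf one second ahead of the client clock, as in the nbf issue.
$now = 1700000000;
$claims = [
    'iat' => new DateTimeImmutable('@' . $now),
    'nbf' => $now + 1,
    'exp' => new DateTimeImmutable('@' . ($now + 300)),
];
var_dump(validateTimeClaims($claims, $now, 0)); // no tolerance
var_dump(validateTimeClaims($claims, $now, 5)); // five seconds of tolerance
```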

ID Token Verify method on Provider

A client may want to implement a token endpoint that takes an id_token as an argument from a client and verifies, validates and then returns a JSON object of the claims.

Is this the correct way to specify scopes for password grant?

I'm doing password grant and a little stumped on how to specify scopes.
Looking at the OpenIDConnectProvider code, it looks like scopes are specified in provider options.
I've tried that but this resulted in id_token not being returned.

After digging more I found that this worked for me - specifying them when I call to get the access token:

    $token = $oidcClient->getAccessToken('password', [
        'username' => $ue,
        'password' => $p,
        'scope'    => 'openid email username is_first_login',
    ]);

Which one is correct, though? And why would I specify scopes in provider options then?
