
OIDC Userinfo: Added additional tests to cover jwks usage

This commit is contained in:
Dan Brown
2024-04-19 15:05:00 +01:00
parent b18cee3dc4
commit 0958909cd9
3 changed files with 73 additions and 8 deletions


@@ -59,7 +59,7 @@ class OidcJwtWithClaims implements ProvidesClaims
*
* @throws OidcInvalidTokenException
*/
protected function validateCommonTokenDetails(): bool
public function validateCommonTokenDetails(): bool
{
$this->validateTokenStructure();
$this->validateTokenSignature();
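Review bot: validateCommonTokenDetails() is now the public entry point that external callers use for the whole token check, so its docblock (which starts above this hunk and only shows `@throws OidcInvalidTokenException` here) should say what that check covers. The visible body runs validateTokenStructure() and validateTokenSignature(); if it also calls the now-protected validateCommonClaims() further down, that belongs in the description too, since callers will rely on this single call. A suggested first docblock line: `Validate the token's structure, signature and common claims, throwing on any failure.` — drop the claims part if the body past the hunk does not call validateCommonClaims(). The method body continues outside the hunk.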
@@ -151,7 +151,7 @@ class OidcJwtWithClaims implements ProvidesClaims
*
* @throws OidcInvalidTokenException
*/
public function validateCommonClaims(): void
protected function validateCommonClaims(): void
{
// 1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
// MUST exactly match the value of the iss (issuer) Claim.


@@ -20,11 +20,6 @@ class OidcUserinfoResponse implements ProvidesClaims
$this->jwt = new OidcJwtWithClaims($response->getBody()->getContents(), $issuer, $keys);
$this->claims = $this->jwt->getAllClaims();
}
// TODO - Response validation (5.3.4):
// TODO - Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
// TODO - If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
// TODO - If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
}
/**
@@ -33,7 +28,7 @@ class OidcUserinfoResponse implements ProvidesClaims
public function validate(string $idTokenSub): bool
{
if (!is_null($this->jwt)) {
$this->jwt->validateCommonClaims();
$this->jwt->validateCommonTokenDetails();
}
$sub = $this->getClaim('sub');
@@ -49,6 +44,14 @@ class OidcUserinfoResponse implements ProvidesClaims
throw new OidcInvalidTokenException("Subject value provided in the userinfo endpoint does not match the provided ID token value");
}
// Spec v1.0 5.3.4 Defines the following:
// Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
// This is effectively done as part of the HTTP request we're making through CURLOPT_SSL_VERIFYHOST on the request.
// If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
// We don't currently support JWT encryption for OIDC
// If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
// This is done as part of the validateCommonClaims above.
return true;
}
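Review bot: The last comment line of the added block still attributes the JWS signature check to `validateCommonClaims`, but the call that validate() now makes is `validateCommonTokenDetails()`, and the first file's hunk shows that method is the one running validateTokenStructure() and validateTokenSignature(), while validateCommonClaims() has become protected. Change the line to `// This is done as part of the validateCommonTokenDetails() call above (structure and signature checks).` so the next reader is not sent to a method that is no longer reachable from here. Worth stating in the same comment that the signature is only checked when the response parsed as a JWT ($this->jwt non-null), which matches the spec's SHOULD-if-signed wording; a plain-JSON userinfo response gets only the sub comparison. The hunk's trailing context may extend past the visible lines.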