X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/7d7cd32ca72397b635f7be597ad467ca27cffe6e..refs/pull/5312/head:/app/Access/Oidc/OidcUserinfoResponse.php
diff --git a/app/Access/Oidc/OidcUserinfoResponse.php b/app/Access/Oidc/OidcUserinfoResponse.php
index 7c7760434..9aded654e 100644
--- a/app/Access/Oidc/OidcUserinfoResponse.php
+++ b/app/Access/Oidc/OidcUserinfoResponse.php
@@ -7,25 +7,30 @@ use Psr\Http\Message\ResponseInterface;
 class OidcUserinfoResponse implements ProvidesClaims
 {
     protected array $claims = [];
+    protected ?OidcJwtWithClaims $jwt = null;
 
-    public function __construct(ResponseInterface $response)
+    public function __construct(ResponseInterface $response, string $issuer, array $keys)
     {
-        if ($response->getHeader('Content-Type')[0] === 'application/json') {
+        $contentType = $response->getHeader('Content-Type')[0];
+        if ($contentType === 'application/json') {
             $this->claims = json_decode($response->getBody()->getContents(), true);
         }
 
-        // TODO - Support JWTs
-        // TODO - Response validation (5.3.4):
-        // TODO - Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
-        // TODO - If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
-        // TODO - If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
+        if ($contentType === 'application/jwt') {
+            $this->jwt = new OidcJwtWithClaims($response->getBody()->getContents(), $issuer, $keys);
+            $this->claims = $this->jwt->getAllClaims();
+        }
     }
 
     /**
      * @throws OidcInvalidTokenException
      */
-    public function validate(string $idTokenSub): bool
+    public function validate(string $idTokenSub, string $clientId): bool
     {
+        if (!is_null($this->jwt)) {
+            $this->jwt->validateCommonTokenDetails($clientId);
+        }
+
         $sub = $this->getClaim('sub');
 
         // Spec: v1.0 5.3.2: The sub (subject) Claim MUST always be returned in the UserInfo Response.
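Review bot: The Content-Type check in the constructor is a strict comparison against the raw first header value, so a response declaring `application/jwt; charset=utf-8` (or one with no Content-Type header at all, where `[0]` on the empty array from `getHeader()` warns and yields null) matches neither branch and leaves `$claims` empty, which only surfaces later when `validate()` looks for `sub`. Normalising the media type once, e.g. `$contentType = strtolower(trim(explode(';', $response->getHeaderLine('Content-Type'))[0]));`, would make both the existing JSON branch and the new JWT branch robust to parameters and case. A short comment on the JWT branch saying that signature and issuer checks are delegated to `OidcJwtWithClaims` would also help, because a plain JSON response receives no equivalent verification beyond the TLS connection check. The hunk ends inside `validate()`, whose body continues past it.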
@@ -39,6 +44,14 @@ class OidcUserinfoResponse implements ProvidesClaims
             throw new OidcInvalidTokenException("Subject value provided in the userinfo endpoint does not match the provided ID token value");
         }
 
+        // Spec v1.0 5.3.4 Defines the following:
+        // Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
+        // This is effectively done as part of the HTTP request we're making through CURLOPT_SSL_VERIFYHOST on the request.
+        // If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
+        // We don't currently support JWT encryption for OIDC
+        // If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
+        // This is done as part of the validateCommonClaims above.
+
         return true;
     }
 
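Review bot: The last added comment refers to `validateCommonClaims`, but the call made earlier in this method is `$this->jwt->validateCommonTokenDetails($clientId)`, so the cross-reference points at a name that does not appear in the change. I would rewrite it as `// This is done by the validateCommonTokenDetails call above, which only runs when the response was a JWT.` The qualifier matters because a JSON userinfo response reaches this `return true;` with no signature check at all, which the spec allows for unsigned responses but the comment as written does not make clear. `validate()` begins outside this hunk.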