X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/b18cee3dc4cec028ff9efa69dab960649bb38425..refs/pull/5685/head:/app/Access/Oidc/OidcUserinfoResponse.php

diff --git a/app/Access/Oidc/OidcUserinfoResponse.php b/app/Access/Oidc/OidcUserinfoResponse.php
index bb6c2454a..33b8ec806 100644
--- a/app/Access/Oidc/OidcUserinfoResponse.php
+++ b/app/Access/Oidc/OidcUserinfoResponse.php
@@ -11,7 +11,9 @@ class OidcUserinfoResponse implements ProvidesClaims
 
     public function __construct(ResponseInterface $response, string $issuer, array $keys)
     {
-        $contentType = $response->getHeader('Content-Type')[0];
+        $contentTypeHeaderValue = $response->getHeader('Content-Type')[0] ?? '';
+        $contentType = strtolower(trim(explode(';', $contentTypeHeaderValue, 2)[0]));
+
         if ($contentType === 'application/json') {
             $this->claims = json_decode($response->getBody()->getContents(), true);
         }
@@ -20,20 +22,15 @@ class OidcUserinfoResponse implements ProvidesClaims
             $this->jwt = new OidcJwtWithClaims($response->getBody()->getContents(), $issuer, $keys);
             $this->claims = $this->jwt->getAllClaims();
         }
-
-        // TODO - Response validation (5.3.4):
-            // TODO - Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
-            // TODO - If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
-            // TODO - If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
     }
 
     /**
      * @throws OidcInvalidTokenException
      */
-    public function validate(string $idTokenSub): bool
+    public function validate(string $idTokenSub, string $clientId): bool
     {
         if (!is_null($this->jwt)) {
-            $this->jwt->validateCommonClaims();
+            $this->jwt->validateCommonTokenDetails($clientId);
         }
 
         $sub = $this->getClaim('sub');
@@ -49,6 +46,14 @@ class OidcUserinfoResponse implements ProvidesClaims
             throw new OidcInvalidTokenException("Subject value provided in the userinfo endpoint does not match the provided ID token value");
         }
 
+        // Spec v1.0 5.3.4 Defines the following:
+        // Verify that the OP that responded was the intended OP through a TLS server certificate check, per RFC 6125 [RFC6125].
+          // This is effectively done as part of the HTTP request we're making through CURLOPT_SSL_VERIFYHOST on the request.
+        // If the Client has provided a userinfo_encrypted_response_alg parameter during Registration, decrypt the UserInfo Response using the keys specified during Registration.
+          // We don't currently support JWT encryption for OIDC
+        // If the response was signed, the Client SHOULD validate the signature according to JWS [JWS].
+          // This is done as part of the validateCommonClaims above.
+
         return true;
     }