BookStack Code Mirror - bookstack/blob - app/Access/Oidc/OidcIdToken.php

1 <?php

2

3 namespace BookStack\Access\Oidc;

4

5 class OidcIdToken extends OidcJwtWithClaims implements ProvidesClaims

6 {

7 /**

8 * Validate all possible parts of the id token.

9 *

10 * @throws OidcInvalidTokenException

11 */

12 public function validate(string $clientId): bool

13 {

14 parent::validateCommonTokenDetails($clientId);

15 $this->validateTokenClaims($clientId);

16

17 return true;

18 }

19

20 /**

21 * Validate the claims of the token.

22 * As per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation.

23 *

24 * @throws OidcInvalidTokenException

25 */

26 protected function validateTokenClaims(string $clientId): void

27 {

28 // 1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)

29 // MUST exactly match the value of the iss (issuer) Claim.

30 // Already done in parent.

31

32 // 2. The Client MUST validate that the aud (audience) Claim contains its client_id value registered

33 // at the Issuer identified by the iss (issuer) Claim as an audience. The ID Token MUST be rejected

34 // if the ID Token does not list the Client as a valid audience, or if it contains additional

35 // audiences not trusted by the Client.

36 // Partially done in parent.

37 $aud = is_string($this->payload['aud']) ? [$this->payload['aud']] : $this->payload['aud'];

38 if (count($aud) !== 1) {

39 throw new OidcInvalidTokenException('Token audience value has ' . count($aud) . ' values, Expected 1');

40 }

41

42 // 3. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.

43 // NOTE: Addressed by enforcing a count of 1 above.

44

45 // 4. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id

46 // is the Claim Value.

47 if (isset($this->payload['azp']) && $this->payload['azp'] !== $clientId) {

48 throw new OidcInvalidTokenException('Token authorized party exists but does not match the expected client_id');

49 }

50

51 // 5. The current time MUST be before the time represented by the exp Claim

52 // (possibly allowing for some small leeway to account for clock skew).

53 if (empty($this->payload['exp'])) {

54 throw new OidcInvalidTokenException('Missing token expiration time value');

55 }

56

57 $skewSeconds = 120;

58 $now = time();

59 if ($now >= (intval($this->payload['exp']) + $skewSeconds)) {

60 throw new OidcInvalidTokenException('Token has expired');

61 }

62

63 // 6. The iat Claim can be used to reject tokens that were issued too far away from the current time,

64 // limiting the amount of time that nonces need to be stored to prevent attacks.

65 // The acceptable range is Client specific.

66 if (empty($this->payload['iat'])) {

67 throw new OidcInvalidTokenException('Missing token issued at time value');

68 }

69

70 $dayAgo = time() - 86400;

71 $iat = intval($this->payload['iat']);

72 if ($iat > ($now + $skewSeconds) || $iat < $dayAgo) {

73 throw new OidcInvalidTokenException('Token issue at time is not recent or is invalid');

74 }

75

76 // 7. If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.

77 // The meaning and processing of acr Claim Values is out of scope for this document.

78 // NOTE: Not used for our case here. acr is not requested.

79

80 // 8. When a max_age request is made, the Client SHOULD check the auth_time Claim value and request

81 // re-authentication if it determines too much time has elapsed since the last End-User authentication.

82 // NOTE: Not used for our case here. A max_age request is not made.

83

84 // Custom: Ensure the "sub" (Subject) Claim exists and has a value.

85 if (empty($this->payload['sub'])) {

86 throw new OidcInvalidTokenException('Missing token subject value');

87 }

88 }

89 }