<?php
-namespace BookStack\Auth\Access\OpenIdConnect;
+namespace BookStack\Auth\Access\Oidc;
use InvalidArgumentException;
use League\OAuth2\Client\Token\AccessToken;
-class OpenIdConnectAccessToken extends AccessToken
+class OidcAccessToken extends AccessToken
{
/**
* Constructs an access token.
<?php
-namespace BookStack\Auth\Access\OpenIdConnect;
+namespace BookStack\Auth\Access\Oidc;
-class OpenIdConnectIdToken
+class OidcIdToken
{
/**
* @var array
/**
* Validate all possible parts of the id token.
- * @throws InvalidTokenException
+ * @throws OidcInvalidTokenException
*/
public function validate(string $clientId): bool
{
/**
* Validate the structure of the given token and ensure we have the required pieces.
* As per https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
- * @throws InvalidTokenException
+ * @throws OidcInvalidTokenException
*/
protected function validateTokenStructure(): void
{
foreach (['header', 'payload'] as $prop) {
if (empty($this->$prop) || !is_array($this->$prop)) {
- throw new InvalidTokenException("Could not parse out a valid {$prop} within the provided token");
+ throw new OidcInvalidTokenException("Could not parse out a valid {$prop} within the provided token");
}
}
if (empty($this->signature) || !is_string($this->signature)) {
- throw new InvalidTokenException("Could not parse out a valid signature within the provided token");
+ throw new OidcInvalidTokenException("Could not parse out a valid signature within the provided token");
}
}
/**
* Validate the signature of the given token and ensure it validates against the provided key.
- * @throws InvalidTokenException
+ * @throws OidcInvalidTokenException
*/
protected function validateTokenSignature(): void
{
if ($this->header['alg'] !== 'RS256') {
- throw new InvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
+ throw new OidcInvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
}
$parsedKeys = array_map(function($key) {
try {
- return new JwtSigningKey($key);
- } catch (InvalidKeyException $e) {
+ return new OidcJwtSigningKey($key);
+ } catch (OidcInvalidKeyException $e) {
return null;
}
}, $this->keys);
$parsedKeys = array_filter($parsedKeys);
$contentToSign = $this->tokenParts[0] . '.' . $this->tokenParts[1];
- /** @var JwtSigningKey $parsedKey */
+ /** @var OidcJwtSigningKey $parsedKey */
foreach ($parsedKeys as $parsedKey) {
if ($parsedKey->verify($contentToSign, $this->signature)) {
return;
}
}
- throw new InvalidTokenException('Token signature could not be validated using the provided keys');
+ throw new OidcInvalidTokenException('Token signature could not be validated using the provided keys');
}
/**
* Validate the claims of the token.
* As per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
- * @throws InvalidTokenException
+ * @throws OidcInvalidTokenException
*/
protected function validateTokenClaims(string $clientId): void
{
// 1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
// MUST exactly match the value of the iss (issuer) Claim.
if (empty($this->payload['iss']) || $this->issuer !== $this->payload['iss']) {
- throw new InvalidTokenException('Missing or non-matching token issuer value');
+ throw new OidcInvalidTokenException('Missing or non-matching token issuer value');
}
// 2. The Client MUST validate that the aud (audience) Claim contains its client_id value registered
// if the ID Token does not list the Client as a valid audience, or if it contains additional
// audiences not trusted by the Client.
if (empty($this->payload['aud'])) {
- throw new InvalidTokenException('Missing token audience value');
+ throw new OidcInvalidTokenException('Missing token audience value');
}
$aud = is_string($this->payload['aud']) ? [$this->payload['aud']] : $this->payload['aud'];
if (count($aud) !== 1) {
- throw new InvalidTokenException('Token audience value has ' . count($aud) . ' values, Expected 1');
+ throw new OidcInvalidTokenException('Token audience value has ' . count($aud) . ' values, Expected 1');
}
if ($aud[0] !== $clientId) {
- throw new InvalidTokenException('Token audience value did not match the expected client_id');
+ throw new OidcInvalidTokenException('Token audience value did not match the expected client_id');
}
// 3. If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
// 4. If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id
// is the Claim Value.
if (isset($this->payload['azp']) && $this->payload['azp'] !== $clientId) {
- throw new InvalidTokenException('Token authorized party exists but does not match the expected client_id');
+ throw new OidcInvalidTokenException('Token authorized party exists but does not match the expected client_id');
}
// 5. The current time MUST be before the time represented by the exp Claim
// (possibly allowing for some small leeway to account for clock skew).
if (empty($this->payload['exp'])) {
- throw new InvalidTokenException('Missing token expiration time value');
+ throw new OidcInvalidTokenException('Missing token expiration time value');
}
$skewSeconds = 120;
$now = time();
if ($now >= (intval($this->payload['exp']) + $skewSeconds)) {
- throw new InvalidTokenException('Token has expired');
+ throw new OidcInvalidTokenException('Token has expired');
}
// 6. The iat Claim can be used to reject tokens that were issued too far away from the current time,
// limiting the amount of time that nonces need to be stored to prevent attacks.
// The acceptable range is Client specific.
if (empty($this->payload['iat'])) {
- throw new InvalidTokenException('Missing token issued at time value');
+ throw new OidcInvalidTokenException('Missing token issued at time value');
}
$dayAgo = time() - 86400;
$iat = intval($this->payload['iat']);
if ($iat > ($now + $skewSeconds) || $iat < $dayAgo) {
- throw new InvalidTokenException('Token issue at time is not recent or is invalid');
+ throw new OidcInvalidTokenException('Token issue at time is not recent or is invalid');
}
// 7. If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
// Custom: Ensure the "sub" (Subject) Claim exists and has a value.
if (empty($this->payload['sub'])) {
- throw new InvalidTokenException('Missing token subject value');
+ throw new OidcInvalidTokenException('Missing token subject value');
}
}
--- /dev/null
+<?php
+
+namespace BookStack\Auth\Access\Oidc;
+
+class OidcInvalidKeyException extends \Exception
+{
+
+}
\ No newline at end of file
--- /dev/null
+<?php
+
+namespace BookStack\Auth\Access\Oidc;
+
+use Exception;
+
+class OidcInvalidTokenException extends Exception
+{
+
+}
\ No newline at end of file
--- /dev/null
+<?php
+
+namespace BookStack\Auth\Access\Oidc;
+
+class OidcIssuerDiscoveryException extends \Exception
+{
+
+}
\ No newline at end of file
<?php
-namespace BookStack\Auth\Access\OpenIdConnect;
+namespace BookStack\Auth\Access\Oidc;
use phpseclib3\Crypt\Common\PublicKey;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;
use phpseclib3\Math\BigInteger;
-class JwtSigningKey
+class OidcJwtSigningKey
{
/**
* @var PublicKey
* 'file:///var/www/cert.pem'
* ['kty' => 'RSA', 'alg' => 'RS256', 'n' => 'abc123...']
* @param array|string $jwkOrKeyPath
- * @throws InvalidKeyException
+ * @throws OidcInvalidKeyException
*/
public function __construct($jwkOrKeyPath)
{
} else if (is_string($jwkOrKeyPath) && strpos($jwkOrKeyPath, 'file://') === 0) {
$this->loadFromPath($jwkOrKeyPath);
} else {
- throw new InvalidKeyException('Unexpected type of key value provided');
+ throw new OidcInvalidKeyException('Unexpected type of key value provided');
}
}
/**
- * @throws InvalidKeyException
+ * @throws OidcInvalidKeyException
*/
protected function loadFromPath(string $path)
{
file_get_contents($path)
)->withPadding(RSA::SIGNATURE_PKCS1);
} catch (\Exception $exception) {
- throw new InvalidKeyException("Failed to load key from file path with error: {$exception->getMessage()}");
+ throw new OidcInvalidKeyException("Failed to load key from file path with error: {$exception->getMessage()}");
}
if (!($this->key instanceof RSA)) {
- throw new InvalidKeyException("Key loaded from file path is not an RSA key as expected");
+ throw new OidcInvalidKeyException("Key loaded from file path is not an RSA key as expected");
}
}
/**
- * @throws InvalidKeyException
+ * @throws OidcInvalidKeyException
*/
protected function loadFromJwkArray(array $jwk)
{
if ($jwk['alg'] !== 'RS256') {
- throw new InvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
+ throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
}
if (empty($jwk['use'])) {
- throw new InvalidKeyException('A "use" parameter on the provided key is expected');
+ throw new OidcInvalidKeyException('A "use" parameter on the provided key is expected');
}
if ($jwk['use'] !== 'sig') {
- throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");
+ throw new OidcInvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['use']}");
}
if (empty($jwk['e'])) {
- throw new InvalidKeyException('An "e" parameter on the provided key is expected');
+ throw new OidcInvalidKeyException('An "e" parameter on the provided key is expected');
}
if (empty($jwk['n'])) {
- throw new InvalidKeyException('A "n" parameter on the provided key is expected');
+ throw new OidcInvalidKeyException('A "n" parameter on the provided key is expected');
}
$n = strtr($jwk['n'] ?? '', '-_', '+/');
'n' => new BigInteger(base64_decode($n), 256),
])->withPadding(RSA::SIGNATURE_PKCS1);
} catch (\Exception $exception) {
- throw new InvalidKeyException("Failed to load key from JWK parameters with error: {$exception->getMessage()}");
+ throw new OidcInvalidKeyException("Failed to load key from JWK parameters with error: {$exception->getMessage()}");
}
}
<?php
-namespace BookStack\Auth\Access\OpenIdConnect;
+namespace BookStack\Auth\Access\Oidc;
use League\OAuth2\Client\Grant\AbstractGrant;
use League\OAuth2\Client\Provider\AbstractProvider;
* Credit to the https://github.com/steverhoades/oauth2-openid-connect-client
* project for the idea of extending a League\OAuth2 client for this use-case.
*/
-class OpenIdConnectOAuthProvider extends AbstractProvider
+class OidcOAuthProvider extends AbstractProvider
{
use BearerAuthorizationTrait;
*
* @param array $response
* @param AbstractGrant $grant
- * @return OpenIdConnectAccessToken
+ * @return OidcAccessToken
*/
protected function createAccessToken(array $response, AbstractGrant $grant)
{
- return new OpenIdConnectAccessToken($response);
+ return new OidcAccessToken($response);
}
<?php
-namespace BookStack\Auth\Access\OpenIdConnect;
+namespace BookStack\Auth\Access\Oidc;
use GuzzleHttp\Psr7\Request;
use Illuminate\Contracts\Cache\Repository;
* Acts as a DTO for settings used within the oidc request and token handling.
* Performs auto-discovery upon request.
*/
-class OpenIdConnectProviderSettings
+class OidcProviderSettings
{
/**
* @var string
/**
* Discover and autoload settings from the configured issuer.
- * @throws IssuerDiscoveryException
+ * @throws OidcIssuerDiscoveryException
*/
public function discoverFromIssuer(ClientInterface $httpClient, Repository $cache, int $cacheMinutes)
{
});
$this->applySettingsFromArray($discoveredSettings);
} catch (ClientExceptionInterface $exception) {
- throw new IssuerDiscoveryException("HTTP request failed during discovery with error: {$exception->getMessage()}");
+ throw new OidcIssuerDiscoveryException("HTTP request failed during discovery with error: {$exception->getMessage()}");
}
}
/**
- * @throws IssuerDiscoveryException
+ * @throws OidcIssuerDiscoveryException
* @throws ClientExceptionInterface
*/
protected function loadSettingsFromIssuerDiscovery(ClientInterface $httpClient): array
$result = json_decode($response->getBody()->getContents(), true);
if (empty($result) || !is_array($result)) {
- throw new IssuerDiscoveryException("Error discovering provider settings from issuer at URL {$issuerUrl}");
+ throw new OidcIssuerDiscoveryException("Error discovering provider settings from issuer at URL {$issuerUrl}");
}
if ($result['issuer'] !== $this->issuer) {
- throw new IssuerDiscoveryException("Unexpected issuer value found on discovery response");
+ throw new OidcIssuerDiscoveryException("Unexpected issuer value found on discovery response");
}
$discoveredSettings = [];
/**
* Return an array of jwks as PHP key=>value arrays.
* @throws ClientExceptionInterface
- * @throws IssuerDiscoveryException
+ * @throws OidcIssuerDiscoveryException
*/
protected function loadKeysFromUri(string $uri, ClientInterface $httpClient): array
{
$result = json_decode($response->getBody()->getContents(), true);
if (empty($result) || !is_array($result) || !isset($result['keys'])) {
- throw new IssuerDiscoveryException("Error reading keys from issuer jwks_uri");
+ throw new OidcIssuerDiscoveryException("Error reading keys from issuer jwks_uri");
}
return $result['keys'];
-<?php namespace BookStack\Auth\Access\OpenIdConnect;
+<?php namespace BookStack\Auth\Access\Oidc;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\RegistrationService;
* Class OpenIdConnectService
* Handles any app-specific OIDC tasks.
*/
-class OpenIdConnectService
+class OidcService
{
protected $registrationService;
protected $loginService;
}
/**
- * @throws IssuerDiscoveryException
+ * @throws OidcIssuerDiscoveryException
* @throws ClientExceptionInterface
*/
- protected function getProviderSettings(): OpenIdConnectProviderSettings
+ protected function getProviderSettings(): OidcProviderSettings
{
- $settings = new OpenIdConnectProviderSettings([
+ $settings = new OidcProviderSettings([
'issuer' => $this->config['issuer'],
'clientId' => $this->config['client_id'],
'clientSecret' => $this->config['client_secret'],
/**
* Load the underlying OpenID Connect Provider.
*/
- protected function getProvider(OpenIdConnectProviderSettings $settings): OpenIdConnectOAuthProvider
+ protected function getProvider(OidcProviderSettings $settings): OidcOAuthProvider
{
- return new OpenIdConnectOAuthProvider($settings->arrayForProvider());
+ return new OidcOAuthProvider($settings->arrayForProvider());
}
/**
* Calculate the display name
*/
- protected function getUserDisplayName(OpenIdConnectIdToken $token, string $defaultValue): string
+ protected function getUserDisplayName(OidcIdToken $token, string $defaultValue): string
{
$displayNameAttr = $this->config['display_name_claims'];
* Extract the details of a user from an ID token.
* @return array{name: string, email: string, external_id: string}
*/
- protected function getUserDetails(OpenIdConnectIdToken $token): array
+ protected function getUserDetails(OidcIdToken $token): array
{
$id = $token->getClaim('sub');
return [
* @throws UserRegistrationException
* @throws StoppedAuthenticationException
*/
- protected function processAccessTokenCallback(OpenIdConnectAccessToken $accessToken, OpenIdConnectProviderSettings $settings): User
+ protected function processAccessTokenCallback(OidcAccessToken $accessToken, OidcProviderSettings $settings): User
{
$idTokenText = $accessToken->getIdToken();
- $idToken = new OpenIdConnectIdToken(
+ $idToken = new OidcIdToken(
$idTokenText,
$settings->issuer,
$settings->keys,
try {
$idToken->validate($settings->clientId);
- } catch (InvalidTokenException $exception) {
+ } catch (OidcInvalidTokenException $exception) {
throw new OpenIdConnectException("ID token validate failed with error: {$exception->getMessage()}");
}
+++ /dev/null
-<?php
-
-namespace BookStack\Auth\Access\OpenIdConnect;
-
-class InvalidKeyException extends \Exception
-{
-
-}
\ No newline at end of file
+++ /dev/null
-<?php
-
-namespace BookStack\Auth\Access\OpenIdConnect;
-
-use Exception;
-
-class InvalidTokenException extends Exception
-{
-
-}
\ No newline at end of file
+++ /dev/null
-<?php
-
-namespace BookStack\Auth\Access\OpenIdConnect;
-
-class IssuerDiscoveryException extends \Exception
-{
-
-}
\ No newline at end of file
namespace BookStack\Http\Controllers\Auth;
-use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectService;
+use BookStack\Auth\Access\Oidc\OidcService;
use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request;
/**
* OpenIdController constructor.
*/
- public function __construct(OpenIdConnectService $oidcService)
+ public function __construct(OidcService $oidcService)
{
$this->oidcService = $oidcService;
$this->middleware('guard:oidc');
namespace Tests\Unit;
-use BookStack\Auth\Access\OpenIdConnect\InvalidTokenException;
-use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectIdToken;
+use BookStack\Auth\Access\Oidc\OidcInvalidTokenException;
+use BookStack\Auth\Access\Oidc\OidcIdToken;
use phpseclib3\Crypt\RSA;
use Tests\TestCase;
-class OpenIdConnectIdTokenTest extends TestCase
+class OidcIdTokenTest extends TestCase
{
public function test_valid_token_passes_validation()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', [
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', [
$this->jwkKeyArray()
]);
public function test_get_claim_returns_value_if_existing()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', []);
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', []);
}
public function test_get_claim_returns_null_if_not_existing()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', []);
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', []);
$this->assertEquals(null, $token->getClaim('emails'));
}
public function test_get_all_claims_returns_all_payload_claims()
{
$defaultPayload = $this->getDefaultPayload();
- $token = new OpenIdConnectIdToken($this->idToken($defaultPayload), 'https://auth.example.com', []);
+ $token = new OidcIdToken($this->idToken($defaultPayload), 'https://auth.example.com', []);
$this->assertEquals($defaultPayload, $token->getAllClaims());
}
];
foreach ($messagesAndTokenValues as [$message, $tokenValue]) {
- $token = new OpenIdConnectIdToken($tokenValue, 'https://auth.example.com', []);
+ $token = new OidcIdToken($tokenValue, 'https://auth.example.com', []);
$err = null;
try {
$token->validate('abc');
$err = $exception;
}
- $this->assertInstanceOf(InvalidTokenException::class, $err, $message);
+ $this->assertInstanceOf(OidcInvalidTokenException::class, $err, $message);
$this->assertEquals($message, $err->getMessage());
}
}
public function test_error_thrown_if_token_signature_not_validated_from_no_keys()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', []);
- $this->expectException(InvalidTokenException::class);
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', []);
+ $this->expectException(OidcInvalidTokenException::class);
$this->expectExceptionMessage('Token signature could not be validated using the provided keys');
$token->validate('abc');
}
public function test_error_thrown_if_token_signature_not_validated_from_non_matching_key()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', [
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', [
array_merge($this->jwkKeyArray(), [
'n' => 'iqK-1QkICMf_cusNLpeNnN-bhT0-9WLBvzgwKLALRbrevhdi5ttrLHIQshaSL0DklzfyG2HWRmAnJ9Q7sweEjuRiiqRcSUZbYu8cIv2hLWYu7K_NH67D2WUjl0EnoHEuiVLsZhQe1CmdyLdx087j5nWkd64K49kXRSdxFQUlj8W3NeK3CjMEUdRQ3H4RZzJ4b7uuMiFA29S2ZhMNG20NPbkUVsFL-jiwTd10KSsPT8yBYipI9O7mWsUWt_8KZs1y_vpM_k3SyYihnWpssdzDm1uOZ8U3mzFr1xsLAO718GNUSXk6npSDzLl59HEqa6zs4O9awO2qnSHvcmyELNk31w'
])
]);
- $this->expectException(InvalidTokenException::class);
+ $this->expectException(OidcInvalidTokenException::class);
$this->expectExceptionMessage('Token signature could not be validated using the provided keys');
$token->validate('abc');
}
public function test_error_thrown_if_token_signature_not_validated_from_invalid_key()
{
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', ['url://example.com']);
- $this->expectException(InvalidTokenException::class);
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', ['url://example.com']);
+ $this->expectException(OidcInvalidTokenException::class);
$this->expectExceptionMessage('Token signature could not be validated using the provided keys');
$token->validate('abc');
}
public function test_error_thrown_if_token_algorithm_is_not_rs256()
{
- $token = new OpenIdConnectIdToken($this->idToken([], ['alg' => 'HS256']), 'https://auth.example.com', []);
- $this->expectException(InvalidTokenException::class);
+ $token = new OidcIdToken($this->idToken([], ['alg' => 'HS256']), 'https://auth.example.com', []);
+ $this->expectException(OidcInvalidTokenException::class);
$this->expectExceptionMessage("Only RS256 signature validation is supported. Token reports using HS256");
$token->validate('abc');
}
];
foreach ($claimOverridesByErrorMessage as [$message, $overrides]) {
- $token = new OpenIdConnectIdToken($this->idToken($overrides), 'https://auth.example.com', [
+ $token = new OidcIdToken($this->idToken($overrides), 'https://auth.example.com', [
$this->jwkKeyArray()
]);
$err = $exception;
}
- $this->assertInstanceOf(InvalidTokenException::class, $err, $message);
+ $this->assertInstanceOf(OidcInvalidTokenException::class, $err, $message);
$this->assertEquals($message, $err->getMessage());
}
}
$file = tmpfile();
$testFilePath = 'file://' . stream_get_meta_data($file)['uri'];
file_put_contents($testFilePath, $this->pemKey());
- $token = new OpenIdConnectIdToken($this->idToken(), 'https://auth.example.com', [
+ $token = new OidcIdToken($this->idToken(), 'https://auth.example.com', [
$testFilePath
]);
projects / bookstack / commitdiff