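--- a/app/Authentication/AuthServiceProvider.php
+++ b/app/Authentication/AuthServiceProvider.php
@@ -15,7 +15,6 @@
 use CultuurNet\UDB3\Cache\CacheFactory;
 use CultuurNet\UDB3\Container\AbstractServiceProvider;
 use CultuurNet\UDB3\Http\Auth\Jwt\JsonWebToken;
-use CultuurNet\UDB3\Http\Auth\Jwt\UitIdV1JwtValidator;
 use CultuurNet\UDB3\Http\Auth\Jwt\UitIdV2JwtValidator;
 use CultuurNet\UDB3\Http\Auth\RequestAuthenticatorMiddleware;
 use CultuurNet\UDB3\Impersonator;
@@ -53,10 +52,6 @@ public function register(): void
 RequestAuthenticatorMiddleware::class,
 function () use ($container): RequestAuthenticatorMiddleware {
 $authenticator = new RequestAuthenticatorMiddleware(
-new UitIdV1JwtValidator(
-'file://' . __DIR__ . '/../../' . $container->get('config')['jwt']['v1']['keys']['public']['file'],
-$container->get('config')['jwt']['v1']['valid_issuers']
-),
 $this->createUitIdV2JwtValidator($container),
 new CachedApiKeyAuthenticator(
 new CultureFeedApiKeyAuthenticator($container->get(ConsumerReadRepository::class)),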
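--- a/src/Http/Auth/Jwt/JsonWebToken.php
+++ b/src/Http/Auth/Jwt/JsonWebToken.php
@@ -23,7 +23,6 @@
 
 final class JsonWebToken
 {
-public const UIT_ID_V1_JWT_PROVIDER_TOKEN = 'uit_v1_jwt_provider_token';
 public const UIT_ID_V2_JWT_PROVIDER_TOKEN = 'uit_v2_jwt_provider_token';
 public const UIT_ID_V2_USER_ACCESS_TOKEN = 'uit_v2_user_access_token';
 public const UIT_ID_V2_CLIENT_ACCESS_TOKEN = 'uit_v2_client_access_token';
@@ -53,11 +52,6 @@ public function __construct(string $jwt)
 */
 public function getType(): string
 {
-// V1 tokens had a non-standardized "uid" claim
-if ($this->token->claims()->has('uid')) {
-return self::UIT_ID_V1_JWT_PROVIDER_TOKEN;
-}
-
 // Because ID tokens from Keycloak always have a `azp` claim the `typ` claim can be used to verify if a Keycloak ID token is passed.
 if ($this->token->claims()->get('typ', '') === 'ID') {
 return self::UIT_ID_V2_JWT_PROVIDER_TOKEN;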
25 changes: 0 additions & 25 deletions src/Http/Auth/Jwt/UitIdV1JwtValidator.php

This file was deleted.

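--- a/src/Http/Auth/RequestAuthenticatorMiddleware.php
+++ b/src/Http/Auth/RequestAuthenticatorMiddleware.php
@@ -43,8 +43,6 @@ final class RequestAuthenticatorMiddleware implements MiddlewareInterface
 
 private ?JsonWebToken $token = null;
 private ?ApiKey $apiKey = null;
-
-private JwtValidator $uitIdV1JwtValidator;
 private JwtValidator $uitIdV2JwtValidator;
 private ApiKeyAuthenticator $apiKeyAuthenticator;
 private ApiKeyConsumerReadRepository $apiKeyConsumerReadRepository;
@@ -56,7 +54,6 @@ final class RequestAuthenticatorMiddleware implements MiddlewareInterface
 private ?ApiKeysMatchedToClientIds $apiKeysMatchedToClientIds;
 
 public function __construct(
-JwtValidator $uitIdV1JwtValidator,
 JwtValidator $uitIdV2JwtValidator,
 ApiKeyAuthenticator $apiKeyAuthenticator,
 ApiKeyConsumerReadRepository $apiKeyConsumerReadRepository,
@@ -65,7 +62,6 @@ public function __construct(
 ClientIdResolver $clientIdResolver,
 ?ApiKeysMatchedToClientIds $apiKeysMatchedToClientIds = null
 ) {
-$this->uitIdV1JwtValidator = $uitIdV1JwtValidator;
 $this->uitIdV2JwtValidator = $uitIdV2JwtValidator;
 $this->apiKeyAuthenticator = $apiKeyAuthenticator;
 $this->apiKeyConsumerReadRepository = $apiKeyConsumerReadRepository;
@@ -103,9 +99,9 @@ private function authenticate(ServerRequestInterface $request): void
 
 $this->authenticateToken($request);
 
-// Requests that use a token from the JWT provider (v1 or v2) require an API key from UiTID v1.
+// Requests that use a token from the JWT provider (v2) require an API key from UiTID v1.
 // Requests that use a token that they got from a clientId do not require an API key.
-if ($this->token->getType() === JsonWebToken::UIT_ID_V1_JWT_PROVIDER_TOKEN || $this->token->getType() === JsonWebToken::UIT_ID_V2_JWT_PROVIDER_TOKEN) {
+if ($this->token->getType() === JsonWebToken::UIT_ID_V2_JWT_PROVIDER_TOKEN) {
 $this->authenticateApiKey($request);
 }
 
@@ -150,11 +146,8 @@ private function authenticateToken(ServerRequestInterface $request): void
 throw ApiProblem::unauthorized('Token "' . $tokenString . '" is not a valid JWT.');
 }
 
-$isV1 = $this->token->getType() === JsonWebToken::UIT_ID_V1_JWT_PROVIDER_TOKEN;
-$validator = $isV1 ? $this->uitIdV1JwtValidator : $this->uitIdV2JwtValidator;
-
-$validator->verifySignature($this->token);
-$validator->validateClaims($this->token);
+$this->uitIdV2JwtValidator->verifySignature($this->token);
+$this->uitIdV2JwtValidator->validateClaims($this->token);
 }
 
 private function authenticateApiKey(ServerRequestInterface $request): void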
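Review bot: In `authenticateToken()` every token now goes straight to `$this->uitIdV2JwtValidator`, so a legacy v1 token is refused only as a side effect of failing v2 signature or claim validation, and no test visible on this page pins that rejection. A middleware test that presents a token carrying a `uid` claim and expects the unauthorized `ApiProblem` would keep a later change to the v2 validator or to `getType()` from quietly re-admitting such tokens, or from letting them bypass the API key requirement in `authenticate()`. The hunk context in `JsonWebTokenTest` still names `it_returns_uid_claim_as_id_if_present`, which suggests `JsonWebToken::getUserId()` keeps honouring the `uid` claim; it is worth confirming whether that v1 claim handling should be removed as well. A one-line comment above the two validator calls would record the intent, for example `// UiTID v1 tokens are no longer accepted: every token must pass v2 signature and claim validation.` Both `authenticate()` and `authenticateToken()` begin outside the hunks shown.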
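--- a/tests/Http/Auth/Jwt/JsonWebTokenTest.php
+++ b/tests/Http/Auth/Jwt/JsonWebTokenTest.php
@@ -36,21 +36,6 @@ public function it_returns_uid_claim_as_id_if_present(): void
 $this->assertEquals('6e3ef9b3-e37b-428e-af30-05f3a96dbbe4', $jwt->getUserId());
 }
 
-/**
-* @test
-*/
-public function it_returns_uitid_v1_claim_as_id_if_present(): void
-{
-$jwt = JsonWebTokenFactory::createWithClaims(
-[
-'https://publiq.be/uitidv1id' => 'b55f041e-5c5e-4850-9fb8-8cf73d538c56',
-'sub' => 'auth0|ce6abd8f-b1e2-4bce-9dde-08af64438e87',
-]
-);
-
-$this->assertEquals('b55f041e-5c5e-4850-9fb8-8cf73d538c56', $jwt->getUserId());
-}
-
 /**
 * @test
 */
@@ -113,15 +98,6 @@ public function it_returns_null_as_client_name_if_publiq_client_name_claim_is_mi
 $this->assertNull($jwt->getClientName());
 }
 
-/**
-* @test
-*/
-public function it_returns_v1_jwt_provider_token_type_if_a_uid_claim_is_present(): void
-{
-$jwt = JsonWebTokenFactory::createWithClaims(['uid' => 'mock']);
-$this->assertEquals(JsonWebToken::UIT_ID_V1_JWT_PROVIDER_TOKEN, $jwt->getType());
-}
-
 /**
 * @test
 */
@@ -163,32 +139,6 @@ public function it_returns_v2_user_access_token_type_otherwise(): void
 $this->assertEquals(JsonWebToken::UIT_ID_V2_USER_ACCESS_TOKEN, $jwt->getType());
 }
 
-/**
-* @test
-*/
-public function it_returns_user_identity_details_for_v1_jwt_provider_tokens(): void
-{
-$userIdentityResolver = $this->createMock(UserIdentityResolver::class);
-$userIdentityResolver->expects($this->never())
-->method('getUserById');
-
-$v1Token = JsonWebTokenFactory::createWithClaims(
-[
-'uid' => 'c82bd40c-1932-4c45-bd5d-a76cc9907cee',
-'nick' => 'mock-nickname',
-'email' => 'mock@example.com',
-]
-);
-
-$details = new UserIdentityDetails(
-'c82bd40c-1932-4c45-bd5d-a76cc9907cee',
-'mock-nickname',
-'mock@example.com'
-);
-
-$this->assertEquals($details, $v1Token->getUserIdentityDetails($userIdentityResolver));
-}
-
 /**
 * @test
 */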