Merge pull request #331 from jumbojett/fix/client_secret_jwt-configurable-alternative

fix: client_secret_jwt and private_key_jwt support is disabled by def…

Author: DeepDiver1975

README.md

@@ -2,7 +2,7 @@ PHP OpenID Connect Basic Client
 ========================
 A simple library that allows an application to authenticate a user through the basic OpenID Connect flow.
 This library hopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of
-the OpenID Connect protocol to setup authentication.
+the OpenID Connect protocol to set up authentication.
 
 A special thanks goes to Justin Richer and Amanda Anganes for their help and support of the protocol.
 
@@ -12,11 +12,12 @@ A special thanks goes to Justin Richer and Amanda Anganes for their help and sup
  3. JSON extension
 
 ## Install ##
- 1. Install library using composer
+1. Install library using composer
 ```
 composer require jumbojett/openid-connect-php
 ```
- 2. Include composer autoloader
+
+2. Include composer autoloader
 ```php
 require __DIR__ . '/vendor/autoload.php';
 ```
@@ -191,6 +192,28 @@ function handleLogout() {
 
 ```
 
+## Example 10: Enable Token Endpoint Auth Methods ##
+
+By default, only `client_secret_basic` is enabled on client side which was the only supported for a long time.
+Recently `client_secret_jwt` and `private_key_jwt` have been added, but they remain disabled until explicitly enabled.
+
+```php
+use Jumbojett\OpenIDConnectClient;
+
+$oidc = new OpenIDConnectClient('https://id.provider.com',
+                                'ClientIDHere',
+                                null);
+# enable 'client_secret_basic' and 'client_secret_jwt'                                
+$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_basic', 'client_secret_jwt']);
+
+# for 'private_key_jwt' in addition also the generator function has to be set.
+$oidc->setTokenEndpointAuthMethodsSupported(['private_key_jwt']);
+$oidc->setPrivateKeyJwtGenerator(function(string $token_endpoint) {
+    # TODO: what ever is necessary
+})
+```
+
+
 ## Development Environments ##
 In some cases you may need to disable SSL security on your development systems.
 Note: This is not recommended on production systems.

src/OpenIDConnectClient.php

@@ -261,6 +261,11 @@ class OpenIDConnectClient
      */
     private $backChannelSubject;
 
+    /**
+     * @var array list of supported auth methods
+     */
+    private $token_endpoint_auth_methods_supported = ['client_secret_basic'];
+
     /**
      * @param $provider_url string optional
      *
@@ -597,6 +602,14 @@ public function addRegistrationParam($param) {
         $this->registrationParams = array_merge($this->registrationParams, (array)$param);
     }
 
+    /**
+     * @param array $token_endpoint_auth_methods_supported
+     */
+    public function setTokenEndpointAuthMethodsSupported($token_endpoint_auth_methods_supported)
+    {
+        $this->token_endpoint_auth_methods_supported = $token_endpoint_auth_methods_supported;
+    }
+
     /**
      * @param $jwk object - example: (object) ['kid' => ..., 'nbf' => ..., 'use' => 'sig', 'kty' => "RSA", 'e' => "", 'n' => ""]
      */
@@ -872,7 +885,7 @@ public function requestResourceOwnerToken($bClientAuth = FALSE) {
         //For client authentication include the client values
         if($bClientAuth) {
             $token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
-            if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
+            if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
                 $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
             } else {
                 $post_data['client_id']     = $this->clientID;
@@ -911,19 +924,19 @@ protected function requestTokens($code, $headers = array()) {
 
         $authorizationHeader = null;
         # Consider Basic authentication if provider config is set this way
-        if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
             $authorizationHeader = 'Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret));
             unset($token_params['client_secret']);
 	        unset($token_params['client_id']);
         }
 
         // When there is a private key jwt generator and it is supported then use it as client authentication
-        if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->privateKeyJwtGenerator !== null && $this->supportsAuthMethod('private_key_jwt', $token_endpoint_auth_methods_supported)) {
             $token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
             $token_params['client_assertion'] = $this->privateKeyJwtGenerator->__invoke($token_endpoint);
         }
 
-        if (in_array('client_secret_jwt', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_jwt', $token_endpoint_auth_methods_supported)) {
             $client_assertion_type = $this->getProviderConfigValue('client_assertion_type');
 
             if(isset($this->providerConfig['client_assertion'])){
@@ -994,7 +1007,7 @@ public function requestTokenExchange($subjectToken, $subjectTokenType, $audience
         }
 
         # Consider Basic authentication if provider config is set this way
-        if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
             $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
             unset($post_data['client_secret']);
             unset($post_data['client_id']);
@@ -1031,13 +1044,13 @@ public function refreshToken($refresh_token) {
         ];
 
         # Consider Basic authentication if provider config is set this way
-        if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
             $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
             unset($token_params['client_secret']);
             unset($token_params['client_id']);
         }
 
-        if (in_array('client_secret_jwt', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_jwt', $token_endpoint_auth_methods_supported)) {
             $client_assertion_type = $this->getProviderConfigValue('client_assertion_type');
             $client_assertion = $this->getJWTClientAssertion($this->getProviderConfigValue('token_endpoint'));
 
@@ -1728,7 +1741,7 @@ public function introspectToken($token, $token_type_hint = '', $clientId = null,
         $headers = ['Authorization: Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret)),
             'Accept: application/json'];
 
-        if (in_array('client_secret_jwt', $token_endpoint_auth_methods_supported, true)) {
+        if ($this->supportsAuthMethod('client_secret_jwt', $token_endpoint_auth_methods_supported)) {
             $client_assertion_type = $this->getProviderConfigValue('client_assertion_type');
             $client_assertion = $this->getJWTClientAssertion($this->getProviderConfigValue('introspection_endpoint'));
 
@@ -2188,4 +2201,19 @@ public function getSidFromBackChannel() {
     public function getSubjectFromBackChannel() {
         return $this->backChannelSubject;
     }
+
+    /**
+     * @param string $auth_method
+     * @param array $token_endpoint_auth_methods_supported
+     * @return bool
+     */
+    public function supportsAuthMethod($auth_method, $token_endpoint_auth_methods_supported)
+    {
+        # client_secret_jwt has to explicitly be enabled
+        if (!in_array($auth_method, $this->token_endpoint_auth_methods_supported, true)) {
+            return false;
+        }
+
+        return in_array($auth_method, $token_endpoint_auth_methods_supported, true);
+    }
 }

tests/OpenIDConnectClientTest.php

@@ -62,4 +62,30 @@ public function testSerialize()
         $serialized = serialize($client);
         $this->assertInstanceOf('Jumbojett\OpenIDConnectClient', unserialize($serialized));
     }
+
+    /**
+     * @dataProvider provider
+     */
+    public function testAuthMethodSupport($expected, $authMethod, $clientAuthMethods, $idpAuthMethods)
+    {
+        $client = new OpenIDConnectClient();
+        if ($clientAuthMethods !== null) {
+            $client->setTokenEndpointAuthMethodsSupported($clientAuthMethods);
+        }
+        $this->assertEquals($expected, $client->supportsAuthMethod($authMethod, $idpAuthMethods));
+    }
+
+    public function provider()
+    {
+        return [
+            'client_secret_basic - default config' => [true, 'client_secret_basic', null, ['client_secret_basic']],
+
+            'client_secret_jwt - default config' => [false, 'client_secret_jwt', null, ['client_secret_basic', 'client_secret_jwt']],
+            'client_secret_jwt - explicitly enabled' => [true, 'client_secret_jwt', ['client_secret_jwt'], ['client_secret_basic', 'client_secret_jwt']],
+
+            'private_key_jwt - default config' => [false, 'private_key_jwt', null, ['client_secret_basic', 'client_secret_jwt', 'private_key_jwt']],
+            'private_key_jwt - explicitly enabled' => [true, 'private_key_jwt', ['private_key_jwt'], ['client_secret_basic', 'client_secret_jwt', 'private_key_jwt']],
+
+        ];
+    }
 }