Fix exception when iss is missing

samuelwei · samuelwei · commit 28590d62937f · 2025-04-29T11:32:24.000+02:00
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -527,7 +527,7 @@ public function verifyLogoutTokenClaims($claims): bool
         }
 
         // Validate the iss
-        if (!$this->validateIssuer($claims->iss)) {
+        if (!isset($claims->iss) || !$this->validateIssuer($claims->iss)) {
             return false;
         }
         // Validate the aud
@@ -1208,7 +1208,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool
         }
         $auds = $claims->aud;
         $auds = is_array( $auds ) ? $auds : [ $auds ];
-        return (($this->validateIssuer($claims->iss))
+        return ((isset($claims->iss) && $this->validateIssuer($claims->iss))
             && (in_array($this->clientID, $auds, true))
             && ($claims->sub === $this->getIdTokenPayload()->sub)
             && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -63,6 +63,13 @@ public function getIdTokenPayload()
             'iss' => 'issuer',
         ]);
         self::assertFalse($valid);
+
+        # missing iss
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => 'client-id',
+            'sub' => 'sub',
+        ]);
+        self::assertFalse($valid);
     }
     public function testJWTDecode()
     {
@@ -336,6 +343,18 @@ public function provideTestVerifyLogoutTokenClaimsData(): array
                 ],
                 false
             ],
+            'invalid-no-iss' => [
+                (object)[
+                    'aud' => [ 'fake-client-id', 'some-other-aud' ],
+                    'sub' => 'fake-client-sub',
+                    'sid' => 'fake-client-sid',
+                    'iat' => time(),
+                    'events' => (object) [
+                        'http://schemas.openid.net/event/backchannel-logout' => (object)[]
+                    ],
+                ],
+                false
+            ],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -527,7 +527,7 @@ public function verifyLogoutTokenClaims($claims): bool`
`527`	`527`	`}`
`528`	`528`
`529`	`529`	`// Validate the iss`
`530`		`- if (!$this->validateIssuer($claims->iss)) {`
	`530`	`+ if (!isset($claims->iss) \|\| !$this->validateIssuer($claims->iss)) {`
`531`	`531`	`return false;`
`532`	`532`	`}`
`533`	`533`	`// Validate the aud`
`@@ -1208,7 +1208,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool`
`1208`	`1208`	`}`
`1209`	`1209`	`$auds = $claims->aud;`
`1210`	`1210`	`$auds = is_array( $auds ) ? $auds : [ $auds ];`
`1211`		`- return (($this->validateIssuer($claims->iss))`
	`1211`	`+ return ((isset($claims->iss) && $this->validateIssuer($claims->iss))`
`1212`	`1212`	`&& (in_array($this->clientID, $auds, true))`
`1213`	`1213`	`&& ($claims->sub === $this->getIdTokenPayload()->sub)`
`1214`	`1214`	`&& (!isset($claims->nonce) \|\| $claims->nonce === $this->getNonce())`