Add redirect tests, fix test issues, refactor code

samuelwei · samuelwei · commit 30343b739e45 · 2025-07-02T10:50:42.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,7 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Min. PHP version to 8.1 #488
 - `fetchURL` response type to `Response` class #488
 - `Nonce` claim must be present, Partially reverts #280
-- `verifySignatures` method signature, accepting `JWS` object instead of string
+- `verifySignatures` method signature, accepting `JWS` object instead of string #488
 
 ### Fixed
 - Check existence of `sub` claim when verifying JWT #474
@@ -33,7 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `getResponseContentType()`, replaced with new response method `getContentType()` #488
 - `verifyJWTClaims()`, replaced with individual checks #488
 - `validateIssuer()`, replaced with `IssuerChecker` #488
-- `verifyJWTSignature()`, replaced with `verifyJWS()` #488
+- `verifyJWTSignature()`, replaced with `verifyJWSSignature()` #488
 
 ## [1.0.1] - 2024-09-13
 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -57,6 +57,7 @@
 use Jose\Component\Signature\Serializer\CompactSerializer;
 use Jose\Component\Signature\Serializer\JWSSerializerManager;
 use Symfony\Component\Clock\Clock;
+use Throwable;
 
 use function bin2hex;
 use function is_object;
@@ -426,10 +427,10 @@ public function authenticate(): bool
                 $id_token = $this->handleJweResponse($id_token);
             }
 
-            $jws = $this->jwsSerializerManager->unserialize($id_token);
+            $jws = $this->unserializeJWS($id_token);
 
             // Verify header
-            $this->headerCheckerManager->check($jws, 0, ['alg']);
+            $this->verifyJWSHeader($jws);
 
             // Verify the signature
             $this->verifySignatures($jws);
@@ -449,7 +450,7 @@ public function authenticate(): bool
             $this->tokenResponse = $token_json;
 
             // Get claims from JWT
-            $claims = json_decode($jws->getPayload());
+            $claims = $this->getJWSClaims($jws);
 
             if (!$this->verifyIdTokenClaims($claims)) {
                 throw new OpenIDConnectClientException('Unable to verify JWT claims');
@@ -486,10 +487,10 @@ public function authenticate(): bool
                 $id_token = $this->handleJweResponse($id_token);
             }
 
-            $jws = $this->jwsSerializerManager->unserialize($id_token);
+            $jws = $this->unserializeJWS($id_token);
 
             // Verify header
-            $this->headerCheckerManager->check($jws, 0, ['alg']);
+            $this->verifyJWSHeader($jws);
 
             // Verify the signature
             $this->verifySignatures($jws);
@@ -503,7 +504,7 @@ public function authenticate(): bool
             }
 
             // Get claims from JWT
-            $claims = json_decode($jws->getPayload());
+            $claims = $this->getJWSClaims($jws);
 
             if (!$this->verifyIdTokenClaims($claims)) {
                 throw new OpenIDConnectClientException('Unable to verify JWT claims');
@@ -607,16 +608,16 @@ public function verifyLogoutToken(): bool
             $logout_token = $this->handleJweResponse($logout_token);
         }
 
-        $jws = $this->jwsSerializerManager->unserialize($logout_token);
+        $jws = $this->unserializeJWS($logout_token);
 
         // Verify header
-        $this->headerCheckerManager->check($jws, 0, ['alg']);
+        $this->verifyJWSHeader($jws);
 
         // Verify the signature
         $this->verifySignatures($jws);
 
         // Get claims from JWT
-        $claims = json_decode($jws->getPayload());
+        $claims = $this->getJWSClaims($jws);
 
         // Verify Logout Token Claims
         if (!$this->verifyLogoutTokenClaims($claims)) {
@@ -1194,12 +1195,23 @@ private function getJWK(string $alg, string $key): JWK
         );
     }
 
+    /**
+     * Returns the claims from a JWS object
+     *
+     * @param JWS $jws
+     * @return object
+     */
+    public function getJWSClaims(JWS $jws): object
+    {
+        return json_decode($jws->getPayload());
+    }
+
     /**
      * @param JWS $jws
      * @return bool
      * @throws OpenIDConnectClientException
      */
-    public function verifyJWS(JWS $jws): bool
+    public function verifyJWSSignature(JWS $jws): bool
     {
         $signature = $jws->getSignature(0);
         $alg = $signature->getProtectedHeaderParameter('alg');
@@ -1259,13 +1271,31 @@ public function verifyJWS(JWS $jws): bool
     }
 
     /**
-     * @param string $jwt encoded JWT
+     * Verifies the JWS header of a JWS object
+     *
+     * @param JWS $jws
+     * @param int $index
+     * @param array $mandatoryHeaderParameters
      * @return void
      * @throws OpenIDConnectClientException
      */
-    public function verifySignatures(JWS $jws)
+    public function verifyJWSHeader(JWS $jws, int $index = 0, array $mandatoryHeaderParameters = ['alg']): void
     {
-        if (!$this->verifyJWS($jws)) {
+        try {
+            $this->headerCheckerManager->check($jws, $index, $mandatoryHeaderParameters);
+        } catch (Throwable) {
+            throw new OpenIDConnectClientException('Unable to verify JWS header');
+        }
+    }
+
+    /**
+     * @param JWS $jws
+     * @return void
+     * @throws OpenIDConnectClientException
+     */
+    public function verifySignatures(JWS $jws): void
+    {
+        if (!$this->verifyJWSSignature($jws)) {
             throw new OpenIDConnectClientException('Unable to verify signature');
         }
     }
@@ -1277,6 +1307,17 @@ public function urlEncode(string $str): string
         return strtr($enc, '+/', '-_');
     }
 
+    /**
+     * Unserializes a JWS string into a JWS object
+     *
+     * @param string $jws
+     * @return JWS
+     */
+    public function unserializeJWS(string $jws): JWS
+    {
+        return $this->jwsSerializerManager->unserialize($jws);
+    }
+
     /**
      * @param string $jwt encoded JWT
      * @param int $section the section we would like to decode
@@ -1381,7 +1422,7 @@ private function getClaimsFromUserInfoResponse(Response $response)
                 }
             }
 
-            $jws = $this->jwsSerializerManager->unserialize($jwt);
+            $jws = $this->unserializeJWS($jwt);
 
             return $this->getClaimsFromSignedUserInfoResponse($jws);
 
@@ -1412,13 +1453,13 @@ private function getClaimsFromUnsignedUserInfoResponse($content)
     private function getClaimsFromSignedUserInfoResponse(JWS $jws)
     {
         // Verify header
-        $this->headerCheckerManager->check($jws, 0, ['alg']);
+        $this->verifyJWSHeader($jws);
 
         // Verify the signature
         $this->verifySignatures($jws);
 
         // Get claims from JWT
-        $claims = json_decode($jws->getPayload());
+        $claims = $this->getJWSClaims($jws);
 
         /*
          * The sub (subject) Claim MUST always be returned in the UserInfo Response.
diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
