
Commit e77e20f

Merge pull request #308 from jumbojett/feat/support-header-jwk
feat: verify JWT using JWK header
2 parents 6dbd282 + ca7429b commit e77e20f


2 files changed

+25
-6
lines changed


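--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [unreleased]
+
+### Added
+
+* Support for Self-Contained JWTs. #308
+* Support for RFC8693 Token Exchange Request. #275
+
+### Fixed
+
+* PHP 5.4 compatibility. #304
+* Use session_status(). #306
+
 ## [0.9.6]
 
 ### Added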

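--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1051,14 +1051,11 @@ public function verifyJWTsignature($jwt) {
 if (null === $header || !\is_object($header)) {
 throw new OpenIDConnectClientException('Error decoding JSON from token header');
 }
-$payload = implode('.', $parts);
-$jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
-if ($jwks === NULL) {
-throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
-}
 if (!isset($header->alg)) {
 throw new OpenIDConnectClientException('Error missing signature type in token header');
 }
+
+$payload = implode('.', $parts);
 switch ($header->alg) {
 case 'RS256':
 case 'PS256':
@@ -1067,8 +1064,18 @@ public function verifyJWTsignature($jwt) {
 $hashtype = 'sha' . substr($header->alg, 2);
 $signatureType = $header->alg === 'PS256' ? 'PSS' : '';
 
+if (isset($header->jwk)) {
+$jwk = $header->jwk;
+} else {
+$jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
+if ($jwks === NULL) {
+throw new OpenIDConnectClientException('Error decoding JSON from jwks_uri');
+}
+$jwk = $this->getKeyForHeader($jwks->keys, $header);
+}
+
 $verified = $this->verifyRSAJWTsignature($hashtype,
-$this->getKeyForHeader($jwks->keys, $header),
+$jwk,
 $payload, $signature, $signatureType);
 break;
 case 'HS256':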
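Review bot: In the second hunk, `$jwk = $header->jwk;` takes the verification key from the token's own, still-unverified header, so a passing RSA check only shows the token is consistent with itself, not that the provider issued it. The key fetched from `jwks_uri` is what ties the signature to the provider, and this branch skips that lookup whenever the header carries a `jwk` member. I would keep `$jwk = $this->getKeyForHeader($jwks->keys, $header);` as the default path and accept an embedded key only behind an explicit opt-in, after checking that it matches a key the application already trusts (a provider JWKS entry or a configured key), throwing `OpenIDConnectClientException` otherwise. A comment above the branch stating that rule would help the next reader, e.g. `// header jwk is token-supplied; never use it unless it matches a trusted key`. verifyJWTsignature starts and ends outside the visible hunks, so any later check on the key is not visible here.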
