Refactor jwt handling

[samuelwei]

List of common tasks a pull request require complete

• Changelog entry is added or the pull request don't alter library's functionality

Closes #484

Added

• Support for elliptic curves (ES256, ES384 & ES512), Closes Support for elliptic curve (EC) JWT token signature algorithms #450
• Support for EdDSA (only Ed25519), Closes Add support for EdDSA  #457
• getJtiFromBackChannel(), Closes Fix: Verfify jti claim exists on backchannel logout token #481
• getJWSClaims
• verifyJWSHeader

Changed

• Replaced custom jwt parsing and verifiction with https://packagist.org/packages/web-token/jwt-framework
• Bumped min php Version to 8.1
• Refactored fetchURL to return new custom Response class to improve testing
• Nonce claim must be present, Partially reverts Check nonce isset #280 (1)
• verifySignatures() method signuture, accepting JWS object instead of string
• Validate state before ID Token request., Closes Validate state before ID Token request #447

Removed

• getResponseCode(), replaced with new response method getStatus()
• getResponseContentType(), replaced with new response method getContentType()
• verifyJWTClaims(), replaced with individual checks using the ClaimCheckerManager, as the claims that have to be checked are too different across the different types of requests to move logic to a simple function
• validateIssuer(), replaced with IssuerChecker
• verifyJWTSignature(), replaced with verifyJWSSignature()

Fixed

• Missing iat claim verification, Closes Verify iat on verifyJWTClaims #476
• Exception when iss is missing, Closes Fix exception when iss is missing #477
• Missing check of events claim when verifying Logout Token claims, Closes Fix: Missing events claim check on backchannel logout #480
• Missing check of jti claim when verifying Logout Token claims, Closes Fix: Verfify jti claim exists on backchannel logout token #481
• Missing check of subject claim for unsigned UserInfo Responses, Closes Check subject on unsigned / unencrypted response #478

---

Comments

1: Nonce must be present, see https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation and https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation as we always send a nonce to the OpenID Connect server (see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L761)

[samuelwei]

@DeepDiver1975 This PR implements the changes discussed in #484 and a few other items, as listed above.

What are your thoughts? I also added a few new tests

Are you fine with creating the tokens/jwts during the tests, or should they all be pre-created and stored in fixtures ?

[LarsKollstedt]

I've testet this with php 8.1 on Ubuntu 22.04 against a kanidm 1.7.3 server. Because the Kanidm Cryptographic settings require ES256. It at least seems to work for me so far. ;-)