
Auth0::exchange() assumes a valid id_token #317

Closed
macdaddyaz opened this issue Jan 28, 2019 · 5 comments
Labels
Scope: Bug Addressing unexpected problems or unintended behavior.
Comments

@macdaddyaz

macdaddyaz commented Jan 28, 2019

I am running into an error from the Auth0\SDK\Auth0::exchange() method. In the following snippet, it attempts to pull the id_token out of the code_exchange response:

        $idToken = false;
        if (isset($response['id_token'])) {
            $idToken = $response['id_token'];
        }

If there is no id_token, then the $idToken variable is just left with the value false. It then passes that value directly to the setIdToken method, which is not prepared to handle a non-JWT value. This results in the script throwing an exception:

[2019-01-28 18:11:49] local.ERROR: Wrong number of segments {"exception":"[object] (Auth0\\SDK\\Exception\\InvalidTokenException(code: 0): Wrong number of segments at /path/to/project/vendor/auth0/auth0-php/src/JWTVerifier.php:176)

It seems that the fix could be as simple as:

        $this->setAccessToken($accessToken);
        if ($idToken) { // Guard the setIdToken method
            $this->setIdToken($idToken);
        }
        $this->setRefreshToken($refreshToken);

@joshcanhelp
Contributor

joshcanhelp commented Jan 29, 2019

@macdaddyaz - You're correct, this should definitely be more careful about that call. Happy to put through a PR and release to fix that.

That said, this works fine for a default setup. Can you provide me with the code you're using to generate a token response without an ID token?

@macdaddyaz
Author

Well, that's a different matter entirely 😁 I'm using an auth code that is getting pushed to my app after an IdP-initiated SAML handshake. I actually have an open ticket to find out why that code is not associated with any scopes (including openid or profile). So it isn't my code per se that is getting such a token.

However, I could see someone legitimately needing a pure access token, like if they are only trying to invoke some API on the user's behalf. In that case, they might invoke login with an audience and some custom scopes, but not the openid scope (because the API isn't going to invoke the /userinfo endpoint). So that would be a case where the exchange would not return an ID token.

@joshcanhelp
Contributor

joshcanhelp commented Jan 30, 2019

OK, that makes sense. I wanted to see what your specific case is but we can recreate it with exactly what you explained in your second paragraph:

// login.php
$auth0 = new Auth0( [
    'domain'        => AUTH0_DOMAIN,
    'client_id'     => AUTH0_CLIENT_ID,
    'client_secret' => AUTH0_CLIENT_SECRET,
    'redirect_uri'  => 'https://localhost/callback.php',
    'audience'      => 'https://api.identifier',
    'scope'         => 'read:messages',
] );
$auth0->login();

// callback.php
$auth0 = new Auth0( [
    'domain'        => AUTH0_DOMAIN,
    'client_id'     => AUTH0_CLIENT_ID,
    'client_secret' => AUTH0_CLIENT_SECRET,
] );
$auth0->getUser();

... throws:

Fatal error: Uncaught Auth0\SDK\Exception\InvalidTokenException: Wrong number of segments in /Users/josh/Sites/php-auth0/auth0/src/JWTVerifier.php on line 176

Thanks again for the report, I'll get a PR in for that ASAP.
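The guarded sequence proposed in the first comment, fed with the access-token-only response that the reproduction above produces, as an added example that is not code from auth0-php. The class and function names (TokenResponseHandler, looksLikeJwt) are hypothetical, and the token values are constructed.

```php
<?php
// Added example, not auth0-php code: a minimal re-implementation of the
// post-exchange handling the issue proposes, plus a shape check so a non-JWT
// value is rejected before any decode attempt. Names here are hypothetical.

function looksLikeJwt(string $token): bool
{
    // A compact JWS/JWT has exactly three base64url segments; "Wrong number of
    // segments" in the report is the verifier's reaction to anything else.
    $segments = explode('.', $token);
    if (count($segments) !== 3) {
        return false;
    }
    foreach ($segments as $segment) {
        if ($segment === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
            return false;
        }
    }
    return true;
}

final class TokenResponseHandler
{
    private ?string $accessToken = null;
    private ?string $idToken = null;
    private ?string $refreshToken = null;

    /**
     * Mirrors the guarded sequence from the issue: the access token is always
     * required, the ID token is only stored when present (and well-formed),
     * and the refresh token is optional.
     */
    public function handle(array $response): void
    {
        if (empty($response['access_token']) || !is_string($response['access_token'])) {
            throw new InvalidArgumentException('Token response is missing access_token');
        }
        $this->accessToken = $response['access_token'];

        // Guard: no id_token comes back when the openid scope was not requested
        // (audience + custom scopes only), so this branch is simply skipped.
        if (isset($response['id_token'])) {
            if (!is_string($response['id_token']) || !looksLikeJwt($response['id_token'])) {
                throw new InvalidArgumentException('id_token is present but is not a compact JWT');
            }
            $this->idToken = $response['id_token'];
        }

        if (isset($response['refresh_token']) && is_string($response['refresh_token'])) {
            $this->refreshToken = $response['refresh_token'];
        }
    }

    public function hasIdToken(): bool { return $this->idToken !== null; }
    public function getAccessToken(): ?string { return $this->accessToken; }
    public function getIdToken(): ?string { return $this->idToken; }
    public function getRefreshToken(): ?string { return $this->refreshToken; }
}

// Constructed sample: an access-token-only response, as returned for a login
// with an audience and the 'read:messages' scope but no openid scope.
$apiOnly = [
    'access_token' => 'constructed.access.token',
    'token_type'   => 'Bearer',
    'expires_in'   => 86400,
];
$handler = new TokenResponseHandler();
$handler->handle($apiOnly);
var_dump($handler->hasIdToken()); // bool(false), and no exception is thrown

// Constructed sample: the failure mode the report describes, a value that is
// not a compact JWT reaching the ID-token path. Rejected here with a clear
// message instead of failing deep inside JWT verification.
try {
    (new TokenResponseHandler())->handle(['access_token' => 'abc', 'id_token' => false]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point is that the absence of an ID token is a normal outcome of the scopes requested, not an error, while a present-but-malformed ID token is a hard failure; conflating the two (as the original `false` fallthrough did) turns a valid API-only login into an exception.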

@joshcanhelp
Contributor

Fixed in master! We have a couple more tasks to do for the next minor and we'll get this out.

@joshcanhelp joshcanhelp added this to the v5-Next-Minor milestone Feb 4, 2019
@joshcanhelp joshcanhelp added the Scope: Bug Addressing unexpected problems or unintended behavior. label Feb 4, 2019
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2022