Merge branch 'master' into features/allow-client_secret_basic-on-request-token
Magentron authored Apr 3, 2023
2 parents 90b959b + e46f108 commit 5b3bd9a
Showing 3 changed files with 266 additions and 130 deletions.
226 changes: 107 additions & 119 deletions CHANGELOG.md
@@ -1,190 +1,178 @@
# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [unreleased]
* Update visibility of getWellKnownConfigValue to protected. #363
* Fixed issue on authentication for php8. #354
* Enabled `client_secret_basic` authentication on `requestClientCredentialsToken()` #347
* Support for signed and encrypted UserInfo response. #305
* Support for signed and encrypted ID Token. #305
* Update construct typehint in docblock. #364
* Fixed LogoutToken verification for single value aud claims #334

## [0.9.10]

## Fixed
### Added
- Support for signed and encrypted UserInfo response. #305
- Support for signed and encrypted ID Token. #305

* `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331
## [0.9.10] - 2022-09-30

### Fixed
- `private_key_jwt` and `client_secret_jwt` need to explicitly be enabled #331

## [0.9.9]
## [0.9.9] - 2022-09-28

### Added
- Added support for back-channel logout. #302
- Added support for `private_key_jwt` Client Authentication method #322
- Added support for `client_secret_jwt` Client Authentication method #324
- Added PS512 encryption support #342

* Added support for back-channel logout. #302
* Added support for `private_key_jwt` Client Authentication method #322
* Added support for `client_secret_jwt` Client Authentication method #324
* Added PS512 encryption support #342

## Fixed

* Harden self-signed JWK header usage. #323

## [0.9.8]
### Fixed
- Harden self-signed JWK header usage. #323

## Fixed
## [0.9.8] - 2022-08-05

* Do not use PKCE if IdP does not support it. #317
### Fixed
- Do not use PKCE if IdP does not support it. #317

## [0.9.7]
## [0.9.7] - 2022-07-13

### Added

* Support for Self-Contained JWTs. #308
* Support for RFC8693 Token Exchange Request. #275
- Support for Self-Contained JWTs. #308
- Support for RFC8693 Token Exchange Request. #275

### Fixed
- PHP 5.4 compatibility. #304
- Use session_status(). #306

* PHP 5.4 compatibility. #304
* Use session_status(). #306

## [0.9.6]
## [0.9.6] - 2022-05-08

### Added

* Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
* Support client_secret on token endpoint with PKCE. #293
* Added new parameter to `requestTokens()` to pass custom HTTP headers #297
- Support for [phpseclib/phpseclib](https://phpseclib.com/) version **3**. #260
- Support client_secret on token endpoint with PKCE. #293
- Added new parameter to `requestTokens()` to pass custom HTTP headers #297

### Changed
- Allow serializing `OpenIDConnectClient` using `serialize()` #295

* Allow serializing `OpenIDConnectClient` using `serialize()` #295

## [0.9.5]
## [0.9.5] - 2021-11-24

### Changed
- signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
- Fixed issue where missing nonce within the claims was causing an exception. #280

* signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127
* Fixed issue where missing nonce within the claims was causing an exception. #280

## [0.9.4]
## [0.9.4] - 2021-11-21

### Added
- Enabled `client_secret_basic` authentication on `refreshToken()` #215
- Basic auth support for requestResourceOwnerToken #271

* Enabled `client_secret_basic` authentication on `refreshToken()` #215
* Basic auth support for requestResourceOwnerToken #271

## [0.9.3]
## [0.9.3] - 2021-11-20

### Added
- getRedirectURL() will not log a warning for PHP 7.1+ #179
- it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
- bugfix in getSessionKey when _SESSION key does not exist #251
- Added scope parameter to refresh token request #225
- bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
- bugfix with the `empty` function in PHP 5.4 #267

* getRedirectURL() will not log a warning for PHP 7.1+ #179
* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)` #241
* bugfix in getSessionKey when _SESSION key does not exist #251
* Added scope parameter to refresh token request #225
* bugfix in `verifyJWTclaims` when $accessToken is empty and $claims->at_hash is not #276
* bugfix with the `empty` function in PHP 5.4 #267

## [0.9.2]
## [0.9.2] - 2020-11-16

### Added
* Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.
- Support for [PKCE](https://tools.ietf.org/html/rfc7636). Currently, the supported methods are 'plain' and 'S256'.

## [0.9.1]
## [0.9.1] - 2020-08-27

### Added
* Add support for MS Azure Active Directory B2C user flows
- Add support for MS Azure Active Directory B2C user flows

### Changed
* Fix at_hash verification #200
* Getters for public parameters #204
* Removed client ID query parameter when making a token request using Basic Auth
* Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.
- Fix at_hash verification #200
- Getters for public parameters #204
- Removed client ID query parameter when making a token request using Basic Auth
- Use of `random_bytes()` for token generation instead of `uniqid()`; polyfill for PHP < 7.0 provided.

### Removed
* Removed explicit content-length header - caused issues with proxy servers

- Removed explicit content-length header - caused issues with proxy servers

## [0.9.0]
## [0.9.0] - 2020-03-09

### Added
* php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
* Adding a header to indicate JSON as the return type for userinfo endpoint #151
* ~Updated OpenIDConnectClient to conditionally verify nonce #146~
* Add possibility to change enc_type parameter for http_build_query #155
* Adding OAuth 2.0 Token Introspection #156
* Add optional parameters clientId/clientSecret for introspection #157 & #158
* Adding OAuth 2.0 Token Revocation #160
* Adding issuer validator #145
* Adding signing algorithm PS256 #180
* Check http status of request user info #186
* URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
* Adjust PHPDoc to state that null is also allowed #193
- php 7.4 deprecates array_key_exists on objects, use property_exists in getVerifiedClaims and requestUserInfo
- Adding a header to indicate JSON as the return type for userinfo endpoint #151
- ~Updated OpenIDConnectClient to conditionally verify nonce #146~
- Add possibility to change enc_type parameter for http_build_query #155
- Adding OAuth 2.0 Token Introspection #156
- Add optional parameters clientId/clientSecret for introspection #157 & #158
- Adding OAuth 2.0 Token Revocation #160
- Adding issuer validator #145
- Adding signing algorithm PS256 #180
- Check http status of request user info #186
- URL encode clientId and clientSecret when using basic authentication, according to https://tools.ietf.org/html/rfc6749#section-2.3.1 #192
- Adjust PHPDoc to state that null is also allowed #193

### Changed
* Bugfix/code cleanup #152
* Cleanup PHPDoc #46e5b59
* Replace unnecessary double quotes with single quotes #2a76b57
* Use original function names instead of aliases #1f37892
* Remove unnecessary default values #5ab801e
* Explicit declare field $redirectURL #9187c0b
* Remove unused code #1e65384
* Fix indent #e9cdf56
* Cleanup conditional code flow for better readability #107f3fb
* Added strict type comparisons #167
* Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0]
- Bugfix/code cleanup #152
- Cleanup PHPDoc #46e5b59
- Replace unnecessary double quotes with single quotes #2a76b57
- Use original function names instead of aliases #1f37892
- Remove unnecessary default values #5ab801e
- Explicit declare field $redirectURL #9187c0b
- Remove unused code #1e65384
- Fix indent #e9cdf56
- Cleanup conditional code flow for better readability #107f3fb
- Added strict type comparisons #167
- Bugfix: required `openid` scope was omitted when additional scopes were registered using `addScope` method. This resulted in failing OpenID process.

## [0.8.0] - 2019-01-02

### Added
* Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token
- Fix `verifyJWTsignature()`: verify JWT to prevent php errors and warnings on invalid token

### Changed
* Decouple session manipulation, it's allow use of other session libraries #134
* Broaden version requirements of the phpseclib/phpseclib package. #144
- Decouple session manipulation, it's allow use of other session libraries #134
- Broaden version requirements of the phpseclib/phpseclib package. #144

## [0.7.0]
## [0.7.0] - 2018-10-15

### Added
* Add "license" field to composer.json #138
* Ensure key_alg is set when getting key #139
* Add option to send additional registration parameters like post_logout_redirect_uris. #140
- Add "license" field to composer.json #138
- Ensure key_alg is set when getting key #139
- Add option to send additional registration parameters like post_logout_redirect_uris. #140

### Changed
* disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137
- disabled autoload for Crypt_RSA + make refreshToken() method tolerant for errors #137

### Removed
*

## [0.6.0]
## [0.6.0] - 2018-07-17

### Added
* Added five minutes leeway due to clock skew between openidconnect server and client.
* Fix save access_token from request in implicit flow authentication #129
* `verifyJWTsignature()` method private -> public #126
* Support for providers where provider/login URL is not the same as the issuer URL. #125
* Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).
- Added five minutes leeway due to clock skew between openidconnect server and client.
- Fix save access_token from request in implicit flow authentication #129
- `verifyJWTsignature()` method private -> public #126
- Support for providers where provider/login URL is not the same as the issuer URL. #125
- Support for providers that has a different login URL from the issuer URL, for instance Azure Active Directory. Here, the provider URL is on the format: https://login.windows.net/(tenant-id), while the issuer claim actually is on the format: https://sts.windows.net/(tenant-id).

### Changed
* refreshToken method update #124

### Removed
*

## [0.5.0]
## Added
* Implement Azure AD B2C Implicit Workflow
- refreshToken method update #124

## [0.4.1]
## Changed
* Documentation updates for include path.
## [0.5.0] - 2018-04-09

## [0.4]
### Added
* Timeout is configurable via setTimeout method. This addresses issue #94.
* Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
* Add support for HS256, HS512 and HS384 signatures
* Removed unused calls to $this->getProviderConfigValue("token_endpoint_
- Implement Azure AD B2C Implicit Workflow

## [0.4.1] - 2018-02-16

### Changed
- Documentation updates for include path.

### Removed
## [0.4.0] - 2018-02-15

### Added
- Timeout is configurable via setTimeout method. This addresses issue #94.
- Add the ability to authenticate using the Resource Owner flow (with or without the Client ID and ClientSecret). This addresses issue #98
- Add support for HS256, HS512 and HS384 signatures
- Removed unused calls to $this->getProviderConfigValue("token_endpoint_
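Review bot: the merged `## [unreleased]` section keeps only the two #305 entries, while the removed side of this hunk also listed #363 (getWellKnownConfigValue visibility), #354 (php8 authentication fix), #347 (`client_secret_basic` on `requestClientCredentialsToken()`), #364 (constructor docblock) and #334 (LogoutToken single-value `aud`); the src/OpenIDConnectClient.php hunks in this same commit carry the matching code (getWellKnownConfigValue() made protected, the rewritten constructor docblock, the `isset($_REQUEST['state'])` guards in authenticate(), the single-value `aud` normalisation in verifyLogoutTokenClaims()), and #347 is the feature this branch exists for, so those entries should be restored under [unreleased] in the new `### Added` / `### Changed` / `### Fixed` layout rather than lost in the conflict resolution. Separately, the last line of the 0.4.0 entry is still cut off after `getProviderConfigValue("token_endpoint_` on both sides of the diff; it is worth finishing while this file is being touched.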
23 changes: 12 additions & 11 deletions src/OpenIDConnectClient.php
@@ -145,7 +145,7 @@ class OpenIDConnectClient
protected $idToken;

/**
* @var string stores the token response
* @var object stores the token response
*/
private $tokenResponse;

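Review bot: `@var object` is still not the full contract for `$tokenResponse`: the property is declared without an initializer, so it is `null` until a token request has succeeded, and callers of `getTokenResponse()` (whose `@return object` in the last hunk of this file has the same gap) must handle that case; `@var object|null` and `@return object|null` describe what the code actually does.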
@@ -272,11 +272,10 @@ class OpenIDConnectClient
private $token_endpoint_auth_methods_supported = ['client_secret_basic'];

/**
* @param $provider_url string optional
*
* @param $client_id string optional
* @param $client_secret string optional
* @param null $issuer
* @param string|null $provider_url optional
* @param string|null $client_id optional
* @param string|null $client_secret optional
* @param string|null $issuer
*/
public function __construct($provider_url = null, $client_id = null, $client_secret = null, $issuer = null) {
$this->setProviderURL($provider_url);
@@ -338,7 +337,7 @@ public function authenticate() {
}

// Do an OpenID Connect session check
if ($_REQUEST['state'] !== $this->getState()) {
if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
throw new OpenIDConnectClientException('Unable to determine state');
}

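Review bot: the added `isset()` guard removes the undefined-index warning, but the value is still read from `$_REQUEST`, which merges GET, POST and, depending on PHP's `request_order` (or `variables_order` when `request_order` is unset), cookies, so a cookie named `state` can satisfy or defeat this check independently of the authorization response it is meant to bind; read `state` from the superglobal the flow actually uses (`$_GET` for the query-string response, `$_POST` for `response_mode=form_post`) and leave `$_REQUEST` out of the CSRF binding. The same applies to the identical check in the next hunk.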
@@ -401,7 +400,7 @@ public function authenticate() {
}

// Do an OpenID Connect session check
if ($_REQUEST['state'] !== $this->getState()) {
if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) {
throw new OpenIDConnectClientException('Unable to determine state');
}

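Review bot: this is the second verbatim copy of the `state` check inside authenticate() (the first is in the previous hunk), and both had to be patched in lockstep here; move the lookup and comparison into one small private helper (name is a suggestion, e.g. `verifyState()`) so the two call sites cannot drift apart again, and so that any later change to where `state` is read from happens in one place.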
@@ -564,7 +563,9 @@ public function verifyLogoutTokenClaims($claims)
return false;
}
// Validate the aud
if ((!$claims->aud === $this->clientID) || (!in_array($this->clientID, $claims->aud, true))) {
$auds = $claims->aud;
$auds = is_array( $auds ) ? $auds : [ $auds ];
if (!in_array($this->clientID, $auds, true)) {
return false;
}
// Validate the iat. At this point we can return true if it is ok
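Review bot: `$auds = $claims->aud;` dereferences the claim without an `isset()`/`property_exists()` guard, so a logout token that omits `aud` (required by the Back-Channel Logout spec, but not something an untrusted sender can be relied on for) raises a PHP warning on its way to `return false`, unless a check above the lines shown here already rejects it; `if (!isset($claims->aud)) { return false; }` ahead of the normalisation closes that. The normalisation itself is correct: a string `aud` becomes a one-element array and the strict `in_array()` replaces the old `(!$claims->aud === $this->clientID)`, which compared a boolean to the client ID and then handed a string to `in_array()`. Style only: `is_array( $auds )` and `[ $auds ]` use inner spacing that the rest of this file does not.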
@@ -640,7 +641,7 @@ protected function getProviderConfigValue($param, $default = null) {
* @return string
*
*/
private function getWellKnownConfigValue($param, $default = null) {
protected function getWellKnownConfigValue($param, $default = null) {

// If the configuration value is not available, attempt to fetch it from a well known config endpoint
// This is also known as auto "discovery"
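Review bot: making getWellKnownConfigValue() protected turns it into an extension point, so the docblock directly above it should spell out the contract subclasses have to keep: the signature takes `$param` and `$default = null`, which means `@return string` is incomplete whenever the default is handed back (document `@return string|null`, or the real type, together with the two parameters if they are not already described above the lines shown), and an override that skips the discovery fetch described in the comment changes how every endpoint is resolved, which deserves a sentence there as well.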
@@ -1936,7 +1937,7 @@ public function getIdTokenPayload() {
}

/**
* @return string
* @return object
*/
public function getTokenResponse() {
return $this->tokenResponse;