OIDC Userinfo: Fixed issues with validation logic from changes

ssddanbrown · ssddanbrown · commit 8b14a701a479 · 2024-04-19T16:43:51.000+01:00
Also updated test to suit validation changes
diff --git a/app/Access/Oidc/OidcIdToken.php b/app/Access/Oidc/OidcIdToken.php
@@ -11,7 +11,7 @@ class OidcIdToken extends OidcJwtWithClaims implements ProvidesClaims
      */
     public function validate(string $clientId): bool
     {
-        parent::validateCommonClaims();
+        parent::validateCommonTokenDetails($clientId);
         $this->validateTokenClaims($clientId);
 
         return true;
diff --git a/app/Access/Oidc/OidcJwtWithClaims.php b/app/Access/Oidc/OidcJwtWithClaims.php
@@ -59,11 +59,11 @@ protected function base64UrlDecode(string $encoded): string
      *
      * @throws OidcInvalidTokenException
      */
-    public function validateCommonTokenDetails(): bool
+    public function validateCommonTokenDetails(string $clientId): bool
     {
         $this->validateTokenStructure();
         $this->validateTokenSignature();
-        $this->validateCommonClaims();
+        $this->validateCommonClaims($clientId);
 
         return true;
     }
@@ -151,7 +151,7 @@ protected function validateTokenSignature(): void
      *
      * @throws OidcInvalidTokenException
      */
-    protected function validateCommonClaims(): void
+    protected function validateCommonClaims(string $clientId): void
     {
         // 1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
         // MUST exactly match the value of the iss (issuer) Claim.
@@ -167,7 +167,7 @@ protected function validateCommonClaims(): void
         }
 
         $aud = is_string($this->payload['aud']) ? [$this->payload['aud']] : $this->payload['aud'];
-        if (!in_array($this->payload['aud'], $aud, true)) {
+        if (!in_array($clientId, $aud, true)) {
             throw new OidcInvalidTokenException('Token audience value did not match the expected client_id');
         }
     }
diff --git a/app/Access/Oidc/OidcService.php b/app/Access/Oidc/OidcService.php
@@ -253,7 +253,7 @@ protected function getUserDetailsFromToken(OidcIdToken $idToken, OidcAccessToken
             );
 
             try {
-                $response->validate($idToken->getClaim('sub'));
+                $response->validate($idToken->getClaim('sub'), $settings->clientId);
             } catch (OidcInvalidTokenException $exception) {
                 throw new OidcException("Userinfo endpoint response validation failed with error: {$exception->getMessage()}");
             }
diff --git a/app/Access/Oidc/OidcUserinfoResponse.php b/app/Access/Oidc/OidcUserinfoResponse.php
@@ -25,10 +25,10 @@ public function __construct(ResponseInterface $response, string $issuer, array $
     /**
      * @throws OidcInvalidTokenException
      */
-    public function validate(string $idTokenSub): bool
+    public function validate(string $idTokenSub, string $clientId): bool
     {
         if (!is_null($this->jwt)) {
-            $this->jwt->validateCommonTokenDetails();
+            $this->jwt->validateCommonTokenDetails($clientId);
         }
 
         $sub = $this->getClaim('sub');
diff --git a/tests/Unit/OidcIdTokenTest.php b/tests/Unit/OidcIdTokenTest.php
@@ -113,7 +113,7 @@ public function test_token_claim_error_cases()
             // 2. aud claim present
             ['Missing token audience value', ['aud' => null]],
             // 2. aud claim validates all values against those expected (Only expect single)
-            ['Token audience value has 2 values, Expected 1', ['aud' => ['abc', 'def']]],
+            ['Token audience value has 2 values, Expected 1', ['aud' => ['xxyyzz.aaa.bbccdd.123', 'def']]],
             // 2. aud claim matches client id
             ['Token audience value did not match the expected client_id', ['aud' => 'xxyyzz.aaa.bbccdd.456']],
             // 4. azp claim matches client id if present

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ class OidcIdToken extends OidcJwtWithClaims implements ProvidesClaims`
`11`	`11`	`*/`
`12`	`12`	`public function validate(string $clientId): bool`
`13`	`13`	`{`
`14`		`- parent::validateCommonClaims();`
	`14`	`+ parent::validateCommonTokenDetails($clientId);`
`15`	`15`	`$this->validateTokenClaims($clientId);`
`16`	`16`
`17`	`17`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -59,11 +59,11 @@ protected function base64UrlDecode(string $encoded): string`
`59`	`59`	`*`
`60`	`60`	`* @throws OidcInvalidTokenException`
`61`	`61`	`*/`
`62`		`- public function validateCommonTokenDetails(): bool`
	`62`	`+ public function validateCommonTokenDetails(string $clientId): bool`
`63`	`63`	`{`
`64`	`64`	`$this->validateTokenStructure();`
`65`	`65`	`$this->validateTokenSignature();`
`66`		`- $this->validateCommonClaims();`
	`66`	`+ $this->validateCommonClaims($clientId);`
`67`	`67`
`68`	`68`	`return true;`
`69`	`69`	`}`
`@@ -151,7 +151,7 @@ protected function validateTokenSignature(): void`
`151`	`151`	`*`
`152`	`152`	`* @throws OidcInvalidTokenException`
`153`	`153`	`*/`
`154`		`- protected function validateCommonClaims(): void`
	`154`	`+ protected function validateCommonClaims(string $clientId): void`
`155`	`155`	`{`
`156`	`156`	`// 1. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)`
`157`	`157`	`// MUST exactly match the value of the iss (issuer) Claim.`
`@@ -167,7 +167,7 @@ protected function validateCommonClaims(): void`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`$aud = is_string($this->payload['aud']) ? [$this->payload['aud']] : $this->payload['aud'];`
`170`		`- if (!in_array($this->payload['aud'], $aud, true)) {`
	`170`	`+ if (!in_array($clientId, $aud, true)) {`
`171`	`171`	`throw new OidcInvalidTokenException('Token audience value did not match the expected client_id');`
`172`	`172`	`}`
`173`	`173`	`}`
Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,7 @@ protected function getUserDetailsFromToken(OidcIdToken $idToken, OidcAccessToken`
`253`	`253`	`);`
`254`	`254`
`255`	`255`	`try {`
`256`		`- $response->validate($idToken->getClaim('sub'));`
	`256`	`+ $response->validate($idToken->getClaim('sub'), $settings->clientId);`
`257`	`257`	`} catch (OidcInvalidTokenException $exception) {`
`258`	`258`	`throw new OidcException("Userinfo endpoint response validation failed with error: {$exception->getMessage()}");`
`259`	`259`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,10 +25,10 @@ public function __construct(ResponseInterface $response, string $issuer, array $`
`25`	`25`	`/**`
`26`	`26`	`* @throws OidcInvalidTokenException`
`27`	`27`	`*/`
`28`		`- public function validate(string $idTokenSub): bool`
	`28`	`+ public function validate(string $idTokenSub, string $clientId): bool`
`29`	`29`	`{`
`30`	`30`	`if (!is_null($this->jwt)) {`
`31`		`- $this->jwt->validateCommonTokenDetails();`
	`31`	`+ $this->jwt->validateCommonTokenDetails($clientId);`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`$sub = $this->getClaim('sub');`