
Accept multiple issuers
 - support issuers accounts.google.com and https://accounts.google.com/ by default.
ecoopnet authored and bshaffer committed Oct 16, 2015
1 parent a07f458 commit 043fab5
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions src/Google/Auth/OAuth2.php
Expand Up @@ -32,6 +32,7 @@ class Google_Auth_OAuth2 extends Google_Auth_Abstract
const AUTH_TOKEN_LIFETIME_SECS = 300; // five minutes in seconds
const MAX_TOKEN_LIFETIME_SECS = 86400; // one day in seconds
const OAUTH2_ISSUER = 'accounts.google.com';
const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com';

/** @var Google_Auth_AssertionCredentials $assertionCredentials */
private $assertionCredentials;
Expand Down Expand Up @@ -488,7 +489,12 @@ public function verifyIdToken($id_token = null, $audience = null)
$audience = $this->client->getClassConfig($this, 'client_id');
}

return $this->verifySignedJwtWithCerts($id_token, $certs, $audience, self::OAUTH2_ISSUER);
return $this->verifySignedJwtWithCerts(
$id_token,
$certs,
$audience,
array(self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS)
);
}

/**
Expand Down Expand Up @@ -595,13 +601,15 @@ public function verifySignedJwtWithCerts(
);
}

// support HTTP and HTTPS issuers
// @see https://developers.google.com/identity/sign-in/web/backend-auth
$iss = $payload['iss'];
if ($issuer && $iss != $issuer) {
if ($issuer && !in_array($iss, (array) $issuer)) {
throw new Google_Auth_Exception(
sprintf(
"Invalid issuer, %s != %s: %s",
"Invalid issuer, %s not in %s: %s",
$iss,
$issuer,
"[".implode(",", $issuers)."]",
$json_body
)
);
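Review bot: The sprintf argument on the new line `"[".implode(",", $issuers)."]"` references `$issuers`, which is not defined anywhere in this hunk — the variable being checked is `$issuer` — so the exception message is built from an undefined variable (a notice, and an empty list in the message) exactly when the issuer check fails; it should read `"[".implode(",", (array) $issuer)."]"`. The new guard `in_array($iss, (array) $issuer)` also uses loose comparison on a value read from the token payload; pass `true` as the third argument, `if ($issuer && !in_array($iss, (array) $issuer, true)) {`, so only an identical string is accepted. Since `$issuer` now takes an array as well as a string, the docblock of verifySignedJwtWithCerts (its signature and the rest of its body lie outside this hunk) should say so, e.g. `@param string|array $issuer accepted issuer value(s); a string or a list of strings`.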
