adds tests + fixes bugs for multiple issuers
bshaffer committed Oct 16, 2015
1 parent 043fab5 commit 3ae19bb
Showing 2 changed files with 46 additions and 3 deletions.
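--- a/src/Google/Auth/OAuth2.php
+++ b/src/Google/Auth/OAuth2.php
@@ -609,7 +609,7 @@ public function verifySignedJwtWithCerts(
 sprintf(
 "Invalid issuer, %s not in %s: %s",
 $iss,
-"[".implode(",", $issuers)."]",
+"[".implode(",", (array) $issuer)."]",
 $json_body
 )
 );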
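Review bot: The message built in this `sprintf` still ends with `$json_body`, which by its name holds the token's payload, so the claims of a rejected token are copied into the exception text and on into any log or error page that surfaces `Google_Auth_Exception`. Reporting the mismatching claim alone is enough for diagnosis: use `"Invalid issuer, %s not in %s"` with `$iss` and the bracketed issuer list, and drop the third argument. `$iss` presumably comes from the token as well (its assignment is not visible here), so anything that displays the message should escape it. The comparison that guards this throw, and the start and end of `verifySignedJwtWithCerts`, are outside the hunk.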
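--- a/tests/general/AuthTest.php
+++ b/tests/general/AuthTest.php
@@ -149,18 +149,61 @@ public function testVerifySignedJwtWithCerts()
 }
 
 // Checks that the id token fails to verify with the expected message.
-private function checkIdTokenFailure($id_token, $msg)
+private function checkIdTokenFailure($id_token, $msg, $issuer = null)
 {
 $certs = $this->getSignonCerts();
 $oauth2 = new Google_Auth_OAuth2($this->getClient());
 try {
-$oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id");
+$oauth2->verifySignedJwtWithCerts($id_token, $certs, "client_id", $issuer);
 $this->fail("Should have thrown for $id_token");
 } catch (Google_Auth_Exception $e) {
 $this->assertContains($msg, $e->getMessage());
 }
 }
 
+public function testVerifySignedJwtWithMultipleIssuers()
+{
+$id_token = $this->makeSignedJwt(
+array(
+"iss" => "system.gserviceaccount.com",
+"aud" => "client_id",
+"sub" => self::USER_ID,
+"iat" => time(),
+"exp" => time() + 3600
+)
+);
+$certs = $this->getSignonCerts();
+$oauth2 = new Google_Auth_OAuth2($this->getClient());
+$ticket = $oauth2->verifySignedJwtWithCerts(
+$id_token,
+$certs,
+"client_id",
+['system.gserviceaccount.com', 'https://system.gserviceaccount.com']
+);
+$this->assertEquals(self::USER_ID, $ticket->getUserId());
+// Check that payload and envelope got filled in.
+$attributes = $ticket->getAttributes();
+$this->assertEquals("JWT", $attributes["envelope"]["typ"]);
+$this->assertEquals("client_id", $attributes["payload"]["aud"]);
+}
+
+public function testVerifySignedJwtWithBadIssuer()
+{
+$id_token = $this->makeSignedJwt(
+array(
+"iss" => "fake.gserviceaccount.com",
+"aud" => "client_id",
+"sub" => self::USER_ID,
+"iat" => time(),
+"exp" => time() + 3600
+)
+);
+
+$issuers = ['system.gserviceaccount.com', 'https://system.gserviceaccount.com'];
+$this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers[0]);
+$this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers);
+}
+
 public function testVerifySignedJwtWithBadJwt()
 {
 $this->checkIdTokenFailure("foo", "Wrong number of segments");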
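Review bot: `testVerifySignedJwtWithBadIssuer` rejects only `fake.gserviceaccount.com`, a value unlike any accepted issuer, so both assertions would still pass if the issuer match were a prefix, substring or case-insensitive comparison. A test that runs near-miss `iss` values against the same `$issuers` list pins the check to an exact match; the sketch below uses constructed values and assumes the verifier reports them with the same `Invalid issuer` message. The success path in `testVerifySignedJwtWithMultipleIssuers` only covers a token matching the first list entry, passed as an array, so a token whose `iss` is the `https://` form and a call with a single string issuer are worth adding too. The new tests also mix `array(...)` with the short `[...]` syntax, which needs PHP 5.4; confirm that against the project's minimum supported version.

```php
public function testVerifySignedJwtWithNearMissIssuer()
{
  $issuers = array('system.gserviceaccount.com', 'https://system.gserviceaccount.com');
  // Constructed values: each differs from an accepted issuer only by case, scheme or suffix.
  $nearMisses = array(
      'SYSTEM.gserviceaccount.com',
      'http://system.gserviceaccount.com',
      'system.gserviceaccount.com.invalid',
  );
  foreach ($nearMisses as $iss) {
    $id_token = $this->makeSignedJwt(
        array(
          "iss" => $iss,
          "aud" => "client_id",
          "sub" => self::USER_ID,
          "iat" => time(),
          "exp" => time() + 3600
        )
    );
    $this->checkIdTokenFailure($id_token, 'Invalid issuer', $issuers);
  }
}
```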
