Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat!: allow firebase/php-jwt v6 #391

Merged
merged 20 commits into from
Apr 13, 2022
Merged
Show file tree
Hide file tree
Changes from 18 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion composer.json
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"require": {
"php": "^7.1||^8.0",
"firebase/php-jwt": "~5.0",
"firebase/php-jwt": "^5.5||^6.0",
"guzzlehttp/guzzle": "^6.2.1|^7.0",
"guzzlehttp/psr7": "^1.7|^2.0",
"psr/http-message": "^1.0",
Expand Down
102 changes: 80 additions & 22 deletions src/OAuth2.php
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
namespace Google\Auth;

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Google\Auth\HttpHandler\HttpClientCache;
use Google\Auth\HttpHandler\HttpHandlerFactory;
use GuzzleHttp\Psr7\Query;
Expand Down Expand Up @@ -380,17 +381,18 @@ public function __construct(array $config)
* - otherwise returns the payload in the idtoken as a PHP object.
*
* The behavior of this method varies depending on the version of
* `firebase/php-jwt` you are using. In versions lower than 3.0.0, if
* `$publicKey` is null, the key is decoded without being verified. In
* newer versions, if a public key is not given, this method will throw an
* `\InvalidArgumentException`.
* `firebase/php-jwt` you are using. In versions 6.0 and above, you cannot
* provide multiple $allowed_algs, and instead must provide an array of Key
* objects as the $publicKey.
*
* @param string $publicKey The public key to use to authenticate the token
* @param array<string> $allowed_algs List of supported verification algorithms
* @param string|Key|Key[] $publicKey The public key to use to authenticate the token
* @param string|array<string> $allowed_algs algorithm or array of supported verification algorithms.
* Providing more than one algorithm will throw an exception.
* @throws \DomainException if the token is missing an audience.
* @throws \DomainException if the audience does not match the one set in
* the OAuth2 class instance.
* @throws \UnexpectedValueException If the token is invalid
* @throws \InvalidArgumentException If more than one value for allowed_algs is supplied
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
* @throws \Firebase\JWT\SignatureInvalidException If the signature is invalid.
* @throws \Firebase\JWT\BeforeValidException If the token is not yet valid.
* @throws \Firebase\JWT\ExpiredException If the token has expired.
Expand Down Expand Up @@ -461,7 +463,7 @@ public function toJwt(array $config = [])
}
$assertion += $this->getAdditionalClaims();

return $this->jwtEncode(
return JWT::encode(
$assertion,
$this->getSigningKey(),
$this->getSigningAlgorithm(),
Expand Down Expand Up @@ -1441,30 +1443,86 @@ private function coerceUri($uri)

/**
* @param string $idToken
* @param string|array<string>|null $publicKey
* @param array<string> $allowedAlgs
* @param Key|Key[]|string|string[] $publicKey
* @param string|string[] $allowedAlgs
* @return object
*/
private function jwtDecode($idToken, $publicKey, $allowedAlgs)
{
return JWT::decode($idToken, $publicKey, $allowedAlgs);
$keys = $this->getFirebaseJwtKeys($publicKey, $allowedAlgs);

// Default exception if none are caught. We are using the same exception
// class and message from firebase/php-jwt to preserve backwards
// compatibility.
$e = new \InvalidArgumentException('Key may not be empty');
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
foreach ($keys as $key) {
try {
return JWT::decode($idToken, $key);
} catch (\Exception $e) {
// try next alg
}
}
throw $e;
}

/**
* @param array<mixed> $assertion
* @param string $signingKey
* @param string $signingAlgorithm
* @param string $signingKeyId
* @return string
* @param Key|Key[]|string|string[] $publicKey
* @param string|string[] $allowedAlgs
* @return Key[]
*/
private function jwtEncode($assertion, $signingKey, $signingAlgorithm, $signingKeyId = null)
private function getFirebaseJwtKeys($publicKey, $allowedAlgs)
{
return JWT::encode(
$assertion,
$signingKey,
$signingAlgorithm,
$signingKeyId
);
// If $publicKey is instance of Key, return it
if ($publicKey instanceof Key) {
return [$publicKey];
}

// If $allowedAlgs is empty, $publicKey must be Key or Key[].
if (empty($allowedAlgs)) {
$pubKeys = [];
foreach ((array) $publicKey as $kid => $pubKey) {
if (!$pubKey instanceof Key) {
throw new \InvalidArgumentException(sprintf(
'When allowed algorithms is empty, the public key must'
. 'be an instance of %s or an array of %s objects',
Key::class,
Key::class
));
}
$pubKeys[$kid] = $pubKey;
}
return $pubKeys;
}

$allowedAlg = null;
if (is_string($allowedAlgs)) {
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
$allowedAlg = $allowedAlg;
} elseif (is_array($allowedAlgs)) {
if (count($allowedAlgs) > 1) {
throw new \InvalidArgumentException(
'To have multiple allowed algorithms, You must provide an'
. ' array of Firebase\JWT\Key objects.'
. ' See https://github.com/firebase/php-jwt for more information.');
}
$allowedAlg = array_pop($allowedAlgs);
} else {
throw new \InvalidArgumentException('allowed algorithms must be a string or array.');
}

if (is_array($publicKey)) {
// When publicKey is greater than 1, create keys with the single alg.
$keys = [];
foreach ($publicKey as $kid => $pubkey) {
if ($pubkey instanceof Key) {
$keys[$kid] = $pubkey;
} else {
$keys[$kid] = new Key($pubkey, $allowedAlg);
}
}
return $keys;
}

return [new Key($publicKey, $allowedAlg)];
}

/**
Expand Down
4 changes: 2 additions & 2 deletions tests/Credentials/ServiceAccountCredentialsTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

use DomainException;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Google\Auth\ApplicationDefaultCredentials;
use Google\Auth\Credentials\ServiceAccountCredentials;
use Google\Auth\Credentials\ServiceAccountJwtAccessCredentials;
Expand Down Expand Up @@ -799,8 +800,7 @@ public function testJwtAccessFromApplicationDefault()
$this->assertArrayHasKey('authorization', $metadata);
$token = str_replace('Bearer ', '', $metadata['authorization'][0]);
$key = file_get_contents(__DIR__ . '/../fixtures3/key.pub');

$result = JWT::decode($token, $key, ['RS256']);
$result = JWT::decode($token, new Key($key, 'RS256'));

$this->assertEquals($authUri, $result->aud);
}
Expand Down
84 changes: 68 additions & 16 deletions tests/OAuth2Test.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@

use DomainException;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
use Google\Auth\OAuth2;
use GuzzleHttp\Psr7\Query;
use GuzzleHttp\Psr7\Utils;
Expand Down Expand Up @@ -442,15 +443,15 @@ public function testFailsWithMissingSigningAlgorithm()
public function testCanHS256EncodeAValidPayloadWithSigningKeyId()
{
$testConfig = $this->signingMinimal;
$keys = array(
'example_key_id1' => 'example_key1',
'example_key_id2' => 'example_key2'
);
$testConfig['signingKey'] = $keys['example_key_id2'];
$keys = [
'example_key_id1' => new Key('example_key1', 'HS256'),
'example_key_id2' => new Key('example_key2', 'HS256'),
];
$testConfig['signingKey'] = $keys['example_key_id2']->getKeyMaterial();
$testConfig['signingKeyId'] = 'example_key_id2';
$o = new OAuth2($testConfig);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $keys, array('HS256'));
$roundTrip = JWT::decode($payload, $keys);
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
Expand All @@ -459,16 +460,16 @@ public function testCanHS256EncodeAValidPayloadWithSigningKeyId()
public function testFailDecodeWithoutSigningKeyId()
{
$testConfig = $this->signingMinimal;
$keys = array(
'example_key_id1' => 'example_key1',
'example_key_id2' => 'example_key2'
);
$testConfig['signingKey'] = $keys['example_key_id2'];
$keys = [
'example_key_id1' => new Key('example_key1', 'HS256'),
'example_key_id2' => new Key('example_key2', 'HS256'),
];
$testConfig['signingKey'] = $keys['example_key_id2']->getKeyMaterial();
$o = new OAuth2($testConfig);
$payload = $o->toJwt();

try {
JWT::decode($payload, $keys, array('HS256'));
JWT::decode($payload, $keys);
} catch (\Exception $e) {
// Workaround: In old JWT versions throws DomainException
$this->assertTrue(
Expand All @@ -485,7 +486,7 @@ public function testCanHS256EncodeAValidPayload()
$testConfig = $this->signingMinimal;
$o = new OAuth2($testConfig);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $testConfig['signingKey'], array('HS256'));
$roundTrip = JWT::decode($payload, new Key($testConfig['signingKey'], 'HS256'));
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
Expand All @@ -500,7 +501,7 @@ public function testCanRS256EncodeAValidPayload()
$o->setSigningAlgorithm('RS256');
$o->setSigningKey($privateKey);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $publicKey, array('RS256'));
$roundTrip = JWT::decode($payload, new Key($publicKey, 'RS256'));
$this->assertEquals($roundTrip->iss, $testConfig['issuer']);
$this->assertEquals($roundTrip->aud, $testConfig['audience']);
$this->assertEquals($roundTrip->scope, $testConfig['scope']);
Expand All @@ -517,7 +518,7 @@ public function testCanHaveAdditionalClaims()
$o->setSigningAlgorithm('RS256');
$o->setSigningKey($privateKey);
$payload = $o->toJwt();
$roundTrip = JWT::decode($payload, $publicKey, array('RS256'));
$roundTrip = JWT::decode($payload, new Key($publicKey, 'RS256'));
$this->assertEquals($roundTrip->target_audience, $targetAud);
}
}
Expand Down Expand Up @@ -907,7 +908,7 @@ public function testFailsIfIdTokenIsInvalid()
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken($this->publicKey);
$o->verifyIdToken($this->publicKey, ['RS256']);
}

public function testFailsIfAudienceIsMissing()
Expand Down Expand Up @@ -943,6 +944,57 @@ public function testFailsIfAudienceIsWrong()
$o->verifyIdToken($this->publicKey, ['RS256']);
}

public function testFailsWithStringPublicKeyAndAllowedAlgsGreaterThanOne()
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('To have multiple allowed algorithms');

$testConfig = $this->verifyIdTokenMinimal;
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken($this->publicKey, ['RS256', 'ES256']);
}

public function testFailsWithStringPublicKeyAndNoAllowedAlgs()
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('When allowed algorithms is empty');

$testConfig = $this->verifyIdTokenMinimal;
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken($this->publicKey, []);
}

public function testFailsWithStringInPublicKeyArrayAndNoAllowedAlgs()
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('When allowed algorithms is empty');

$testConfig = $this->verifyIdTokenMinimal;
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken([
new Key($this->publicKey, 'RS256'),
$this->publicKey,
], []);
}

public function testFailsWithInalidAllowedAlgs()
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('allowed algorithms must be a string or array');

$testConfig = $this->verifyIdTokenMinimal;
$not_a_jwt = 'not a jot';
$o = new OAuth2($testConfig);
$o->setIdToken($not_a_jwt);
$o->verifyIdToken($this->publicKey, 123);
}

public function testShouldReturnAValidIdToken()
{
$testConfig = $this->verifyIdTokenMinimal;
Expand Down