From 5832c8e3a8ba41a0f73cf7db329e3e78c791a8f2 Mon Sep 17 00:00:00 2001
From: Rick Lambrechts
Date: Thu, 15 Sep 2022 23:00:26 +0200
Subject: [PATCH 1/3] Added support for private_key_jwt authentication method
---
 src/OpenIDConnectClient.php | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 2bad8b57..034a8696 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -215,6 +215,11 @@ class OpenIDConnectClient
 */
 private $issuerValidator;
+ /**
+ * @var callable|null generator function for private key jwt client authentication
+ */
+ private $privateKeyJwtGenerator;
+
 /**
 * @var bool Allow OAuth 2 implicit flow; see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
 */
@@ -798,6 +803,12 @@ protected function requestTokens($code, $headers = array()) {
 unset($token_params['client_id']);
 }
+ // When there is a private key jwt generator and it is supported then use it as client authentication
+ if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
+ $token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+ $token_params['client_assertion'] = $this->privateKeyJwtGenerator($token_endpoint);
+ }
+
 $ccm = $this->getCodeChallengeMethod();
 $cv = $this->getCodeVerifier();
 if (!empty($ccm) && !empty($cv)) {
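Review bot: The new branch in requestTokens silently skips private_key_jwt when the provider's metadata does not list it, so a client configured with a generator falls through to whatever credential the surrounding code sends (the `unset($token_params['client_id'])` context suggests a client-secret path) without any signal to the developer. A silent downgrade from asymmetric to shared-secret client authentication is exactly what an operator would want to notice, so I would fail fast when the generator is set but unsupported, e.g. `throw new \RuntimeException('private_key_jwt generator configured but the token endpoint does not advertise private_key_jwt');`, or at minimum document the fallback on setPrivateKeyJwtGenerator. It is also not visible in the hunk whether a Basic Authorization header or `client_secret` parameter set earlier is dropped once the assertion is added; RFC 7523 expects a single client authentication method per request, so that should be checked in the part of requestTokens outside the hunk. requestTokens begins and ends outside this hunk.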
@@ -1453,6 +1464,18 @@ public function setIssuerValidator($issuerValidator) {
 $this->issuerValidator = $issuerValidator;
 }
+ /**
+ * Use this for private_key_jwt client authentication
+ * The given function should accept the token_endpoint string as the only argument
+ * and return a jwt signed with your private key according to:
+ * https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+ *
+ * @param callable $privateKeyJwtGenerator
+ */
+ public function setPrivateKeyJwtGenerator($privateKeyJwtGenerator) {
+ $this->privateKeyJwtGenerator = $privateKeyJwtGenerator;
+ }
+
 /**
 * @param bool $allowImplicitFlow
 */
@@ -1922,6 +1945,14 @@ public function getIssuerValidator() {
 return $this->issuerValidator;
 }
+
+ /**
+ * @return callable
+ */
+ public function getPrivateKeyJwtGenerator() {
+ return $this->privateKeyJwtGenerator;
+ }
+
 /**
 * @return int
 */
From e535cbc49e0eab8e9923136ea24c9cd428a4f115 Mon Sep 17 00:00:00 2001
From: Rick Lambrechts
Date: Thu, 15 Sep 2022 23:04:47 +0200
Subject: [PATCH 2/3] use __invoke for supporting older php versions
---
 src/OpenIDConnectClient.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 034a8696..dbb2c696 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -806,7 +806,7 @@ protected function requestTokens($code, $headers = array()) {
 // When there is a private key jwt generator and it is supported then use it as client authentication
 if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
 $token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
- $token_params['client_assertion'] = $this->privateKeyJwtGenerator($token_endpoint);
+ $token_params['client_assertion'] = $this->privateKeyJwtGenerator->__invoke($token_endpoint);
 }
 $ccm = $this->getCodeChallengeMethod();
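Review bot: setPrivateKeyJwtGenerator stores its argument unchecked, so a misconfigured value (a mistyped function name, a non-callable) is only detected inside requestTokens at token-exchange time instead of at configuration time. Add a guard such as `if (!is_callable($privateKeyJwtGenerator)) { throw new \InvalidArgumentException('privateKeyJwtGenerator must be callable'); }`. The docblock should also state that the returned JWT is sent verbatim as the `client_assertion` parameter and that the callable is only consulted when the provider advertises `private_key_jwt` in `token_endpoint_auth_methods_supported`, which is the behaviour the requestTokens change depends on.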
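Review bot: The `@return callable` annotation on getPrivateKeyJwtGenerator is inaccurate: the property is declared as `callable|null` and stays null until the setter is called, so the getter returns null in the default configuration. Change it to `@return callable|null`, matching the property declaration and the `!== null` check in requestTokens.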
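Review bot: `$this->privateKeyJwtGenerator->__invoke($token_endpoint)` only works when the stored value is a Closure or an object with an `__invoke` method; a string function name or a `[$object, 'method']` array, both valid for the documented `callable` type, produce a fatal error at token-exchange time. `call_user_func($this->privateKeyJwtGenerator, $token_endpoint)` accepts every callable form and is available on all PHP versions this commit targets; on PHP 7.0 and later `($this->privateKeyJwtGenerator)($token_endpoint)` is the equivalent native syntax. Alternatively, restrict the setter's accepted type to `Closure` and keep `__invoke`. requestTokens starts and ends outside this hunk.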
From bddb3bf98eac5c1952946fe98df030ec8f3fa275 Mon Sep 17 00:00:00 2001
From: Rick Lambrechts
Date: Fri, 16 Sep 2022 16:23:22 +0200
Subject: [PATCH 3/3] Updated changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b2d8ccaa..8af3bf6e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [unreleased]
+* Added support for `private_key_jwt` Client Authentication method #322
 ## [0.9.8]