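--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [unreleased]
+* Added support for `private_key_jwt` Client Authentication method #322
 
 ## [0.9.8]
 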
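--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -215,6 +215,11 @@ class OpenIDConnectClient
 */
 private $issuerValidator;
 
+/**
+* @var callable|null generator function for private key jwt client authentication
+*/
+private $privateKeyJwtGenerator;
+
 /**
 * @var bool Allow OAuth 2 implicit flow; see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
 */
@@ -798,6 +803,12 @@ protected function requestTokens($code, $headers = array()) {
 unset($token_params['client_id']);
 }
 
+// When there is a private key jwt generator and it is supported then use it as client authentication
+if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
+$token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+$token_params['client_assertion'] = $this->privateKeyJwtGenerator->__invoke($token_endpoint);
+}
+
 $ccm = $this->getCodeChallengeMethod();
 $cv = $this->getCodeVerifier();
 if (!empty($ccm) && !empty($cv)) {
@@ -1453,6 +1464,18 @@ public function setIssuerValidator($issuerValidator) {
 $this->issuerValidator = $issuerValidator;
 }
 
+/**
+* Use this for private_key_jwt client authentication
+* The given function should accept the token_endpoint string as the only argument
+* and return a jwt signed with your private key according to:
+* https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+*
+* @param callable $privateKeyJwtGenerator
+*/
+public function setPrivateKeyJwtGenerator($privateKeyJwtGenerator) {
+$this->privateKeyJwtGenerator = $privateKeyJwtGenerator;
+}
+
 /**
 * @param bool $allowImplicitFlow
 */
@@ -1922,6 +1945,14 @@ public function getIssuerValidator() {
 return $this->issuerValidator;
 }
 
+
+/**
+* @return callable
+*/
+public function getPrivateKeyJwtGenerator() {
+return $this->privateKeyJwtGenerator;
+}
+
 /**
 * @return int
 */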
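Review bot: In requestTokens the generator is called as `$this->privateKeyJwtGenerator->__invoke($token_endpoint)`, which only works when the stored value is a Closure or an invokable object, yet setPrivateKeyJwtGenerator is documented as `@param callable`, so a string or array callable would fatal at this line. Invoking it through `call_user_func($this->privateKeyJwtGenerator, $token_endpoint)` accepts every callable form. When `private_key_jwt` is selected the branch also leaves whatever client-secret credentials the earlier part of the method prepared in place, so the token request may carry both a client assertion and a secret — worth confirming against that earlier code, which starts outside the hunk, and either dropping the secret or documenting which method wins. The getter's docblock should read `@return callable|null` to match the property, and when a generator is configured but the provider does not advertise `private_key_jwt` in its metadata the fallback to secret-based authentication is silent, which a deployment relying on asymmetric client auth may not expect. `$token_endpoint_auth_methods_supported` and `$token_endpoint` are defined outside the hunk.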