Loading classes/IdTokenBuilder.php +9 −4 Original line number Diff line number Diff line Loading @@ -12,16 +12,16 @@ class IdTokenBuilder { $this->locator = $locator; } public function getIdToken(AccessToken $accessToken): string { public function getIdToken(AccessToken $accessToken, $nonce = null): string { $keyPair = $this->locator->getJWKSDAO()->getNewestKeyPair(); $payload = $this->createPayloadArray($accessToken); $payload = $this->createPayloadArray($accessToken, $nonce); return JWT::encode($payload, $keyPair->privateKey, $keyPair->alg, $keyPair->keyId); } private function createPayloadArray(AccessToken $accessToken) { private function createPayloadArray(AccessToken $accessToken, $nonce = null) { $user = $this->locator->getUserDAO()->findUserById($accessToken->userId); Loading @@ -30,9 +30,14 @@ class IdTokenBuilder { 'sub' => $user->id, 'iat' => time(), 'exp' => time() + 3600, 'name' => $user->getCompleteName() 'name' => $user->getCompleteName(), 'aud' => $accessToken->clientId ); if ($nonce !== null) { $payloadArr['nonce'] = $nonce; } if (in_array("email", $accessToken->scope)) { $payloadArr['email'] = $user->getPrimaryEmail(); } Loading classes/JWKSHandler.php +2 −1 Original line number Diff line number Diff line Loading @@ -21,7 +21,8 @@ class JWKSHandler { $rsa->setPrivateKeyFormat(RSA::PRIVATE_FORMAT_PKCS1); $rsa->setPublicKeyFormat(RSA::PUBLIC_FORMAT_PKCS8); $result = $rsa->createKey(); // Guacamole needs a key of at least 2048 $result = $rsa->createKey(2048); $keyPair = new RSAKeyPair(); $keyPair->alg = 'RS256'; Loading classes/OAuth2RequestHandler.php +16 −5 Original line number Diff line number Diff line Loading @@ -36,8 +36,10 @@ class OAuth2RequestHandler { } $state = $params['state']; if ($state === null) { throw new BadRequestException("State is required"); $nonce = $params['nonce']; if ($state === null && $nonce === null) { throw new BadRequestException("State or nonce is required"); } // Storing OAuth2 data in session Loading 
@@ -45,6 +47,7 @@ class OAuth2RequestHandler { $oauth2Data->clientId = $client->client; $oauth2Data->redirectUrl = $client->redirectUrl; $oauth2Data->state = $state; $oauth2Data->nonce = $nonce; $scope = $params['scope']; if ($scope !== null) { Loading @@ -55,7 +58,7 @@ class OAuth2RequestHandler { $session->setOAuth2Data($oauth2Data); } public function getCodeResponseUrl(): string { public function getRedirectResponseUrl(): string { $session = $this->locator->getSession(); Loading @@ -70,9 +73,17 @@ class OAuth2RequestHandler { $this->locator->getAccessTokenDAO()->createAccessToken($accessToken); $state = $session->getOAuth2Data()->state; $nonce = $session->getOAuth2Data()->nonce; if ($state !== null) { // Authorization code grant flow $redirectUrl = $session->getOAuth2Data()->redirectUrl . '?code=' . $accessToken->code . '&scope=profile&state=' . $state; } else { // Implicit grant flow $idToken = $this->locator->getIdTokenBuilder()->getIdToken($accessToken, $nonce); $redirectUrl = $session->getOAuth2Data()->redirectUrl . "#id_token=" . $idToken; } return $redirectUrl; } Loading classes/login/LoginHandler.php +1 −1 Original line number Diff line number Diff line Loading @@ -75,7 +75,7 @@ class LoginHandler { if ($session->getOAuth2Data() !== null) { $session->setUser($user); $redirectUrl = $this->locator->getOAuth2RequestHandler()->getCodeResponseUrl(); $redirectUrl = $this->locator->getOAuth2RequestHandler()->getRedirectResponseUrl(); session_destroy(); return $redirectUrl; } Loading classes/model/OAuth2Data.php +1 −0 Original line number Diff line number Diff line Loading @@ -8,5 +8,6 @@ class OAuth2Data { public $redirectUrl; public $state; public $scope; public $nonce; } Loading
classes/IdTokenBuilder.php +9 −4 Original line number Diff line number Diff line Loading @@ -12,16 +12,16 @@ class IdTokenBuilder { $this->locator = $locator; } public function getIdToken(AccessToken $accessToken): string { public function getIdToken(AccessToken $accessToken, $nonce = null): string { $keyPair = $this->locator->getJWKSDAO()->getNewestKeyPair(); $payload = $this->createPayloadArray($accessToken); $payload = $this->createPayloadArray($accessToken, $nonce); return JWT::encode($payload, $keyPair->privateKey, $keyPair->alg, $keyPair->keyId); } private function createPayloadArray(AccessToken $accessToken) { private function createPayloadArray(AccessToken $accessToken, $nonce = null) { $user = $this->locator->getUserDAO()->findUserById($accessToken->userId); Loading @@ -30,9 +30,14 @@ class IdTokenBuilder { 'sub' => $user->id, 'iat' => time(), 'exp' => time() + 3600, 'name' => $user->getCompleteName() 'name' => $user->getCompleteName(), 'aud' => $accessToken->clientId ); if ($nonce !== null) { $payloadArr['nonce'] = $nonce; } if (in_array("email", $accessToken->scope)) { $payloadArr['email'] = $user->getPrimaryEmail(); } Loading
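Review bot: The new `$nonce` parameter is untyped on both `getIdToken` and `createPayloadArray` even though the rest of the signature is typed, and the value goes straight from the authorization request into a signed token; declare it as `?string $nonce = null` on both methods so a non-string value fails at the boundary instead of being serialised into the JWT. A one-line docblock on `getIdToken` should record that `nonce` is echoed into the token verbatim and is only omitted when the caller passed none, because the relying party compares it byte-for-byte with what it sent. The `'aud' => $accessToken->clientId` claim added in the second hunk is the right fix for a token that is now delivered directly to the client in the implicit flow; the array opens above the hunk, so if `iss` is not set there it should be, since an ID token without `iss` is rejected by conforming relying parties.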
classes/JWKSHandler.php +2 −1 Original line number Diff line number Diff line Loading @@ -21,7 +21,8 @@ class JWKSHandler { $rsa->setPrivateKeyFormat(RSA::PRIVATE_FORMAT_PKCS1); $rsa->setPublicKeyFormat(RSA::PUBLIC_FORMAT_PKCS8); $result = $rsa->createKey(); // Guacamole needs a key of at least 2048 $result = $rsa->createKey(2048); $keyPair = new RSAKeyPair(); $keyPair->alg = 'RS256'; Loading
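Review bot: The comment `// Guacamole needs a key of at least 2048` attributes the minimum to one consumer, but this handler sets `alg = 'RS256'` two lines below, and RFC 7518 §3.3 requires an RSA key of at least 2048 bits for RS256 regardless of who consumes the JWKS; a reader who later drops Guacamole could wrongly conclude the size is negotiable. Name the value and reword the comment: `private const RSA_KEY_BITS = 2048; // RFC 7518 §3.3: RS256 requires RSA keys of at least 2048 bits` and `$result = $rsa->createKey(self::RSA_KEY_BITS);`. `createKey` is called here without checking its result; if the library can return an error shape on failure (I cannot see its contract from this hunk) the key pair should not be persisted from a partial result.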
classes/OAuth2RequestHandler.php +16 −5 Original line number Diff line number Diff line Loading @@ -36,8 +36,10 @@ class OAuth2RequestHandler { } $state = $params['state']; if ($state === null) { throw new BadRequestException("State is required"); $nonce = $params['nonce']; if ($state === null && $nonce === null) { throw new BadRequestException("State or nonce is required"); } // Storing OAuth2 data in session Loading @@ -45,6 +47,7 @@ class OAuth2RequestHandler { $oauth2Data->clientId = $client->client; $oauth2Data->redirectUrl = $client->redirectUrl; $oauth2Data->state = $state; $oauth2Data->nonce = $nonce; $scope = $params['scope']; if ($scope !== null) { Loading @@ -55,7 +58,7 @@ class OAuth2RequestHandler { $session->setOAuth2Data($oauth2Data); } public function getCodeResponseUrl(): string { public function getRedirectResponseUrl(): string { $session = $this->locator->getSession(); Loading @@ -70,9 +73,17 @@ class OAuth2RequestHandler { $this->locator->getAccessTokenDAO()->createAccessToken($accessToken); $state = $session->getOAuth2Data()->state; $nonce = $session->getOAuth2Data()->nonce; if ($state !== null) { // Authorization code grant flow $redirectUrl = $session->getOAuth2Data()->redirectUrl . '?code=' . $accessToken->code . '&scope=profile&state=' . $state; } else { // Implicit grant flow $idToken = $this->locator->getIdTokenBuilder()->getIdToken($accessToken, $nonce); $redirectUrl = $session->getOAuth2Data()->redirectUrl . "#id_token=" . $idToken; } return $redirectUrl; } Loading
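Review bot: In `getRedirectResponseUrl` the grant type is selected by `if ($state !== null)`, but the presence of `state` is not what distinguishes the flows: an OIDC implicit request is identified by `response_type=id_token` and is expected to carry `state` as well as `nonce`, while a code request may legitimately send `nonce` and omit `state`, so both of those cases are routed to the wrong branch and the first hunk's `State or nonce is required` check encodes the same assumption. Capture `$params['response_type']` in the first hunk, store it on the session data next to `state` and `nonce`, and branch on it here; require `nonce` when the response type is `id_token` (mandatory in that flow) and keep requiring `state` for the code flow as the code did before this change. The implicit branch should also echo `state` back in the fragment when one was supplied, and both branches should `rawurlencode` the client-supplied `state` before concatenating it into the URL. The rewritten tail of the method would look like the following; the start of the method and the `createAccessToken` call above it are unchanged.
```php
$oauth2Data = $session->getOAuth2Data();
$state = $oauth2Data->state;
$nonce = $oauth2Data->nonce;
$base = $oauth2Data->redirectUrl;
// responseType is the authorize request's response_type, stored in the session by the first hunk
if ($oauth2Data->responseType === 'id_token') {
    // Implicit flow: nonce was validated as present at the authorize step; state is echoed when given
    $idToken = $this->locator->getIdTokenBuilder()->getIdToken($accessToken, $nonce);
    $redirectUrl = $base . '#id_token=' . $idToken
        . ($state !== null ? '&state=' . rawurlencode($state) : '');
} else {
    // Authorization code flow: state is required here, as before this change
    $redirectUrl = $base . '?code=' . $accessToken->code
        . '&scope=profile&state=' . rawurlencode($state);
}
return $redirectUrl;
```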
classes/login/LoginHandler.php +1 −1 Original line number Diff line number Diff line Loading @@ -75,7 +75,7 @@ class LoginHandler { if ($session->getOAuth2Data() !== null) { $session->setUser($user); $redirectUrl = $this->locator->getOAuth2RequestHandler()->getCodeResponseUrl(); $redirectUrl = $this->locator->getOAuth2RequestHandler()->getRedirectResponseUrl(); session_destroy(); return $redirectUrl; } Loading
classes/model/OAuth2Data.php +1 −0 Original line number Diff line number Diff line Loading @@ -8,5 +8,6 @@ class OAuth2Data { public $redirectUrl; public $state; public $scope; public $nonce; }
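Review bot: The new `public $nonce;` is untyped and defaults to `null` implicitly, which is what `OAuth2RequestHandler` relies on when it tests `$nonce !== null`; making that explicit as `public ?string $nonce = null;` documents the contract and stops a non-string from reaching the ID token. The neighbouring properties are untyped too, so if the project prefers to keep this model uniform, a `@var string|null` docblock on the new line is the minimal alternative.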