fix: Fix $jwt not defined and nonce validation in Implicit Flow

maicol07 · maicol07 · commit bd202c310674 · 2022-02-02T19:14:50.000+01:00
diff --git a/src/Traits/ImplictFlow.php b/src/Traits/ImplictFlow.php
@@ -33,16 +33,17 @@ private function implictFlow(Request $request, string $id_token): bool
         }
         Session::remove('oidc_state');
 
-        $this->validateJWT($id_token);
+        $jwt = $this->jwt()->parser()->parse($id_token);
+        $this->validateJWT($jwt);
 
-        // Save the id token
-        $this->id_token = $id_token;
-
-        if ($this->enable_nonce && $request->get('nonce') === Session::get('oidc_nonce')) {
-            return true;
+        if ($this->enable_nonce && Session::get('oidc_nonce') !== $jwt->claims()->get('nonce')) {
+            throw new ClientException("Generated nonce is not equal to the one returned by the server.");
         }
         Session::remove('oidc_nonce');
 
-        throw new ClientException('Unable to verify JWT claims');
+        // Save the id token
+        $this->id_token = $id_token;
+
+        return true;
     }
 }
diff --git a/src/Traits/JWT.php b/src/Traits/JWT.php
@@ -46,10 +46,12 @@ trait JWT
     private bool $jwt_plain_key;
     private int $leeway;
 
-    private function validateJWT(string $id_token): void
+    private function validateJWT(string|\Lcobucci\JWT\Token $jwt): void
     {
         try {
-            $jwt = $this->jwt()->parser()->parse($id_token);
+            if (is_string($jwt)) {
+                $jwt = $this->jwt()->parser()->parse($jwt);
+            }
             $claims = $jwt->claims();
             if (!(
                 $claims->has(RegisteredClaims::EXPIRATION_TIME)
diff --git a/src/Traits/Token.php b/src/Traits/Token.php
@@ -140,7 +140,8 @@ private function token(Request $request, string $code): bool
             throw new ClientException('User did not authorize openid scope.');
         }
 
-        $this->validateJWT($token_response->get('id_token'));
+        $jwt = $this->jwt()->parser()->parse($token_response->get('id_token'));
+        $this->validateJWT($jwt);
 
         if ($this->enable_nonce && Session::get('oidc_nonce') !== $jwt->claims()->get('nonce')) {
             throw new ClientException("Generated nonce is not equal to the one returned by the server.");

Original file line number	Diff line number	Diff line change
`@@ -33,16 +33,17 @@ private function implictFlow(Request $request, string $id_token): bool`
`33`	`33`	`}`
`34`	`34`	`Session::remove('oidc_state');`
`35`	`35`
`36`		`- $this->validateJWT($id_token);`
	`36`	`+ $jwt = $this->jwt()->parser()->parse($id_token);`
	`37`	`+ $this->validateJWT($jwt);`
`37`	`38`
`38`		`- // Save the id token`
`39`		`- $this->id_token = $id_token;`
`40`		`-`
`41`		`- if ($this->enable_nonce && $request->get('nonce') === Session::get('oidc_nonce')) {`
`42`		`- return true;`
	`39`	`+ if ($this->enable_nonce && Session::get('oidc_nonce') !== $jwt->claims()->get('nonce')) {`
	`40`	`+ throw new ClientException("Generated nonce is not equal to the one returned by the server.");`
`43`	`41`	`}`
`44`	`42`	`Session::remove('oidc_nonce');`
`45`	`43`
`46`		`- throw new ClientException('Unable to verify JWT claims');`
	`44`	`+ // Save the id token`
	`45`	`+ $this->id_token = $id_token;`
	`46`	`+`
	`47`	`+ return true;`
`47`	`48`	`}`
`48`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,8 @@ private function token(Request $request, string $code): bool`
`140`	`140`	`throw new ClientException('User did not authorize openid scope.');`
`141`	`141`	`}`
`142`	`142`
`143`		`- $this->validateJWT($token_response->get('id_token'));`
	`143`	`+ $jwt = $this->jwt()->parser()->parse($token_response->get('id_token'));`
	`144`	`+ $this->validateJWT($jwt);`
`144`	`145`
`145`	`146`	`if ($this->enable_nonce && Session::get('oidc_nonce') !== $jwt->claims()->get('nonce')) {`
`146`	`147`	`throw new ClientException("Generated nonce is not equal to the one returned by the server.");`