From 7b94db5ccd5cb7685669525c729a259853f729f8 Mon Sep 17 00:00:00 2001 From: Ian Jenkins Date: Wed, 24 Nov 2021 16:00:47 +0000 Subject: [PATCH 1/3] Add failing test for null nonce on claims causing an exception --- phpunit.xml.dist | 28 ++++++++++++++++++++++++ tests/OpenIDConnectClientTest.php | 36 +++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 phpunit.xml.dist diff --git a/phpunit.xml.dist b/phpunit.xml.dist new file mode 100644 index 00000000..df8ef259 --- /dev/null +++ b/phpunit.xml.dist @@ -0,0 +1,28 @@ + + + + + ./tests + + + + + ./src + + ./vendor + ./tests + + + + diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php index e08efea8..2ec80b1d 100644 --- a/tests/OpenIDConnectClientTest.php +++ b/tests/OpenIDConnectClientTest.php 
@@ -1,6 +1,7 @@ getRedirectURL()); } + + public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce() + { + $fakeClaims = new \StdClass(); + $fakeClaims->iss = 'fake-issuer'; + $fakeClaims->aud = 'fake-client-id'; + $fakeClaims->nonce = null; + + $_REQUEST['id_token'] = 'abc.123.xyz'; + $_REQUEST['state'] = false; + $_SESSION['openid_connect_state'] = false; + + /** @var OpenIDConnectClient | PHPUnit_Framework_MockObject_MockObject $client */ + $client = $this->getMockBuilder(OpenIDConnectClient::class)->setMethods(['decodeJWT', 'getProviderConfigValue', 'verifyJWTsignature'])->getMock(); + $client->method('decodeJWT')->willReturn($fakeClaims); + $client->method('getProviderConfigValue')->with('jwks_uri')->willReturn(true); + $client->method('verifyJWTsignature')->willReturn(true); + + $client->setClientID('fake-client-id'); + $client->setIssuer('fake-issuer'); + $client->setIssuerValidator(function() { + return true; + }); + $client->setAllowImplicitFlow(true); + $client->setProviderURL('https://jwt.io/'); + + try { + $authenticated = $client->authenticate(); + $this->assertTrue($authenticated); + } catch ( OpenIDConnectClientException $e ) { + if ( $e->getMessage() === 'Unable to verify JWT claims' ) { + self::fail( 'OpenIDConnectClientException was thrown when it should not have been.' ); + } + } + } } From 31913bfc361c0de89a2a0aa4a42424eaab6fc98d Mon Sep 17 00:00:00 2001 
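Review bot: The try/catch closing testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce only fails the test when the exception message is exactly 'Unable to verify JWT claims'; any other OpenIDConnectClientException is swallowed and the test passes without ever reaching `$this->assertTrue($authenticated)`. Dropping the try/catch and asserting directly, `$this->assertTrue($client->authenticate());`, lets PHPUnit report an unexpected exception as a failure with its real message. The test also enables the implicit flow while leaving the session without a nonce, so it pins only the "no nonce issued" case; a sibling test that stores a nonce in the session the same way the state is stored and omits it from the claims should assert that authenticate() is rejected. The `$_REQUEST` and `$_SESSION` entries set here are never restored, so they leak into later tests in the same process; a tearDown() that unsets them would keep the suite order-independent.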
From: Ian Jenkins Date: Wed, 24 Nov 2021 16:02:51 +0000 Subject: [PATCH 2/3] Fix for claims containing a null nonce. Nonce is optional according to the open ID spec, so we shouldn't throw an exception if a nonce is null (or not set) within the claims. This was working previously but a change to how session keys are checked here: https://github.com/jumbojett/OpenID-Connect-PHP/pull/251 meant that the nonce check was now strict and `null !== false`. This fixes by checking first that the nonce is set before checking it matches the nonce in the session. --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index 77530f45..7fbcdb23 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -1026,7 +1026,7 @@ protected function verifyJWTclaims($claims, $accessToken = null) {
 }
 return (($this->issuerValidator->__invoke($claims->iss))
 && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
- && ($claims->nonce === $this->getNonce())
+ && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
 && ( !isset($claims->exp) || ((gettype($claims->exp) === 'integer') && ($claims->exp >= time() - $this->leeway)))
 && ( !isset($claims->nbf) || ((gettype($claims->nbf) === 'integer') && ($claims->nbf <= time() + $this->leeway)))
 && ( !isset($claims->at_hash) || !isset($accessToken) || $claims->at_hash === $expected_at_hash )
From 9b04bf471813bb2bb44d74ffcefc6645bfa4681b Mon Sep 17 00:00:00 2001 From: Ian Jenkins Date: Wed, 24 Nov 2021 16:06:51 +0000 Subject: [PATCH 3/3] Add changelog entry for missing nonce issue --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71a82272..a93d6ba8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
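Review bot: The new condition `!isset($claims->nonce) || $claims->nonce === $this->getNonce()` skips the nonce comparison whenever the claim is absent, independent of whether this client issued a nonce for the request, so an ID token minted without a nonce now verifies against a session that is expecting one and the replay protection the nonce provides is lost. OpenID Connect Core 1.0 §3.1.3.7 states that if a nonce was sent in the Authentication Request, a nonce claim MUST be present and match, and in the implicit flow (the one the accompanying test enables) the nonce is REQUIRED, so "optional" only holds when no nonce was sent. The check should be keyed off the session side instead: compute `$expectedNonce = $this->getNonce();` before the return and use `&& ($expectedNonce === false || (isset($claims->nonce) && $claims->nonce === $expectedNonce))`, which still satisfies the added test (no nonce stored in the session) while rejecting a token that drops an issued nonce. This presumes, as the commit description implies, that getNonce() returns false when no nonce is stored in the session; if it returns null, compare against that. verifyJWTclaims begins and ends outside the hunk.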
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ### Changed * signOut() Method parameter $accessToken -> $idToken to prevent confusion about access and id tokens usage. #127 +* Fixed issue where missing nonce within the claims was causing an exception. #280 ## [0.9.4]