Skip to content

Commit 7f35dd7

Browse files
vincentchalamonnicolas-grekas
vincentchalamon
authored and
nicolas-grekas
committed
[Security] Validate aud and iss claims on OidcTokenHandler
1 parent 4419c6d commit 7f35dd7

File tree

2 files changed

+19
-20
lines changed

2 files changed

+19
-20
lines changed

AccessToken/Oidc/OidcTokenHandler.php

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -41,10 +41,11 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
4141
public function __construct(
4242
private Algorithm $signatureAlgorithm,
4343
private JWK $jwk,
44-
private ?LoggerInterface $logger = null,
45-
private ClockInterface $clock = new Clock(),
44+
private string $audience,
45+
private array $issuers,
4646
private string $claim = 'sub',
47-
private ?string $audience = null
47+
private ?LoggerInterface $logger = null,
48+
private ClockInterface $clock = new Clock()
4849
) {
4950
}
5051

@@ -80,10 +81,9 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
8081
new Checker\IssuedAtChecker(0, false, $this->clock),
8182
new Checker\NotBeforeChecker(0, false, $this->clock),
8283
new Checker\ExpirationTimeChecker(0, false, $this->clock),
84+
new Checker\AudienceChecker($this->audience),
85+
new Checker\IssuerChecker($this->issuers),
8386
];
84-
if ($this->audience) {
85-
$checkers[] = new Checker\AudienceChecker($this->audience);
86-
}
8787
$claimCheckerManager = new ClaimCheckerManager($checkers);
8888
// if this check fails, an InvalidClaimException is thrown
8989
$claimCheckerManager->check($claims);

Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

Lines changed: 13 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,6 @@
1818
use Jose\Component\Signature\Serializer\CompactSerializer;
1919
use PHPUnit\Framework\TestCase;
2020
use Psr\Log\LoggerInterface;
21-
use Symfony\Component\Clock\Clock;
2221
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
2322
use Symfony\Component\Security\Core\User\OidcUser;
2423
use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
@@ -41,7 +40,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
4140
'iat' => $time,
4241
'nbf' => $time,
4342
'exp' => $time + 3600,
44-
'iss' => 'https://www.example.com/',
43+
'iss' => 'https://www.example.com',
4544
'aud' => self::AUDIENCE,
4645
'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
4746
'email' => 'foo@example.com',
@@ -55,10 +54,10 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
5554
$userBadge = (new OidcTokenHandler(
5655
new ES256(),
5756
$this->getJWK(),
58-
$loggerMock,
59-
new Clock(),
57+
self::AUDIENCE,
58+
['https://www.example.com'],
6059
$claim,
61-
self::AUDIENCE
60+
$loggerMock,
6261
))->getUserBadgeFrom($token);
6362
$actualUser = $userBadge->getUserLoader()();
6463

@@ -89,10 +88,10 @@ public function testThrowsAnErrorIfTokenIsInvalid(string $token)
8988
(new OidcTokenHandler(
9089
new ES256(),
9190
$this->getJWK(),
92-
$loggerMock,
93-
new Clock(),
91+
self::AUDIENCE,
92+
['https://www.example.com'],
9493
'sub',
95-
self::AUDIENCE
94+
$loggerMock,
9695
))->getUserBadgeFrom($token);
9796
}
9897

@@ -106,7 +105,7 @@ public static function getInvalidTokens(): iterable
106105
'iat' => time() - 3600,
107106
'nbf' => time() - 3600,
108107
'exp' => time() - 3590,
109-
'iss' => 'https://www.example.com/',
108+
'iss' => 'https://www.example.com',
110109
'aud' => self::AUDIENCE,
111110
'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
112111
'email' => 'foo@example.com',
@@ -118,7 +117,7 @@ public static function getInvalidTokens(): iterable
118117
'iat' => time(),
119118
'nbf' => time(),
120119
'exp' => time() + 3590,
121-
'iss' => 'https://www.example.com/',
120+
'iss' => 'https://www.example.com',
122121
'aud' => 'invalid',
123122
'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
124123
'email' => 'foo@example.com',
@@ -139,7 +138,7 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
139138
'iat' => $time,
140139
'nbf' => $time,
141140
'exp' => $time + 3600,
142-
'iss' => 'https://www.example.com/',
141+
'iss' => 'https://www.example.com',
143142
'aud' => self::AUDIENCE,
144143
'sub' => 'e21bf182-1538-406e-8ccb-e25a17aba39f',
145144
];
@@ -148,10 +147,10 @@ public function testThrowsAnErrorIfUserPropertyIsMissing()
148147
(new OidcTokenHandler(
149148
new ES256(),
150149
self::getJWK(),
151-
$loggerMock,
152-
new Clock(),
150+
self::AUDIENCE,
151+
['https://www.example.com'],
153152
'email',
154-
self::AUDIENCE
153+
$loggerMock,
155154
))->getUserBadgeFrom($token);
156155
}
157156

0 commit comments

Comments
 (0)