Line 159... | Line 159... | ||
159 | if (($has_ra) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
159 | if (($has_ra) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
160 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
160 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
161 | } |
161 | } |
162 | } |
162 | } |
163 | else if ($gen === self::JWT_GENERATOR_MANUAL) { |
163 | else if ($gen === self::JWT_GENERATOR_MANUAL) { |
164 | // Generator 2 are "hand-crafted" tokens |
164 | // Generator: "hand-crafted" tokens |
- | 165 | if (($has_admin) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_ADMIN', false)) { |
|
- | 166 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_ADMIN')); |
|
- | 167 | } |
|
165 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL', false)) { |
168 | if (($has_ra) && !OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL_USER', false)) { |
166 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL')); |
169 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL_USER')); |
167 | } |
170 | } |
168 | } else { |
171 | } else { |
169 | throw new OIDplusException(_L('Token generator %1 not recognized',$gen)); |
172 | throw new OIDplusException(_L('Token generator %1 not recognized',$gen)); |
170 | } |
173 | } |
171 | 174 | ||
Line 192... | Line 195... | ||
192 | } |
195 | } |
193 | } |
196 | } |
194 | 197 | ||
195 | // Optional feature: Limit the JWT to a specific IP address |
198 | // Optional feature: Limit the JWT to a specific IP address |
196 | // Currently not used in OIDplus |
199 | // Currently not used in OIDplus |
197 | $ip = $contentProvider->getValue('ip',''); |
200 | $ip = $contentProvider->getValue('oidplus_limit_ip',''); |
198 | if ($ip !== '') { |
201 | if ($ip !== '') { |
199 | if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) { |
202 | if (isset($_SERVER['REMOTE_ADDR']) && ($ip !== $_SERVER['REMOTE_ADDR'])) { |
200 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
203 | throw new OIDplusException(_L('Your IP address is not allowed to use this token')); |
201 | } |
204 | } |
202 | } |
205 | } |
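Review bot: The IP restriction at new line 202 fails open: the check only runs when `$_SERVER['REMOTE_ADDR']` is set, so a token carrying `oidplus_limit_ip` is accepted unchecked whenever the peer address is unavailable (CLI, an unusual SAPI, or a misconfigured front end). Because the claim is opt-in and only present when the issuer deliberately wanted the restriction, the safer reading is to reject when the address cannot be determined: `if (!isset($_SERVER['REMOTE_ADDR']) || ($ip !== $_SERVER['REMOTE_ADDR'])) {`. The comparison is also a plain string match, so alternative textual forms of the same IPv6 address will not match, and behind a reverse proxy REMOTE_ADDR is presumably the proxy rather than the client — worth a one-line comment on line 199 such as `// NOTE: exact string match on REMOTE_ADDR; no IPv6 normalisation, no proxy awareness`. The comment says the feature is currently unused, so this only bites once a caller starts emitting the claim; the enclosing function begins before this hunk and continues after it.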
Line 439... | Line 442... | ||
439 | * @return string |
442 | * @return string |
440 | * @throws OIDplusException |
443 | * @throws OIDplusException |
441 | */ |
444 | */ |
442 | public function getJWTToken(): string { |
445 | public function getJWTToken(): string { |
443 | $payload = $this->content; |
446 | $payload = $this->content; |
- | 447 | $payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
|
444 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
448 | $payload["iss"] = OIDplus::getEditionInfo()['jwtaud']; |
445 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
449 | $payload["aud"] = OIDplus::getEditionInfo()['jwtaud']; |
446 | $payload["jti"] = gen_uuid(); |
450 | $payload["jti"] = gen_uuid(); |
447 | $payload["iat"] = time(); |
451 | $payload["iat"] = time(); |
448 | $payload["oidplus_ssh"] = self::getSsh(); // SSH = Server Secret Hash |
- | |
449 | 452 | ||
450 | if (OIDplus::getPkiStatus()) { |
453 | if (OIDplus::getPkiStatus()) { |
451 | $privKey = OIDplus::getSystemPrivateKey(); |
454 | $privKey = OIDplus::getSystemPrivateKey(); |
452 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
455 | return \Firebase\JWT\JWT::encode($payload, $privKey, 'RS256'); // RSA+SHA256 is hardcoded in getPkiStatus() generation |
453 | } else { |
456 | } else { |