
Rev 1318 Rev 1321
Line 124... Line 124...
124
                OIDplus::config()->setValue($cfg, $bl_time);
124
                OIDplus::config()->setValue($cfg, $bl_time);
125
        }
125
        }
126
 
126
 
127
        /**
127
        /**
128
         * @param int $gen OIDplusAuthContentStoreJWT::JWT_GENERATOR_...
128
         * @param int $gen OIDplusAuthContentStoreJWT::JWT_GENERATOR_...
129
         * @param string $sub
129
         * @param string $sub E-Mail-Adress of RA or 'admin'
130
         * @return int
130
         * @return int
131
         * @throws OIDplusException
131
         * @throws OIDplusException
132
         */
132
         */
133
        public static function jwtGetBlacklistTime(int $gen, string $sub): int {
133
        public static function jwtGetBlacklistTime(int $gen, string $sub): int {
134
                $cfg = self::jwtGetBlacklistConfigKey($gen, $sub);
134
                $cfg = self::jwtGetBlacklistConfigKey($gen, $sub);
Line 152... Line 152...
152
         * @return void
152
         * @return void
153
         * @throws OIDplusException
153
         * @throws OIDplusException
154
         */
154
         */
155
        private static function jwtSecurityCheck(OIDplusAuthContentStoreJWT $contentProvider, int $validGenerators=null) {
155
        private static function jwtSecurityCheck(OIDplusAuthContentStoreJWT $contentProvider, int $validGenerators=null) {
156
                // Check if the token is intended for us
156
                // Check if the token is intended for us
157
                // Note 'aud' is mandatory, so we do not check for exists()
157
                // Note 'aud' is mandatory for OIDplus, so we do not check for exists()
158
                if ($contentProvider->getValue('aud','') !== $contentProvider->getAudIss()) {
158
                if ($contentProvider->getValue('aud','') !== $contentProvider->getAudIss()) {
159
                        throw new OIDplusException(_L('Token has wrong audience: Given %1 but expected %2.', $contentProvider->getValue('aud',''), $contentProvider->getAudIss()));
159
                        throw new OIDplusException(_L('Token has wrong audience: Given %1 but expected %2.', $contentProvider->getValue('aud',''), $contentProvider->getAudIss()));
160
                }
160
                }
161
 
161
 
162
                // Note CLAIM_SSH is mandatory, so we do not check for exists()
162
                // Note CLAIM_SSH is mandatory for OIDplus, so we do not check for exists()
163
                if ($contentProvider->getValue(self::CLAIM_SSH, '') !== self::getSsh()) {
163
                if ($contentProvider->getValue(self::CLAIM_SSH, '') !== self::getSsh()) {
164
                        throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore'));
164
                        throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore'));
165
                }
165
                }
166
 
166
 
167
                // Note CLAIM_GENERATOR is mandatory, so we do not check for exists()
167
                // Note CLAIM_GENERATOR is mandatory for OIDplus, so we do not check for exists()
168
                $gen = $contentProvider->getValue(self::CLAIM_GENERATOR, -1);
168
                $gen = $contentProvider->getValue(self::CLAIM_GENERATOR, -1);
169
 
169
 
170
                $has_admin = $contentProvider->isAdminLoggedIn();
170
                $has_admin = $contentProvider->isAdminLoggedIn();
171
                $has_ra = $contentProvider->raNumLoggedIn() > 0;
171
                $has_ra = $contentProvider->raNumLoggedIn() > 0;
172
 
172
 
Line 669... Line 669...
669
                $payload = $this->content;
669
                $payload = $this->content;
670
                $payload[self::CLAIM_SSH] = self::getSsh(); // SSH = Server Secret Hash
670
                $payload[self::CLAIM_SSH] = self::getSsh(); // SSH = Server Secret Hash
671
                // see also https://www.iana.org/assignments/jwt/jwt.xhtml#claims for some generic claims
671
                // see also https://www.iana.org/assignments/jwt/jwt.xhtml#claims for some generic claims
672
                if (!isset($payload["iss"])) $payload["iss"] = $this->getAudIss();
672
                if (!isset($payload["iss"])) $payload["iss"] = $this->getAudIss();
673
                if (!isset($payload["aud"])) $payload["aud"] = $this->getAudIss();
673
                if (!isset($payload["aud"])) $payload["aud"] = $this->getAudIss();
674
                $payload["jti"] = gen_uuid();
674
                $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset()
675
                $payload["iat"] = time();
675
                $payload["iat"] = time(); // always set/renew it; therefore not checking isset()
676
                if (!isset($payload["nbf"])) $payload["nbf"] = time();
676
                if (!isset($payload["nbf"])) $payload["nbf"] = time();
677
                if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/;
677
                if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/;
678
 
678
 
679
                if (!isset($payload[self::CLAIM_TRACE])) {
679
                if (!isset($payload[self::CLAIM_TRACE])) {
680
                        // "Trace" can be used for later updates
680
                        // "Trace" can be used for later updates