Rev 1318 | Rev 1321 | ||
Line 124... | Line 124... | ||
124 | OIDplus::config()->setValue($cfg, $bl_time); |
124 | OIDplus::config()->setValue($cfg, $bl_time); |
125 | } |
125 | } |
126 | 126 | ||
127 | /** |
127 | /** |
128 | * @param int $gen OIDplusAuthContentStoreJWT::JWT_GENERATOR_... |
128 | * @param int $gen OIDplusAuthContentStoreJWT::JWT_GENERATOR_... |
129 | * @param string $sub |
129 | * @param string $sub E-Mail-Adress of RA or 'admin' |
130 | * @return int |
130 | * @return int |
131 | * @throws OIDplusException |
131 | * @throws OIDplusException |
132 | */ |
132 | */ |
133 | public static function jwtGetBlacklistTime(int $gen, string $sub): int { |
133 | public static function jwtGetBlacklistTime(int $gen, string $sub): int { |
134 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
134 | $cfg = self::jwtGetBlacklistConfigKey($gen, $sub); |
Line 152... | Line 152... | ||
152 | * @return void |
152 | * @return void |
153 | * @throws OIDplusException |
153 | * @throws OIDplusException |
154 | */ |
154 | */ |
155 | private static function jwtSecurityCheck(OIDplusAuthContentStoreJWT $contentProvider, int $validGenerators=null) { |
155 | private static function jwtSecurityCheck(OIDplusAuthContentStoreJWT $contentProvider, int $validGenerators=null) { |
156 | // Check if the token is intended for us |
156 | // Check if the token is intended for us |
157 | // Note 'aud' is mandatory, so we do not check for exists() |
157 | // Note 'aud' is mandatory for OIDplus, so we do not check for exists() |
158 | if ($contentProvider->getValue('aud','') !== $contentProvider->getAudIss()) { |
158 | if ($contentProvider->getValue('aud','') !== $contentProvider->getAudIss()) { |
159 | throw new OIDplusException(_L('Token has wrong audience: Given %1 but expected %2.', $contentProvider->getValue('aud',''), $contentProvider->getAudIss())); |
159 | throw new OIDplusException(_L('Token has wrong audience: Given %1 but expected %2.', $contentProvider->getValue('aud',''), $contentProvider->getAudIss())); |
160 | } |
160 | } |
161 | 161 | ||
162 | // Note CLAIM_SSH is mandatory, so we do not check for exists() |
162 | // Note CLAIM_SSH is mandatory for OIDplus, so we do not check for exists() |
163 | if ($contentProvider->getValue(self::CLAIM_SSH, '') !== self::getSsh()) { |
163 | if ($contentProvider->getValue(self::CLAIM_SSH, '') !== self::getSsh()) { |
164 | throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore')); |
164 | throw new OIDplusException(_L('"Server Secret" was changed; therefore the JWT is not valid anymore')); |
165 | } |
165 | } |
166 | 166 | ||
167 | // Note CLAIM_GENERATOR is mandatory, so we do not check for exists() |
167 | // Note CLAIM_GENERATOR is mandatory for OIDplus, so we do not check for exists() |
168 | $gen = $contentProvider->getValue(self::CLAIM_GENERATOR, -1); |
168 | $gen = $contentProvider->getValue(self::CLAIM_GENERATOR, -1); |
169 | 169 | ||
170 | $has_admin = $contentProvider->isAdminLoggedIn(); |
170 | $has_admin = $contentProvider->isAdminLoggedIn(); |
171 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
171 | $has_ra = $contentProvider->raNumLoggedIn() > 0; |
172 | 172 | ||
Line 669... | Line 669... | ||
669 | $payload = $this->content; |
669 | $payload = $this->content; |
670 | $payload[self::CLAIM_SSH] = self::getSsh(); // SSH = Server Secret Hash |
670 | $payload[self::CLAIM_SSH] = self::getSsh(); // SSH = Server Secret Hash |
671 | // see also https://www.iana.org/assignments/jwt/jwt.xhtml#claims for some generic claims |
671 | // see also https://www.iana.org/assignments/jwt/jwt.xhtml#claims for some generic claims |
672 | if (!isset($payload["iss"])) $payload["iss"] = $this->getAudIss(); |
672 | if (!isset($payload["iss"])) $payload["iss"] = $this->getAudIss(); |
673 | if (!isset($payload["aud"])) $payload["aud"] = $this->getAudIss(); |
673 | if (!isset($payload["aud"])) $payload["aud"] = $this->getAudIss(); |
674 | $payload["jti"] = gen_uuid(); |
674 | $payload["jti"] = gen_uuid(); // always set/renew it; therefore not checking isset() |
675 | $payload["iat"] = time(); |
675 | $payload["iat"] = time(); // always set/renew it; therefore not checking isset() |
676 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
676 | if (!isset($payload["nbf"])) $payload["nbf"] = time(); |
677 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
677 | if (!isset($payload["exp"])) $payload["exp"] = time()+3600/*1h*/; |
678 | 678 | ||
679 | if (!isset($payload[self::CLAIM_TRACE])) { |
679 | if (!isset($payload[self::CLAIM_TRACE])) { |
680 | // "Trace" can be used for later updates |
680 | // "Trace" can be used for later updates |