Rev 576 | Rev 578 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 576 | Rev 577 | ||
|---|---|---|---|
| Line 46... | Line 46... | ||
| 46 | } |
46 | } |
| 47 | $a = substr($a, 0, $len*2); |
47 | $a = substr($a, 0, $len*2); |
| 48 | return hex2bin($a); |
48 | return hex2bin($a); |
| 49 | } |
49 | } |
| 50 | 50 | ||
| 51 | // Content provider |
51 | // JWT handling |
| 52 | 52 | ||
| 53 | protected function getAuthContentStore() { |
53 | const JWT_GENERATOR_AJAX = 0; |
| - | 54 | //const JWT_GENERATOR_LOGIN = 1; |
|
| 54 | static $contentProvider = null; |
55 | const JWT_GENERATOR_MANUAL = 2; |
| 55 | 56 | ||
| 56 | if (is_null($contentProvider)) { |
57 | private function jwtGetBlacklistConfigKey($gen, $sub) { |
| 57 | if (isset($_REQUEST['OIDPLUS_AUTH_JWT'])) { |
58 | // Note: Needs to be <= 50 characters! |
| 58 | $contentProvider = new OIDplusAuthContentStoreJWT(); |
59 | return 'jwt_blacklist_gen('.$gen.')_sub('.trim(base64_encode(md5($sub,true)),'=').')'; |
| - | 60 | } |
|
| 59 | 61 | ||
| - | 62 | public function jwtBlacklist($gen, $sub) { |
|
| 60 | // Decode the JWT. In this step, the signature as well as EXP/NBF times will be checked |
63 | $cfg = $this->jwtGetBlacklistConfigKey($gen, $sub); |
| 61 | try { |
64 | $bl_time = time()-1; |
| - | 65 | ||
| - | 66 | $gen_desc = 'Unknown'; |
|
| - | 67 | if ($gen === self::JWT_GENERATOR_AJAX) $gen_desc = 'Automated AJAX calls'; |
|
| 62 | $contentProvider->loadJWT($_REQUEST['OIDPLUS_AUTH_JWT']); |
68 | //if ($gen === self::JWT_GENERATOR_LOGIN) $gen_desc = 'Login'; |
| - | 69 | if ($gen === self::JWT_GENERATOR_MANUAL) $gen_desc = 'Manually created'; |
|
| - | 70 | ||
| - | 71 | OIDplus::config()->prepareConfigKey($cfg, 'Revoke timestamp of all JWT tokens for $sub with generator $gen ($gen_desc)', $bl_time, OIDplusConfig::PROTECTION_HIDDEN, function($value) {}); |
|
| - | 72 | OIDplus::config()->setValue($cfg, $bl_time); |
|
| - | 73 | } |
|
| - | 74 | ||
| 63 | } catch (Exception $e) { |
75 | public function jwtGetBlacklistTime($gen, $sub) { |
| - | 76 | $cfg = $this->jwtGetBlacklistConfigKey($gen, $sub); |
|
| 64 | throw new OIDplusException(_L('The JWT token was rejected: %1',$e->getMessage())); |
77 | return OIDplus::config()->getValue($cfg,0); |
| 65 | } |
78 | } |
| 66 | 79 | ||
| - | 80 | protected function jwtSecurityCheck($contentProvider) { |
|
| 67 | // Check if the token is intended for us |
81 | // Check if the token is intended for us |
| 68 | if ($contentProvider->getValue('aud','') !== "http://oidplus.com") { |
82 | if ($contentProvider->getValue('aud','') !== "http://oidplus.com") { |
| 69 | throw new OIDplusException(_L('This JWT token is not valid')); |
83 | throw new OIDplusException(_L('Token has wrong audience')); |
| 70 | } |
84 | } |
| 71 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
85 | $gen = $contentProvider->getValue('oidplus_generator', -1); |
| 72 | $sub = $contentProvider->getValue('sub', ''); |
86 | $sub = $contentProvider->getValue('sub', ''); |
| 73 | 87 | ||
| 74 | // Check if the token generator is allowed |
88 | // Check if the token generator is allowed |
| 75 | if ($gen === 0) { |
89 | if ($gen === self::JWT_GENERATOR_AJAX) { |
| 76 | if (($sub === 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_AJAX_ADMIN', true)) { |
90 | if (($sub === 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_AJAX_ADMIN', true)) { |
| 77 | // Generator: plugins/adminPages/910_automated_ajax_calls/OIDplusPageAdminAutomatedAJAXCalls.class.php |
91 | // Generator: plugins/adminPages/910_automated_ajax_calls/OIDplusPageAdminAutomatedAJAXCalls.class.php |
| 78 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_AJAX_ADMIN')); |
92 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_AJAX_ADMIN')); |
| 79 | } |
93 | } |
| 80 | else if (($sub !== 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_AJAX_USER', true)) { |
94 | else if (($sub !== 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_AJAX_USER', true)) { |
| 81 | // Generator: plugins/raPages/910_automated_ajax_calls/OIDplusPageRaAutomatedAJAXCalls.class.php |
95 | // Generator: plugins/raPages/910_automated_ajax_calls/OIDplusPageRaAutomatedAJAXCalls.class.php |
| 82 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_AJAX_USER')); |
96 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_AJAX_USER')); |
| 83 | } |
97 | } |
| 84 | } |
98 | } |
| 85 | /* else if ($gen === 1) { |
99 | /* else if ($gen === self::JWT_GENERATOR_LOGIN) { |
| 86 | // Reserved for future use (use JWT token in a cookie as alternative to PHP session): |
100 | // Reserved for future use (use JWT token in a cookie as alternative to PHP session): |
| 87 | if (($sub === 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_ADMIN', true)) { |
101 | if (($sub === 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_ADMIN', true)) { |
| 88 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_ADMIN')); |
102 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_ADMIN')); |
| 89 | } |
103 | } |
| 90 | else if (($sub !== 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
104 | else if (($sub !== 'admin') && !OIDplus::baseConfig()->getValue('JWT_ALLOW_LOGIN_USER', true)) { |
| 91 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
105 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_LOGIN_USER')); |
| 92 | } |
106 | } |
| 93 | } */ |
107 | } */ |
| 94 | else if ($gen === 2) { |
108 | else if ($gen === self::JWT_GENERATOR_MANUAL) { |
| 95 | // Generator 2 are "hand-crafted" tokens |
109 | // Generator 2 are "hand-crafted" tokens |
| 96 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL', true)) { |
110 | if (!OIDplus::baseConfig()->getValue('JWT_ALLOW_MANUAL', true)) { |
| 97 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL')); |
111 | throw new OIDplusException(_L('The administrator has disabled this feature. (Base configuration setting %1).','JWT_ALLOW_MANUAL')); |
| 98 | } |
112 | } |
| 99 | } else { |
113 | } else { |
| 100 | throw new OIDplusException(_L('Token generator %1 not recognized',$gen)); |
114 | throw new OIDplusException(_L('Token generator %1 not recognized',$gen)); |
| 101 | } |
115 | } |
| 102 | 116 | ||
| 103 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
117 | // Make sure that the IAT (issued at time) isn't in a blacklisted timeframe |
| 104 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
118 | // When an user believes that a token was compromised, then they can blacklist the tokens identified by their "iat" ("Issued at") property |
| 105 | $cfg = 'jwt_blacklist_gen('.$gen.')_sub('.trim(base64_encode(md5($sub,true)),'=').')'; |
- | |
| 106 | $bl_time = OIDplus::config()->getValue($cfg,0); |
119 | $bl_time = $this->jwtGetBlacklistTime($gen, $sub); |
| 107 | $iat = $contentProvider->getValue('iat',0); |
120 | $iat = $contentProvider->getValue('iat',0); |
| 108 | if ($iat <= $bl_time) { |
121 | if ($iat <= $bl_time) { |
| 109 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
122 | throw new OIDplusException(_L('The JWT token was blacklisted on %1. Please generate a new one',date('d F Y, H:i:s',$bl_time))); |
| 110 | } |
123 | } |
| - | 124 | } |
|
| - | 125 | ||
| - | 126 | // Content provider |
|
| - | 127 | ||
| - | 128 | protected function getAuthContentStore() { |
|
| - | 129 | static $contentProvider = null; |
|
| - | 130 | ||
| - | 131 | if (is_null($contentProvider)) { |
|
| - | 132 | if (isset($_REQUEST['OIDPLUS_AUTH_JWT'])) { |
|
| - | 133 | $contentProvider = new OIDplusAuthContentStoreJWT(); |
|
| - | 134 | ||
| - | 135 | try { |
|
| - | 136 | // Decode the JWT. In this step, the signature as well as EXP/NBF times will be checked |
|
| - | 137 | $contentProvider->loadJWT($_REQUEST['OIDPLUS_AUTH_JWT']); |
|
| - | 138 | ||
| - | 139 | // Do various checks if the token is allowed and not blacklisted |
|
| - | 140 | $this->jwtSecurityCheck($contentProvider); |
|
| - | 141 | } catch (Exception $e) { |
|
| - | 142 | throw new OIDplusException(_L('The JWT token was rejected: %1',$e->getMessage())); |
|
| - | 143 | } |
|
| 111 | } else { |
144 | } else { |
| 112 | // Normal login via web-browser |
145 | // Normal login via web-browser |
| 113 | $contentProvider = new OIDplusAuthContentStoreSession(); |
146 | $contentProvider = new OIDplusAuthContentStoreSession(); |
| 114 | } |
147 | } |
| 115 | } |
148 | } |