v3.1.1 -- Use latest auth0-php library.

gdbots · Jan 24, 2024 · c1d270e · c1d270e
1 parent f38c5c3
commit c1d270e
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 44 deletions.
diff --git a/CHANGELOG-3.x.md b/CHANGELOG-3.x.md
@@ -2,6 +2,9 @@
 This changelog references the relevant changes done in 3.x versions.
 
 
+## v3.1.1
+* Use latest auth0-php library.
+
 ## v3.1.0
 * Updates for symfony 6.4.x deprecations and typehint changes.
 

diff --git a/composer.json b/composer.json
@@ -12,8 +12,9 @@
   },
   "require-dev": {
     "phpunit/phpunit": "^10.5",
-    "auth0/auth0-php": "^7.9",
-    "gdbots/acme-schemas": "^3.0"
+    "auth0/auth0-php": "^8.11",
+    "gdbots/acme-schemas": "^3.0",
+    "nyholm/psr7": "^1.8"
   },
   "autoload": {
     "psr-4": {
@@ -27,5 +28,10 @@
   },
   "scripts": {
     "test": "vendor/bin/phpunit"
+  },
+  "config": {
+    "allow-plugins": {
+      "php-http/discovery": true
+    }
   }
 }
diff --git a/config/auth0_jwt.xml b/config/auth0_jwt.xml
@@ -27,7 +27,7 @@
     <service id="gdbots_iam.auth0_jwt_decoder" class="Gdbots\Bundle\IamBundle\Security\Auth0JwtDecoder">
       <argument type="service" id="cache.app"/>
       <argument>%env(AUTH0_AUDIENCE)%</argument>
-      <argument>https://%env(AUTH0_DOMAIN)%/</argument>
+      <argument>%env(AUTH0_DOMAIN)%</argument>
       <argument type="collection">
         <argument>%env(AUTH0_CURRENT_SIGNING_SECRET)%</argument>
         <argument>%env(AUTH0_NEXT_SIGNING_SECRET)%</argument>

diff --git a/src/Security/Auth0JwtDecoder.php b/src/Security/Auth0JwtDecoder.php
@@ -3,21 +3,14 @@
 
 namespace Gdbots\Bundle\IamBundle\Security;
 
+use Auth0\SDK\Auth0;
+use Auth0\SDK\Configuration\SdkConfiguration;
 use Auth0\SDK\Exception\InvalidTokenException;
-use Auth0\SDK\Helpers\JWKFetcher;
-use Auth0\SDK\Helpers\Tokens\AsymmetricVerifier;
-use Auth0\SDK\Helpers\Tokens\SymmetricVerifier;
-use Auth0\SDK\Helpers\Tokens\TokenVerifier;
 use Gdbots\Schemas\Pbjx\Enum\Code;
 use Psr\Cache\CacheItemPoolInterface;
-use Symfony\Component\Cache\Psr16Cache;
 
 class Auth0JwtDecoder implements JwtDecoder
 {
-    protected JWKFetcher $jwkFetcher;
-    protected string $audience;
-    protected string $issuer;
-
     /**
      * Signing keys used for verifying an HS256 jwt
      * which is only used in an Auth0 rule that enriches
@@ -27,47 +20,28 @@ class Auth0JwtDecoder implements JwtDecoder
      */
     protected array $keys;
 
-    public function __construct(CacheItemPoolInterface $cache, string $audience, string $issuer, array $keys)
-    {
-        $this->jwkFetcher = new JWKFetcher(new Psr16Cache($cache));
-        $this->audience = $audience;
-        $this->issuer = $issuer;
-        $this->keys = array_unique($keys);
-    }
+    protected Auth0 $auth0;
 
-    public function decode(string $jwt): array
+    public function __construct(CacheItemPoolInterface $cache, string $audience, string $domain, array $keys)
     {
-        $header = json_decode(base64_decode(explode('.', $jwt, 2)[0]), true) ?: [];
-        $alg = $header['alg'] ?? 'unknown';
-
-        switch ($alg) {
-            case 'RS256':
-                return $this->decodeRS256($jwt);
-
-            case 'HS256':
-                return $this->decodeHS256($jwt);
+        $this->auth0 = new Auth0([
+            'strategy' => SdkConfiguration::STRATEGY_API,
+            'audience' => [$audience],
+            'domain'   => $domain,
+        ]);
 
-            default:
-                throw new InvalidTokenException(sprintf('Unsupported alg [%s] provided.', $alg));
-        }
-    }
-
-    protected function decodeRS256(string $jwt): array
-    {
-        $jwks = $this->jwkFetcher->getKeys($this->issuer . '.well-known/jwks.json');
-        $signatureVerifier = new AsymmetricVerifier($jwks);
-        $tokenVerifier = new TokenVerifier($this->issuer, $this->audience, $signatureVerifier);
-        return $tokenVerifier->verify($jwt);
+        $this->auth0->configuration()->setTokenCache($cache);
+        $this->keys = array_unique($keys);
     }
 
-    protected function decodeHS256(string $jwt): array
+    public function decode(string $jwt): array
     {
         $exception = null;
         foreach ($this->keys as $key) {
+            $this->auth0->configuration()->setClientSecret($key);
             try {
-                $signatureVerifier = new SymmetricVerifier($key);
-                $tokenVerifier = new TokenVerifier($this->issuer, $this->audience, $signatureVerifier);
-                return $tokenVerifier->verify($jwt);
+                $token = $this->auth0->decode(token: $jwt, tokenType: \Auth0\SDK\Token::TYPE_ACCESS_TOKEN);
+                return $token->toArray();
             } catch (\Throwable $e) {
                 $message = str_replace($key, '***', $e->getMessage());
                 $exception = new InvalidTokenException($message, Code::UNAUTHENTICATED->value, $e);