diff --git a/CHANGELOG-3.x.md b/CHANGELOG-3.x.md
index 46e40ff..2c67326 100644
--- a/CHANGELOG-3.x.md
+++ b/CHANGELOG-3.x.md
@@ -2,6 +2,9 @@
 This changelog references the relevant changes done in 3.x versions.
+## v3.1.1
+* Use latest auth0-php library.
+
 ## v3.1.0
 * Updates for symfony 6.4.x deprecations and typehint changes.
diff --git a/composer.json b/composer.json
index f252cb6..a404441 100755
--- a/composer.json
+++ b/composer.json
@@ -12,8 +12,9 @@
     },
     "require-dev": {
         "phpunit/phpunit": "^10.5",
-        "auth0/auth0-php": "^7.9",
-        "gdbots/acme-schemas": "^3.0"
+        "auth0/auth0-php": "^8.11",
+        "gdbots/acme-schemas": "^3.0",
+        "nyholm/psr7": "^1.8"
     },
     "autoload": {
         "psr-4": {
@@ -27,5 +28,10 @@
     },
     "scripts": {
         "test": "vendor/bin/phpunit"
+    },
+    "config": {
+        "allow-plugins": {
+            "php-http/discovery": true
+        }
     }
 }
diff --git a/config/auth0_jwt.xml b/config/auth0_jwt.xml
index cfb7a7f..2f86da2 100644
--- a/config/auth0_jwt.xml
+++ b/config/auth0_jwt.xml
@@ -27,7 +27,7 @@
             %env(AUTH0_AUDIENCE)%
-            https://%env(AUTH0_DOMAIN)%/
+            %env(AUTH0_DOMAIN)%
             %env(AUTH0_CURRENT_SIGNING_SECRET)%
             %env(AUTH0_NEXT_SIGNING_SECRET)%
diff --git a/src/Security/Auth0JwtDecoder.php b/src/Security/Auth0JwtDecoder.php
index d4fce3d..80e9110 100644
--- a/src/Security/Auth0JwtDecoder.php
+++ b/src/Security/Auth0JwtDecoder.php
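Review bot: `nyholm/psr7` is added under `require-dev` only, while `auth0/auth0-php` ^8 locates its PSR-7/PSR-17/PSR-18 implementations at runtime through `php-http/discovery`; unless the bundle's `require` block (outside this hunk) already declares `psr/http-client-implementation` and `psr/http-factory-implementation`, an application that installs the bundle without such packages would presumably fail at the first token decode rather than at `composer install`. Declaring those virtual packages in `require` makes the new runtime requirement explicit to consumers. The `allow-plugins` entry in the second composer.json hunk is read from the root package only, so it enables the discovery plugin for this repository's own install (the test suite) and does nothing for applications that depend on the bundle.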
@@ -3,21 +3,14 @@ namespace Gdbots\Bundle\IamBundle\Security;
+use Auth0\SDK\Auth0;
+use Auth0\SDK\Configuration\SdkConfiguration;
 use Auth0\SDK\Exception\InvalidTokenException;
-use Auth0\SDK\Helpers\JWKFetcher;
-use Auth0\SDK\Helpers\Tokens\AsymmetricVerifier;
-use Auth0\SDK\Helpers\Tokens\SymmetricVerifier;
-use Auth0\SDK\Helpers\Tokens\TokenVerifier;
 use Gdbots\Schemas\Pbjx\Enum\Code;
 use Psr\Cache\CacheItemPoolInterface;
-use Symfony\Component\Cache\Psr16Cache;
 class Auth0JwtDecoder implements JwtDecoder
 {
-    protected JWKFetcher $jwkFetcher;
-    protected string $audience;
-    protected string $issuer;
-
     /**
      * Signing keys used for verifying an HS256 jwt
      * which is only used in an Auth0 rule that enriches
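Review bot: the new `use` block imports `Auth0` and `SdkConfiguration`, but the `Token` class that the decode() call in the next hunk relies on is still written fully qualified as `\Auth0\SDK\Token::TYPE_ACCESS_TOKEN`; add `use Auth0\SDK\Token;` here and reference `Token::TYPE_ACCESS_TOKEN` there so the file keeps a single import style. The removed `$audience`/`$issuer` properties are now only held inside the SDK configuration, so any class-level documentation that still mentions them (outside this hunk, if present) should be checked as well.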
@@ -27,47 +20,28 @@ class Auth0JwtDecoder implements JwtDecoder
      */
     protected array $keys;
-    public function __construct(CacheItemPoolInterface $cache, string $audience, string $issuer, array $keys)
-    {
-        $this->jwkFetcher = new JWKFetcher(new Psr16Cache($cache));
-        $this->audience = $audience;
-        $this->issuer = $issuer;
-        $this->keys = array_unique($keys);
-    }
+    protected Auth0 $auth0;
-    public function decode(string $jwt): array
+    public function __construct(CacheItemPoolInterface $cache, string $audience, string $domain, array $keys)
     {
-        $header = json_decode(base64_decode(explode('.', $jwt, 2)[0]), true) ?: [];
-        $alg = $header['alg'] ?? 'unknown';
-
-        switch ($alg) {
-            case 'RS256':
-                return $this->decodeRS256($jwt);
-
-            case 'HS256':
-                return $this->decodeHS256($jwt);
+        $this->auth0 = new Auth0([
+            'strategy' => SdkConfiguration::STRATEGY_API,
+            'audience' => [$audience],
+            'domain' => $domain,
+        ]);
-            default:
-                throw new InvalidTokenException(sprintf('Unsupported alg [%s] provided.', $alg));
-        }
-    }
-
-    protected function decodeRS256(string $jwt): array
-    {
-        $jwks = $this->jwkFetcher->getKeys($this->issuer . '.well-known/jwks.json');
-        $signatureVerifier = new AsymmetricVerifier($jwks);
-        $tokenVerifier = new TokenVerifier($this->issuer, $this->audience, $signatureVerifier);
-        return $tokenVerifier->verify($jwt);
+        $this->auth0->configuration()->setTokenCache($cache);
+        $this->keys = array_unique($keys);
     }
-    protected function decodeHS256(string $jwt): array
+    public function decode(string $jwt): array
     {
         $exception = null;
         foreach ($this->keys as $key) {
+            $this->auth0->configuration()->setClientSecret($key);
             try {
-                $signatureVerifier = new SymmetricVerifier($key);
-                $tokenVerifier = new TokenVerifier($this->issuer, $this->audience, $signatureVerifier);
-                return $tokenVerifier->verify($jwt);
+                $token = $this->auth0->decode(token: $jwt, tokenType: \Auth0\SDK\Token::TYPE_ACCESS_TOKEN);
+                return $token->toArray();
             } catch (\Throwable $e) {
                 $message = str_replace($key, '***', $e->getMessage());
                 $exception = new InvalidTokenException($message, Code::UNAUTHENTICATED->value, $e);
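Review bot: verification now happens only inside `foreach ($this->keys as $key)`, so with an empty `$keys` array `$this->auth0->decode()` is never called; the removed code verified RS256 tokens against the JWKS independently of `$keys`, and as far as I can tell the v8 SDK's RS256 path likewise does not need `setClientSecret()`. If the remainder of decode() (outside this hunk) throws `$exception` once the loop ends, an empty key list would presumably end with a null `$exception` instead of either a verified RS256 token or a clear InvalidTokenException; a guard before the loop such as `if ($this->keys === []) { return $this->auth0->decode(token: $jwt, tokenType: \Auth0\SDK\Token::TYPE_ACCESS_TOKEN)->toArray(); }` keeps RS256 verification independent of the HS256 secrets. Separately, `setClientSecret($key)` mutates the shared `SdkConfiguration` on every iteration and leaves whichever secret was tried last configured after the method returns, so a comment on the new `protected Auth0 $auth0;` property such as `// shared SDK instance; decode() swaps the client secret per HS256 key, so its configuration is not stable between calls` would document that. The kept `str_replace($key, '***', ...)` redaction is what keeps the secret out of the exception message and should stay as is.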