Merge branch 'master' into master

.github/dependabot.yml

@@ -0,0 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -14,20 +14,20 @@ jobs:
             fail-fast: false
             matrix:
                 os: [ubuntu-latest]
-                php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2']
+                php: ['7.0', '7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3']
 
         steps:
             - name: Checkout
-              uses: actions/checkout@v2
+              uses: actions/checkout@v4
             - name: Install PHP
               uses: shivammathur/setup-php@v2
               with:
                   php-version: ${{ matrix.php }}
             - name: Get composer cache directory
               id: composer-cache
-              run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+              run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
             - name: Cache composer dependencies
-              uses: actions/cache@v1
+              uses: actions/cache@v4
               with:
                   path: ${{ steps.composer-cache.outputs.dir }}
                   key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}

CHANGELOG.md

@@ -4,7 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+[unreleased]
+- Updated CI to also test on PHP 8.3 #407
+- Updated readme PHP requirement to PHP 7.0+ #407
+- Added dependabot for GitHub Actions #407
+- Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
+- Check subject when verifying JWT #406
 
 ### Fixed
 - Changed parameter #2 of http_build_query to empty string on requestTokenExchange to support PHP8.x

README.md

@@ -7,7 +7,7 @@ the OpenID Connect protocol to set up authentication.
 A special thanks goes to Justin Richer and Amanda Anganes for their help and support of the protocol.
 
 # Requirements #
- 1. PHP 5.4 or greater
+ 1. PHP 7.0 or greater
  2. CURL extension
  3. JSON extension
 
@@ -69,8 +69,8 @@ use Jumbojett\OpenIDConnectClient;
 $oidc = new OpenIDConnectClient('https://id.provider.com',
                                 'ClientIDHere',
                                 'ClientSecretHere');
-$oidc->providerConfigParam(array('token_endpoint'=>'https://id.provider.com/connect/token'));
-$oidc->addScope('my_scope');
+$oidc->providerConfigParam(['token_endpoint'=>'https://id.provider.com/connect/token']);
+$oidc->addScope(['my_scope']);
 
 // this assumes success (to validate check if the access_token property is there and a valid JWT) :
 $clientCredentialsToken = $oidc->requestClientCredentialsToken()->access_token;
@@ -85,12 +85,12 @@ use Jumbojett\OpenIDConnectClient;
 $oidc = new OpenIDConnectClient('https://id.provider.com',
                                 'ClientIDHere',
                                 'ClientSecretHere');
-$oidc->providerConfigParam(array('token_endpoint'=>'https://id.provider.com/connect/token'));
-$oidc->addScope('my_scope');
+$oidc->providerConfigParam(['token_endpoint'=>'https://id.provider.com/connect/token']);
+$oidc->addScope(['my_scope']);
 
 //Add username and password
-$oidc->addAuthParam(array('username'=>'<Username>'));
-$oidc->addAuthParam(array('password'=>'<Password>'));
+$oidc->addAuthParam(['username'=>'<Username>']);
+$oidc->addAuthParam(['password'=>'<Password>']);
 
 //Perform the auth and return the token (to validate check if the access_token property is there and a valid JWT) :
 $token = $oidc->requestResourceOwnerToken(TRUE)->access_token;
@@ -105,10 +105,9 @@ use Jumbojett\OpenIDConnectClient;
 $oidc = new OpenIDConnectClient('https://id.provider.com',
                                 'ClientIDHere',
                                 'ClientSecretHere');
-$oidc->setResponseTypes(array('id_token'));
-$oidc->addScope(array('openid'));
+$oidc->setResponseTypes(['id_token']);
 $oidc->setAllowImplicitFlow(true);
-$oidc->addAuthParam(array('response_mode' => 'form_post'));
+$oidc->addAuthParam(['response_mode' => 'form_post']);
 $oidc->setCertPath('/path/to/my.cert');
 $oidc->authenticate();
 $sub = $oidc->getVerifiedClaims('sub');
@@ -184,7 +183,7 @@ function handleLogout() {
                 session_commit();
                 session_id($session_id_to_destroy); // switches to that session
                 session_start();
-                $_SESSION = array(); // effectively ends the session
+                $_SESSION = []; // effectively ends the session
             }
         }
     }

src/OpenIDConnectClient.php

@@ -696,7 +696,7 @@ public function getRedirectURL(): string
         if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) {
             $port = (int)$_SERVER['HTTP_X_FORWARDED_PORT'];
         } elseif (isset($_SERVER['SERVER_PORT'])) {
-            $port = $_SERVER['SERVER_PORT'];
+            $port = (int)$_SERVER['SERVER_PORT'];
         } elseif ($protocol === 'https') {
             $port = 443;
         } else {
@@ -1206,6 +1206,7 @@ protected function verifyJWTClaims($claims, string $accessToken = null): bool
         }
         return (($this->validateIssuer($claims->iss))
             && (($claims->aud === $this->clientID) || in_array($this->clientID, $claims->aud, true))
+            && ($claims->sub === $this->getIdTokenPayload()->sub)
             && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
             && ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))
             && ( !isset($claims->nbf) || ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway)))

tests/OpenIDConnectClientTest.php

@@ -26,6 +26,7 @@ public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce()
         $fakeClaims = new StdClass();
         $fakeClaims->iss = 'fake-issuer';
         $fakeClaims->aud = 'fake-client-id';
+        $fakeClaims->sub = 'fake-sub';
         $fakeClaims->nonce = null;
 
         $_REQUEST['id_token'] = 'abc.123.xyz';