WIP private_key_jwt

simplesamlphp · Sep 16, 2024 · 0da7a6a · 0da7a6a
1 parent 4420e31
commit 0da7a6a
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 39 deletions.
diff --git a/src/Controller/Federation/EntityStatementController.php b/src/Controller/Federation/EntityStatementController.php
@@ -15,11 +15,11 @@
 use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
-use SimpleSAML\OpenID\Codebooks\ContentTypeEnum;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\ContentTypesEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
-use SimpleSAML\OpenID\Codebooks\JwtTypeEnum;
+use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Codebooks\RequestAuthenticationMethodsEnum;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -66,7 +66,7 @@ public function configuration(): Response
         }
 
         $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-            ->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
+            ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
             ->relatedTo($this->moduleConfig->getIssuer()) // This is entity configuration (statement about itself).
             ->expiresAt(
                 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
@@ -77,7 +77,7 @@ public function configuration(): Response
             ->withClaim(
                 ClaimsEnum::Metadata->value,
                 [
-                    EntityTypeEnum::FederationEntity->value => [
+                    EntityTypesEnum::FederationEntity->value => [
                         // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
                         ...(array_filter(
                             [
@@ -104,7 +104,7 @@ public function configuration(): Response
                         //'jwks',
                     ],
                     // OP metadata with additional federation related claims.
-                    EntityTypeEnum::OpenIdProvider->value => [
+                    EntityTypesEnum::OpenIdProvider->value => [
                         ...$this->opMetadataService->getMetadata(),
                         ClaimsEnum::ClientRegistrationTypesSupported->value => [
                             ClientRegistrationTypesEnum::Automatic->value,
@@ -215,7 +215,7 @@ public function fetch(Request $request): Response
         }
 
         $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-            ->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
+            ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
             ->relatedTo($subject)
             ->expiresAt(
                 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
@@ -226,7 +226,7 @@ public function fetch(Request $request): Response
             ->withClaim(
                 ClaimsEnum::Metadata->value,
                 [
-                    EntityTypeEnum::OpenIdRelyingParty->value => [
+                    EntityTypesEnum::OpenIdRelyingParty->value => [
                         ClaimsEnum::ClientName->value => $client->getName(),
                         ClaimsEnum::ClientId->value => $client->getIdentifier(),
                         ClaimsEnum::RedirectUris->value => $client->getRedirectUris(),
@@ -270,7 +270,7 @@ protected function prepareEntityStatementResponse(string $entityStatementToken):
         return new Response(
             $entityStatementToken,
             200,
-            [HttpHeadersEnum::ContentType->value => ContentTypeEnum::ApplicationEntityStatementJwt->value,],
+            [HttpHeadersEnum::ContentType->value => ContentTypesEnum::ApplicationEntityStatementJwt->value,],
         );
     }
 

diff --git a/src/Controller/Federation/Test.php b/src/Controller/Federation/Test.php
@@ -6,7 +6,7 @@
 
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Core;
 use SimpleSAML\OpenID\Federation;
 use SimpleSAML\OpenID\Jwks;
@@ -69,7 +69,7 @@ public function __invoke(): Response
 
         $leafFederationJwks = $leaf->getJwks();
 
-        $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty);
+        $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
         $jwksUri = $resolvedMetadata['jwks_uri'] ?? null;
         $signedJwksUri = $resolvedMetadata['signed_jwks_uri'] ?? null;
 
@@ -88,7 +88,7 @@ public function __invoke(): Response
         );
 
         return new JsonResponse(
-            $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty),
+            $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty),
         );
     }
 }
diff --git a/src/Factories/ClientEntityFactory.php b/src/Factories/ClientEntityFactory.php
@@ -14,13 +14,13 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
-use SimpleSAML\OpenID\Codebooks\ApplicationTypeEnum;
+use SimpleSAML\OpenID\Codebooks\ApplicationTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
 use SimpleSAML\OpenID\Codebooks\ResponseTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ScopesEnum;
-use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodEnum;
+use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodsEnum;
 
 class ClientEntityFactory
 {
@@ -164,15 +164,15 @@ protected function guessIsConfidential(
     ): bool {
         if (
             array_key_exists(ClaimsEnum::ApplicationType->value, $metadata) &&
-            $metadata[ClaimsEnum::ApplicationType->value] === ApplicationTypeEnum::Native->value
+            $metadata[ClaimsEnum::ApplicationType->value] === ApplicationTypesEnum::Native->value
         ) {
             // Native application type is strong indication of public client.
             return false;
         }
 
         if (
             array_key_exists(ClaimsEnum::TokenEndpointAuthMethod->value, $metadata) &&
-            $metadata[ClaimsEnum::TokenEndpointAuthMethod->value] === TokenEndpointAuthMethodEnum::None->value
+            $metadata[ClaimsEnum::TokenEndpointAuthMethod->value] === TokenEndpointAuthMethodsEnum::None->value
         ) {
             // Value 'none' for token auth method is strong indication of public client.
             return false;

diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php
@@ -374,7 +374,6 @@ protected function getClientRedirectUri(OAuth2AuthorizationRequest $authorizatio
      *
      * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
      *
-     * TODO refactor to request checkers
      * @throws \League\OAuth2\Server\Exception\OAuthServerException
      * @throws \JsonException
      *

diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php
@@ -21,7 +21,7 @@
 use SimpleSAML\Module\oidc\Utils\FederationCache;
 use SimpleSAML\Module\oidc\Utils\JwksResolver;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
 use SimpleSAML\OpenID\Federation;
@@ -146,7 +146,7 @@ public function checkRule(
             );
         }
         try {
-            $clientMetadata = $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty);
+            $clientMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
         } catch (Throwable $exception) {
             throw OidcServerException::invalidTrustChain(
                 'Error while trying to resolve relying party metadata: ' . $exception->getMessage(),

diff --git a/src/Services/OpMetadataService.php b/src/Services/OpMetadataService.php
@@ -7,6 +7,7 @@
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodsEnum;
 
 /**
  * OpenID Provider Metadata Service - provides information about OIDC authentication server.
@@ -36,36 +37,41 @@ private function initMetadata(): void
         $signer = $this->moduleConfig->getProtocolSigner();
 
         $this->metadata = [];
-        // TODO mivanci Replace keys with enum values.
-        $this->metadata['issuer'] = $this->moduleConfig->getIssuer();
+        $this->metadata[ClaimsEnum::Issuer->value] = $this->moduleConfig->getIssuer();
         $this->metadata[ClaimsEnum::AuthorizationEndpoint->value] =
         $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdAuthorization->value);
-        $this->metadata['token_endpoint'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdToken->value);
-        $this->metadata['userinfo_endpoint'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdUserInfo->value);
-        $this->metadata['end_session_endpoint'] =
+        $this->metadata[ClaimsEnum::TokenEndpoint->value] =
+        $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdToken->value);
+        $this->metadata[ClaimsEnum::UserinfoEndpoint->value] =
+        $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdUserInfo->value);
+        $this->metadata[ClaimsEnum::EndSessionEndpoint->value] =
         $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdEndSession->value);
-        $this->metadata['jwks_uri'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdJwks->value);
-        $this->metadata['scopes_supported'] = array_keys($this->moduleConfig->getOpenIDScopes());
-        $this->metadata['response_types_supported'] = ['code', 'token', 'id_token', 'id_token token'];
-        $this->metadata['subject_types_supported'] = ['public'];
-        $this->metadata['id_token_signing_alg_values_supported'] = [
+        $this->metadata[ClaimsEnum::JwksUri->value] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdJwks->value);
+        $this->metadata[ClaimsEnum::ScopesSupported->value] = array_keys($this->moduleConfig->getOpenIDScopes());
+        $this->metadata[ClaimsEnum::ResponseTypesSupported->value] = ['code', 'token', 'id_token', 'id_token token'];
+        $this->metadata[ClaimsEnum::SubjectTypesSupported->value] = ['public'];
+        $this->metadata[ClaimsEnum::IdTokenSigningAlgValuesSupported->value] = [
             $signer->algorithmId(),
         ];
-        $this->metadata['code_challenge_methods_supported'] = ['plain', 'S256'];
-        $this->metadata['token_endpoint_auth_methods_supported'] = ['client_secret_post', 'client_secret_basic'];
-        $this->metadata['request_parameter_supported'] = true;
-        $this->metadata['request_object_signing_alg_values_supported'] = [
+        $this->metadata[ClaimsEnum::CodeChallengeMethodsSupported->value] = ['plain', 'S256'];
+        $this->metadata[ClaimsEnum::TokenEndpointAuthMethodsSupported->value] = [
+            TokenEndpointAuthMethodsEnum::ClientSecretPost->value,
+            TokenEndpointAuthMethodsEnum::ClientSecretBasic->value,
+            TokenEndpointAuthMethodsEnum::PrivateKeyJwt->value,
+        ];
+        $this->metadata[ClaimsEnum::RequestParameterSupported->value] = true;
+        $this->metadata[ClaimsEnum::RequestObjectSigningAlgValuesSupported->value] = [
             'none',
             $signer->algorithmId(),
         ];
-        $this->metadata['request_uri_parameter_supported'] = false;
-        $this->metadata['grant_types_supported'] = ['authorization_code', 'refresh_token'];
-        $this->metadata['claims_parameter_supported'] = true;
+        $this->metadata[ClaimsEnum::RequestUriParameterSupported->value] = false;
+        $this->metadata[ClaimsEnum::GrantTypesSupported->value] = ['authorization_code', 'refresh_token'];
+        $this->metadata[ClaimsEnum::ClaimsParameterSupported->value] = true;
         if (!(empty($acrValuesSupported = $this->moduleConfig->getAcrValuesSupported()))) {
-            $this->metadata['acr_values_supported'] = $acrValuesSupported;
+            $this->metadata[ClaimsEnum::AcrValuesSupported->value] = $acrValuesSupported;
         }
-        $this->metadata['backchannel_logout_supported'] = true;
-        $this->metadata['backchannel_logout_session_supported'] = true;
+        $this->metadata[ClaimsEnum::BackChannelLogoutSupported->value] = true;
+        $this->metadata[ClaimsEnum::BackChannelLogoutSessionSupported->value] = true;
     }
 
     /**