diff --git a/src/Controller/Federation/EntityStatementController.php b/src/Controller/Federation/EntityStatementController.php
index 77f00f4a..9c24dba8 100644
--- a/src/Controller/Federation/EntityStatementController.php
+++ b/src/Controller/Federation/EntityStatementController.php
@@ -15,11 +15,11 @@
 use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
-use SimpleSAML\OpenID\Codebooks\ContentTypeEnum;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\ContentTypesEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
 use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
-use SimpleSAML\OpenID\Codebooks\JwtTypeEnum;
+use SimpleSAML\OpenID\Codebooks\JwtTypesEnum;
 use SimpleSAML\OpenID\Codebooks\RequestAuthenticationMethodsEnum;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
@@ -66,7 +66,7 @@ public function configuration(): Response
 }
 $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
- ->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
+ ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
 ->relatedTo($this->moduleConfig->getIssuer()) // This is entity configuration (statement about itself).
 ->expiresAt(
 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
@@ -77,7 +77,7 @@ public function configuration(): Response
 ->withClaim(
 ClaimsEnum::Metadata->value,
 [
- EntityTypeEnum::FederationEntity->value => [
+ EntityTypesEnum::FederationEntity->value => [
 // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
 ...(array_filter(
 [
@@ -104,7 +104,7 @@ public function configuration(): Response
 //'jwks',
 ],
 // OP metadata with additional federation related claims.
- EntityTypeEnum::OpenIdProvider->value => [
+ EntityTypesEnum::OpenIdProvider->value => [
 ...$this->opMetadataService->getMetadata(),
 ClaimsEnum::ClientRegistrationTypesSupported->value => [
 ClientRegistrationTypesEnum::Automatic->value,
@@ -215,7 +215,7 @@ public function fetch(Request $request): Response
 }
 $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
- ->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
+ ->withHeader(ClaimsEnum::Typ->value, JwtTypesEnum::EntityStatementJwt->value)
 ->relatedTo($subject)
 ->expiresAt(
 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
@@ -226,7 +226,7 @@ public function fetch(Request $request): Response
 ->withClaim(
 ClaimsEnum::Metadata->value,
 [
- EntityTypeEnum::OpenIdRelyingParty->value => [
+ EntityTypesEnum::OpenIdRelyingParty->value => [
 ClaimsEnum::ClientName->value => $client->getName(),
 ClaimsEnum::ClientId->value => $client->getIdentifier(),
 ClaimsEnum::RedirectUris->value => $client->getRedirectUris(),
@@ -270,7 +270,7 @@ protected function prepareEntityStatementResponse(string $entityStatementToken):
 return new Response(
 $entityStatementToken,
 200,
- [HttpHeadersEnum::ContentType->value => ContentTypeEnum::ApplicationEntityStatementJwt->value,],
+ [HttpHeadersEnum::ContentType->value => ContentTypesEnum::ApplicationEntityStatementJwt->value,],
 );
 }
diff --git a/src/Controller/Federation/Test.php b/src/Controller/Federation/Test.php
index 387f8a34..f114ddd4 100644
--- a/src/Controller/Federation/Test.php
+++ b/src/Controller/Federation/Test.php
@@ -6,7 +6,7 @@
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\FederationCache;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Core;
 use SimpleSAML\OpenID\Federation;
 use SimpleSAML\OpenID\Jwks;
@@ -69,7 +69,7 @@ public function __invoke(): Response
 $leafFederationJwks = $leaf->getJwks();
- $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty);
+ $resolvedMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
 $jwksUri = $resolvedMetadata['jwks_uri'] ?? null;
 $signedJwksUri = $resolvedMetadata['signed_jwks_uri'] ?? null;
@@ -88,7 +88,7 @@ public function __invoke(): Response
 );
 return new JsonResponse(
- $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty),
+ $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty),
 );
 }
 }
diff --git a/src/Factories/ClientEntityFactory.php b/src/Factories/ClientEntityFactory.php
index 9d28a9aa..e5231644 100644
--- a/src/Factories/ClientEntityFactory.php
+++ b/src/Factories/ClientEntityFactory.php
@@ -14,13 +14,13 @@
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Utils\ClaimTranslatorExtractor;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
-use SimpleSAML\OpenID\Codebooks\ApplicationTypeEnum;
+use SimpleSAML\OpenID\Codebooks\ApplicationTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\GrantTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
 use SimpleSAML\OpenID\Codebooks\ResponseTypesEnum;
 use SimpleSAML\OpenID\Codebooks\ScopesEnum;
-use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodEnum;
+use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodsEnum;
 class ClientEntityFactory
 {
@@ -164,7 +164,7 @@ protected function guessIsConfidential(
 ): bool {
 if (
 array_key_exists(ClaimsEnum::ApplicationType->value, $metadata) &&
- $metadata[ClaimsEnum::ApplicationType->value] === ApplicationTypeEnum::Native->value
+ $metadata[ClaimsEnum::ApplicationType->value] === ApplicationTypesEnum::Native->value
 ) {
 // Native application type is strong indication of public client.
 return false;
@@ -172,7 +172,7 @@ protected function guessIsConfidential(
 if (
 array_key_exists(ClaimsEnum::TokenEndpointAuthMethod->value, $metadata) &&
- $metadata[ClaimsEnum::TokenEndpointAuthMethod->value] === TokenEndpointAuthMethodEnum::None->value
+ $metadata[ClaimsEnum::TokenEndpointAuthMethod->value] === TokenEndpointAuthMethodsEnum::None->value
 ) {
 // Value 'none' for token auth method is strong indication of public client.
 return false;
diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php
index 8c8eb525..60e44098 100644
--- a/src/Server/Grants/AuthCodeGrant.php
+++ b/src/Server/Grants/AuthCodeGrant.php
@@ -374,7 +374,6 @@ protected function getClientRedirectUri(OAuth2AuthorizationRequest $authorizatio
 *
 * @return \League\OAuth2\Server\ResponseTypes\ResponseTypeInterface
 *
- * TODO refactor to request checkers
 * @throws \League\OAuth2\Server\Exception\OAuthServerException
 * @throws \JsonException
 *
diff --git a/src/Server/RequestRules/Rules/ClientIdRule.php b/src/Server/RequestRules/Rules/ClientIdRule.php
index ccf6cd9b..e9a23ace 100644
--- a/src/Server/RequestRules/Rules/ClientIdRule.php
+++ b/src/Server/RequestRules/Rules/ClientIdRule.php
@@ -21,7 +21,7 @@
 use SimpleSAML\Module\oidc\Utils\FederationCache;
 use SimpleSAML\Module\oidc\Utils\JwksResolver;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
-use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypesEnum;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
 use SimpleSAML\OpenID\Federation;
@@ -146,7 +146,7 @@ public function checkRule(
 );
 }
 try {
- $clientMetadata = $trustChain->getResolvedMetadata(EntityTypeEnum::OpenIdRelyingParty);
+ $clientMetadata = $trustChain->getResolvedMetadata(EntityTypesEnum::OpenIdRelyingParty);
 } catch (Throwable $exception) {
 throw OidcServerException::invalidTrustChain(
 'Error while trying to resolve relying party metadata: ' . $exception->getMessage(),
diff --git a/src/Services/OpMetadataService.php b/src/Services/OpMetadataService.php
index 77bd73db..a6a222bb 100644
--- a/src/Services/OpMetadataService.php
+++ b/src/Services/OpMetadataService.php
@@ -7,6 +7,7 @@
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\TokenEndpointAuthMethodsEnum;
 /**
 * OpenID Provider Metadata Service - provides information about OIDC authentication server.
@@ -36,36 +37,41 @@ private function initMetadata(): void
 $signer = $this->moduleConfig->getProtocolSigner();
 $this->metadata = [];
- // TODO mivanci Replace keys with enum values.
- $this->metadata['issuer'] = $this->moduleConfig->getIssuer();
+ $this->metadata[ClaimsEnum::Issuer->value] = $this->moduleConfig->getIssuer();
 $this->metadata[ClaimsEnum::AuthorizationEndpoint->value] =
 $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdAuthorization->value);
- $this->metadata['token_endpoint'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdToken->value);
- $this->metadata['userinfo_endpoint'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdUserInfo->value);
- $this->metadata['end_session_endpoint'] =
+ $this->metadata[ClaimsEnum::TokenEndpoint->value] =
+ $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdToken->value);
+ $this->metadata[ClaimsEnum::UserinfoEndpoint->value] =
+ $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdUserInfo->value);
+ $this->metadata[ClaimsEnum::EndSessionEndpoint->value] =
 $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdEndSession->value);
- $this->metadata['jwks_uri'] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdJwks->value);
- $this->metadata['scopes_supported'] = array_keys($this->moduleConfig->getOpenIDScopes());
- $this->metadata['response_types_supported'] = ['code', 'token', 'id_token', 'id_token token'];
- $this->metadata['subject_types_supported'] = ['public'];
- $this->metadata['id_token_signing_alg_values_supported'] = [
+ $this->metadata[ClaimsEnum::JwksUri->value] = $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdJwks->value);
+ $this->metadata[ClaimsEnum::ScopesSupported->value] = array_keys($this->moduleConfig->getOpenIDScopes());
+ $this->metadata[ClaimsEnum::ResponseTypesSupported->value] = ['code', 'token', 'id_token', 'id_token token'];
+ $this->metadata[ClaimsEnum::SubjectTypesSupported->value] = ['public'];
+ $this->metadata[ClaimsEnum::IdTokenSigningAlgValuesSupported->value] = [
 $signer->algorithmId(),
 ];
- $this->metadata['code_challenge_methods_supported'] = ['plain', 'S256'];
- $this->metadata['token_endpoint_auth_methods_supported'] = ['client_secret_post', 'client_secret_basic'];
- $this->metadata['request_parameter_supported'] = true;
- $this->metadata['request_object_signing_alg_values_supported'] = [
+ $this->metadata[ClaimsEnum::CodeChallengeMethodsSupported->value] = ['plain', 'S256'];
+ $this->metadata[ClaimsEnum::TokenEndpointAuthMethodsSupported->value] = [
+ TokenEndpointAuthMethodsEnum::ClientSecretPost->value,
+ TokenEndpointAuthMethodsEnum::ClientSecretBasic->value,
+ TokenEndpointAuthMethodsEnum::PrivateKeyJwt->value,
+ ];
+ $this->metadata[ClaimsEnum::RequestParameterSupported->value] = true;
+ $this->metadata[ClaimsEnum::RequestObjectSigningAlgValuesSupported->value] = [
 'none',
 $signer->algorithmId(),
 ];
- $this->metadata['request_uri_parameter_supported'] = false;
- $this->metadata['grant_types_supported'] = ['authorization_code', 'refresh_token'];
- $this->metadata['claims_parameter_supported'] = true;
+ $this->metadata[ClaimsEnum::RequestUriParameterSupported->value] = false;
+ $this->metadata[ClaimsEnum::GrantTypesSupported->value] = ['authorization_code', 'refresh_token'];
+ $this->metadata[ClaimsEnum::ClaimsParameterSupported->value] = true;
 if (!(empty($acrValuesSupported = $this->moduleConfig->getAcrValuesSupported()))) {
- $this->metadata['acr_values_supported'] = $acrValuesSupported;
+ $this->metadata[ClaimsEnum::AcrValuesSupported->value] = $acrValuesSupported;
 }
- $this->metadata['backchannel_logout_supported'] = true;
- $this->metadata['backchannel_logout_session_supported'] = true;
+ $this->metadata[ClaimsEnum::BackChannelLogoutSupported->value] = true;
+ $this->metadata[ClaimsEnum::BackChannelLogoutSessionSupported->value] = true;
 }
 /**
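Review bot: The `TokenEndpointAuthMethodsSupported` list now advertises `TokenEndpointAuthMethodsEnum::PrivateKeyJwt` where the removed literal list had only `client_secret_post` and `client_secret_basic`, which is a behavioural change to the published discovery document buried in an otherwise mechanical keys-to-enum hunk; `initMetadata` starts before the hunk and the token endpoint is not part of this diff, so it should be confirmed that `private_key_jwt` client assertions are actually verified there (signature against the client's registered keys, `aud`, `exp` and single-use `jti`) before the OP claims support, since otherwise clients choosing that method will either fail to authenticate or, if the endpoint is lenient, be accepted without that verification. The remaining replacements silently depend on each `ClaimsEnum` case's backing value being byte-identical to the literal it replaces (e.g. `ClaimsEnum::BackChannelLogoutSupported->value` must be `backchannel_logout_supported`); a test that pins the full key set of `getMetadata()` would catch a mismatch that would otherwise surface only as relying parties ignoring a capability. For consistency with `ClientEntityFactory`, which already imports `GrantTypesEnum` and `ResponseTypesEnum`, the lists still written as literals (`['code', 'token', 'id_token', 'id_token token']`, `['authorization_code', 'refresh_token']`) could use those enums as well. A why-comment above the added entry, `// Advertised only because the token endpoint verifies JWT client assertions; keep in sync with that check.`, would tie the advertised capability to its implementation.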