Merge commit from fork

anicho123 · web-flow · commit 344e490c8a19 · 2025-12-16T17:47:36.000+05:30
feat: add validation for ID tokens used as access tokens and update t…
diff --git a/src/Exception/InvalidTokenException.php b/src/Exception/InvalidTokenException.php
@@ -37,6 +37,11 @@ final class InvalidTokenException extends Exception implements Auth0Exception
      */
     public const MSG_BAD_SIGNATURE_MISSING_KID = 'Cannot verify signature: JWKS did not contain the key specified by the token';
 
+    /**
+     * @var string
+     */
+    public const MSG_ID_TOKEN_USED_AS_ACCESS_TOKEN = 'ID token cannot be validated as an access token (detected nonce claim)';
+
     /**
      * @var string
      */
@@ -214,6 +219,12 @@ public static function badSignatureMissingKid(
         return new self(self::MSG_BAD_SIGNATURE_MISSING_KID, 0, $previous);
     }
 
+    public static function idTokenUsedAsAccessToken(
+        ?Throwable $previous = null,
+    ): self {
+        return new self(self::MSG_ID_TOKEN_USED_AS_ACCESS_TOKEN, 0, $previous);
+    }
+
     public static function jsonError(
         string $message,
         ?Throwable $previous = null,
diff --git a/src/Token.php b/src/Token.php
@@ -260,7 +260,15 @@ public function validate(
         $tokenOrganization ??= $this->configuration->getOrganization() ?? null;
         $tokenMaxAge ??= $this->configuration->getTokenMaxAge() ?? null;
         $tokenLeeway ??= $this->configuration->getTokenLeeway() ?? 60;
-        if ($this->type !== self::TYPE_ACCESS_TOKEN) {
+
+        if (self::TYPE_ACCESS_TOKEN === $this->type) {
+            if (null !== $this->getParser()->getClaim('nonce')) {
+                throw InvalidTokenException::idTokenUsedAsAccessToken();
+            }
+            if ([] === $tokenAudience) {
+                $tokenAudience[] = (string) $this->configuration->getClientId();
+            }
+        } else {
             $tokenAudience[] = (string) $this->configuration->getClientId();
         }
         $tokenAudience = array_unique($tokenAudience);
diff --git a/tests/Unit/Auth0Test.php b/tests/Unit/Auth0Test.php
@@ -567,7 +567,7 @@ public function defer(
 test('decode() can be used with access tokens', function (): void {
     $token = (new TokenGenerator())->withHs256([
         'iss' => 'https://' . $this->configuration['domain'] . '/'
-    ]);
+    ], '__test_client_secret__', [], TokenGenerator::TOKEN_ACCESS);
 
     $auth0 = new Auth0($this->configuration + [
         'tokenAlgorithm' => 'HS256',
@@ -586,6 +586,52 @@ public function defer(
     expect($decoded->getAudience())->toContain('__test_client_id__');
 });
 
+test('decode() rejects ID tokens when validating as access tokens', function (): void {
+    $idToken = (new TokenGenerator())->withHs256([
+        'iss' => 'https://' . $this->configuration['domain'] . '/',
+        'nonce' => '__test_nonce__',
+    ], '__test_client_secret__', [], TokenGenerator::TOKEN_ID);
+
+    $auth0 = new Auth0($this->configuration + [
+        'tokenAlgorithm' => 'HS256',
+    ]);
+
+    $auth0->decode($idToken,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null,
+        Token::TYPE_ACCESS_TOKEN,
+    );
+})->throws(InvalidTokenException::class, InvalidTokenException::MSG_ID_TOKEN_USED_AS_ACCESS_TOKEN);
+
+test('decode() respects explicit audience for access tokens', function (): void {
+    $apiAudience = 'https://api.example.com';
+    $token = (new TokenGenerator())->withHs256([
+        'iss' => 'https://' . $this->configuration['domain'] . '/',
+        'aud' => $apiAudience
+    ], '__test_client_secret__', [], TokenGenerator::TOKEN_ACCESS);
+
+    $auth0 = new Auth0($this->configuration + [
+        'tokenAlgorithm' => 'HS256',
+        'audience' => [$apiAudience],
+    ]);
+
+    $decoded = $auth0->decode($token,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null,
+        Token::TYPE_ACCESS_TOKEN,
+    );
+
+    expect($decoded->getAudience())->toEqual([$apiAudience]);
+});
+
 test('decode() can be used with logout tokens', function (): void {
     $mockLogoutToken = TokenGenerator::create(TokenGenerator::TOKEN_LOGOUT, TokenGenerator::ALG_HS256, [
         'iss' => 'https://' . $this->configuration['domain'] . '/'
diff --git a/tests/Unit/TokenTest.php b/tests/Unit/TokenTest.php
@@ -198,7 +198,7 @@ function(): SdkConfiguration {
         return $this->configuration;
     },
     fn() => TokenGenerator::create(TokenGenerator::TOKEN_ACCESS, TokenGenerator::ALG_HS256)
-]])->throws(InvalidTokenException::class, InvalidTokenException::MSG_LOGOUT_TOKEN_NONCE_PRESENT);
+]])->throws(InvalidTokenException::class, InvalidTokenException::MSG_MISSING_EVENTS_CLAIM);
 
 it('fails validating a Logout Token without `sub` or `sid` claims', function(
     SdkConfiguration $configuration
diff --git a/tests/Utilities/TokenGenerator.php b/tests/Utilities/TokenGenerator.php
@@ -26,7 +26,7 @@ protected static function getIdTokenClaims(
             'sid' => '__test_sid__',
             'iss' => 'https://domain.test/',
             'aud' => '__test_client_id__',
-            'nonce' => '__test_nonce__',
+            // 'nonce' => '__test_nonce__', Only ID tokens should have nonce claims
             'auth_time' => time() - 100,
             'exp' => time() + 1000,
             'iat' => time() - 1000,
