
Commit f97331a

committed
Change DPop::validateJwtDpop() to make ATH claim optional.
1 parent ea830b6 commit f97331a


2 files changed

+46
-11
lines changed


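--- a/src/Utils/DPop.php
+++ b/src/Utils/DPop.php
@@ -157,6 +157,7 @@ public function makeJwkThumbprint($jwk) {
 * See also: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-7
 *
 * Validates the above part of the oauth dpop specification
+*
 * @param string $jwt JWT access token, raw
 * @param string $dpop DPoP token, raw
 * @param ServerRequestInterface $request Server Request
@@ -165,16 +166,17 @@ public function makeJwkThumbprint($jwk) {
 public function validateJwtDpop($jwt, $dpop, $request) {
 $this->validateDpop($dpop, $request);
 $jwtConfig = Configuration::forUnsecuredSigner();
-$dpopJWT = $jwtConfig->parser()->parse($dpop);
-
-$ath = $dpopJWT->claims()->get('ath');
-if ($ath === null) {
-throw new InvalidTokenException('DPoP "ath" claim is missing');
-}
-
-$hash = hash('sha256', $jwt);
-$encoded = Base64Url::encode($hash);
-return ($ath === $encoded);
+$jwtConfig->parser()->parse($dpop);
+
+/**
+* @FIXME: ATH claim is not yet supported/required by the Solid OIDC specification.
+* Once the Solid spec catches up to the DPOP spec, not having an ATH is incorrect.
+* At that point, instead of returning "true", throw an exception:
+*
+* @see https://github.com/pdsinterop/php-solid-auth/issues/34
+*/
+// throw new InvalidTokenException('DPoP "ath" claim is missing');
+return true;
 }
 
 /**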
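Review bot: validateJwtDpop() now ignores the "ath" claim even when the proof carries one — the parsed token on new line 169 is discarded and line 179 returns true unconditionally, so a DPoP proof whose "ath" was computed over a different access token is accepted and the proof-to-token binding is lost. Making the claim optional only needs the null case to return early; when "ath" is present it should still be compared against the hash of the presented access token. If that comparison is reinstated, note that the removed version base64url-encoded the hex digest, whereas draft-ietf-oauth-dpop defines "ath" as base64url of the raw SHA-256 bytes, so hash() needs its third argument set to `true`. The `/** … */` block at new lines 171–177 is a docblock attached to no declaration; a plain `//` comment is the clearer form for an inline FIXME.
```php
$dpopJWT = $jwtConfig->parser()->parse($dpop);
$ath = $dpopJWT->claims()->get('ath');

if ($ath === null) {
    // @FIXME: ATH claim is not yet supported/required by the Solid OIDC specification.
    // Once the Solid spec catches up to the DPOP spec, throw instead of returning true.
    // @see https://github.com/pdsinterop/php-solid-auth/issues/34
    // throw new InvalidTokenException('DPoP "ath" claim is missing');
    return true;
}

// A present "ath" MUST bind this proof to the presented access token (raw digest, base64url)
$expected = Base64Url::encode(hash('sha256', $jwt, true));

return hash_equals($expected, (string) $ath);
```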

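--- a/tests/unit/Utils/DPOPTest.php
+++ b/tests/unit/Utils/DPOPTest.php
@@ -517,6 +517,36 @@ final public function testGetWebIdWithDpopWithoutSub(): void
 $dpop->getWebId($request);
 }
 
+/**
+* @testdox Dpop SHOULD not complain WHEN asked to get WebId from Request with valid DPOP without "ath"
+*
+* @covers ::getWebId
+*
+* @uses \Pdsinterop\Solid\Auth\Utils\DPop::getDpopKey
+* @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
+* @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateJwtDpop
+*/
+final public function testGetWebIdWithDpopWithoutOptionalAth(): void
+{
+unset($this->dpop['payload']['ath']);
+$token = $this->sign($this->dpop);
+
+$mockJtiValidator = $this->createMockJtiValidator();
+$mockJtiValidator->expects($this->once())
+->method('validate')
+->willReturn(true)
+;
+$dpop = new DPop($mockJtiValidator);
+
+$request = new ServerRequest(array(
+'HTTP_AUTHORIZATION' => "dpop {$this->accessToken['token']}",
+'HTTP_DPOP' => $token['token'],
+),array(), $this->url);
+
+$webId = $dpop->getWebId($request);
+
+$this->assertEquals(self::MOCK_SUBJECT, $webId);
+}
 /**
 * @testdox Dpop SHOULD complain WHEN asked to get WebId from Request with valid DPOP without "ath"
 *
@@ -526,8 +556,11 @@ final public function testGetWebIdWithDpopWithoutSub(): void
 * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateDpop
 * @uses \Pdsinterop\Solid\Auth\Utils\DPop::validateJwtDpop
 */
-final public function testGetWebIdWithDpopWithoutAth(): void
+final public function testGetWebIdWithDpopWithoutRequiredAth(): void
 {
+/*/ @see https://github.com/pdsinterop/php-solid-auth/issues/34 /*/
+$this->markTestSkipped('ATH claim is not yet supported/required by the Solid OIDC specification.');
+
 unset($this->dpop['payload']['ath']);
 $token = $this->sign($this->dpop);
 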
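Review bot: With the "missing ath" test now skipped on new line 562 and the new testGetWebIdWithDpopWithoutOptionalAth only covering the absent-claim path, the suite has no case where the proof carries an "ath" that does not match the presented access token, so the binding check can silently stop being enforced. A companion test that sets `$this->dpop['payload']['ath']` to a digest of some other token and expects getWebId() to throw (presumably InvalidTokenException, as the old implementation did) would pin that behaviour. The `/*/ … /*/` delimiters on line 561 are an unusual comment form; `// @see https://github.com/pdsinterop/php-solid-auth/issues/34` reads more clearly, and the new ServerRequest construction on lines 541–544 could use the short `[...]` array syntax.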
