Update idtoken (#42)

* Add signer configuration option. Default algorithm is RS256

* Add ISS

Author: sgomez

config-templates/module_oidc.php

@@ -24,6 +24,12 @@
     // Tag to run storage cleanup script using the cron module...
     'cron_tag' => 'hourly',
 
+    // Set token signer
+    // See Lcobucci\JWT\Signer algorithms in https://github.com/lcobucci/jwt/tree/master/src/Signer
+    'signer' => \Lcobucci\JWT\Signer\Rsa\Sha256::class,
+    // 'signer' => \Lcobucci\JWT\Signer\Hmac\Sha256::class,
+    // 'signer' => \Lcobucci\JWT\Signer\Ecdsa\Sha256::class,
+
     // this is the auth source used for authentication,
     'auth' => 'default-sp',
     // useridattr is the attribute-name that contains the userid as returned from idp

lib/Controller/ClientEditController.php

@@ -71,7 +71,8 @@ public function __invoke(ServerRequest $request)
         $client = $this->getClientFromRequest($request);
 
         $form = $this->formFactory->build(ClientForm::class);
-        $formAction = sprintf("%s/clients/edit.php?client_id=%s",
+        $formAction = sprintf(
+            "%s/clients/edit.php?client_id=%s",
             $this->configurationService->getOpenIdConnectModuleURL(),
             $client->getIdentifier()
         ) ;

lib/Factories/IdTokenResponseFactory.php

@@ -14,7 +14,6 @@
 
 namespace SimpleSAML\Modules\OpenIDConnect\Factories;
 
-use Lcobucci\JWT\Builder;
 use SimpleSAML\Modules\OpenIDConnect\ClaimTranslatorExtractor;
 use SimpleSAML\Modules\OpenIDConnect\Repositories\UserRepository;
 use SimpleSAML\Modules\OpenIDConnect\Server\ResponseTypes\IdTokenResponse;
@@ -49,17 +48,10 @@ public function __construct(
 
     public function build(): IdTokenResponse
     {
-        $builder = (new Builder())
-            ->issuedBy($this->configurationService->getSimpleSAMLSelfURLHost())
-            ->withHeader('kid', 'oidc')
-        ;
-
-        $token = new IdTokenResponse(
+        return new IdTokenResponse(
             $this->userRepository,
             $this->claimTranslatorExtractor,
-            $builder
+            $this->configurationService
         );
-
-        return $token;
     }
 }

lib/Server/ResponseTypes/IdTokenResponse.php

@@ -16,14 +16,14 @@
 
 use Lcobucci\JWT\Builder;
 use Lcobucci\JWT\Signer\Key;
-use Lcobucci\JWT\Signer\Rsa\Sha256;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;
 use OpenIDConnectServer\ClaimExtractor;
 use OpenIDConnectServer\Entities\ClaimSetInterface;
 use OpenIDConnectServer\Repositories\IdentityProviderInterface;
+use SimpleSAML\Modules\OpenIDConnect\Services\ConfigurationService;
 
 /**
  * Class IdTokenResponse.
@@ -45,18 +45,18 @@ class IdTokenResponse extends BearerTokenResponse
      */
     protected $claimExtractor;
     /**
-     * @var Builder
+     * @var ConfigurationService
      */
-    private $builder;
+    private $configurationService;
 
     public function __construct(
         IdentityProviderInterface $identityProvider,
         ClaimExtractor $claimExtractor,
-        Builder $builder
+        ConfigurationService $configurationService
     ) {
         $this->identityProvider = $identityProvider;
         $this->claimExtractor = $claimExtractor;
-        $this->builder = $builder;
+        $this->configurationService = $configurationService;
     }
 
     /**
@@ -78,12 +78,7 @@ protected function getExtraParams(AccessTokenEntityInterface $accessToken)
         }
 
         // Add required id_token claims
-        $builder = $this->builder
-            ->permittedFor($accessToken->getClient()->getIdentifier())
-            ->issuedAt(time())
-            ->expiresAt($accessToken->getExpiryDateTime()->getTimestamp())
-            ->relatedTo($userEntity->getIdentifier())
-        ;
+        $builder = $this->getBuilder($accessToken, $userEntity);
 
         // Need a claim factory here to reduce the number of claims by provided scope.
         $claims = $this->claimExtractor->extract($accessToken->getScopes(), $userEntity->getClaims());
@@ -92,14 +87,29 @@ protected function getExtraParams(AccessTokenEntityInterface $accessToken)
             $builder->withClaim($claimName, $claimValue);
         }
 
-        $key = new Key($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase());
-        $token = $builder->getToken(new Sha256(), $key);
+        $token = $builder->getToken(
+            $this->configurationService->getSigner(),
+            new Key($this->privateKey->getKeyPath(), $this->privateKey->getPassPhrase())
+        );
 
         return [
             'id_token' => (string) $token,
         ];
     }
 
+    protected function getBuilder(AccessTokenEntityInterface $accessToken, UserEntityInterface $userEntity)
+    {
+        return (new Builder())
+            ->issuedBy($this->configurationService->getSimpleSAMLSelfURLHost())
+            ->permittedFor($accessToken->getClient()->getIdentifier())
+            ->identifiedBy($accessToken->getIdentifier())
+            ->canOnlyBeUsedAfter(\time())
+            ->expiresAt($accessToken->getExpiryDateTime()->getTimestamp())
+            ->relatedTo($userEntity->getIdentifier())
+            ->issuedAt(\time())
+            ->withHeader('kid', '0');
+    }
+
     /**
      * @param ScopeEntityInterface[] $scopes
      *

lib/Services/ConfigurationService.php

@@ -14,6 +14,8 @@
 
 namespace SimpleSAML\Modules\OpenIDConnect\Services;
 
+use Lcobucci\JWT\Signer;
+use Lcobucci\JWT\Signer\Rsa\Sha256;
 use SimpleSAML\Configuration;
 use SimpleSAML\Error\ConfigurationError;
 use SimpleSAML\Module;
@@ -118,4 +120,19 @@ function ($scope, $name) {
             }
         );
     }
+
+    public function getSigner(): Signer
+    {
+        /** @psalm-var class-string $signerClassname */
+        $signerClassname = (string) $this->getOpenIDConnectConfiguration()->getString('signer', Sha256::class);
+
+        $class = new \ReflectionClass($signerClassname);
+        $signer = $class->newInstance();
+
+        if (!$signer instanceof Signer) {
+            return new Sha256();
+        }
+
+        return $signer;
+    }
 }