Improve OIDC Compliance #734
Conversation
| @@ -117,6 +117,33 @@ function wp_auth0_can_show_wp_login_form() { | |||
| return false; | |||
| } | |||
|
|
|||
| /** | |||
There was a problem hiding this comment.
Both of these functions were pulled from the old JWT library.
| @@ -4,7 +4,8 @@ | |||
| "homepage": "https://auth0.com/wordpress", | |||
| "license": "GPLv2", | |||
| "require": { | |||
| "php": "^7.0" | |||
| "php": "^7.0", | |||
| "lcobucci/jwt": "^3.3.0" | |||
There was a problem hiding this comment.
Previous library was not managed with Composer.
| @@ -0,0 +1,54 @@ | |||
| <?php | |||
There was a problem hiding this comment.
See this diff for changes from approved PHP SDK ones.
| @@ -0,0 +1,265 @@ | |||
| <?php | |||
There was a problem hiding this comment.
See this diff for changes from approved PHP SDK ones.
| @@ -0,0 +1,76 @@ | |||
| <?php | |||
There was a problem hiding this comment.
See this diff for changes from approved PHP SDK ones.
| @@ -0,0 +1,87 @@ | |||
| <?php | |||
There was a problem hiding this comment.
See this diff for changes from approved PHP SDK ones.
| @@ -0,0 +1,55 @@ | |||
| <?php | |||
There was a problem hiding this comment.
See this diff for changes from approved PHP SDK ones.
| $sigVerifier = new WP_Auth0_AsymmetricVerifier( $jwks ); | ||
| } elseif ( 'HS256' === $this->a0_options->get( 'client_signing_algorithm' ) ) { | ||
| $sigVerifier = new WP_Auth0_SymmetricVerifier( $this->a0_options->get( 'client_secret' ) ); | ||
| } |
There was a problem hiding this comment.
"else" scenario????
Also, you're doing $this->a0_options->get( 'client_signing_algorithm' ) twice. Seems like it can be extracted. Does it have performance impact?
| protected function checkSignature( Token $token ) : bool { | ||
| $tokenKid = $token->getHeader( 'kid', false ); | ||
| if ( ! array_key_exists( $tokenKid, $this->jwks ) ) { | ||
| throw new WP_Auth0_InvalidIdTokenException( 'ID token key ID "' . $tokenKid . '" was not found in the JWKS' ); |
There was a problem hiding this comment.
Should be
Could not find a public key for Key ID (kid) "${decoded.header.kid}"
It looks like that was mapped over from the PHP SDK. We'll extract this out into it's own library in Phase 2 so this is consistent everywhere. |
Changes
This update improves the SDK support for OpenID Connect. In particular, it modifies the sign in verification phase by substituting backchannel based checks with id_token validation.
Note to reviewers: This re-uses the majority of the PHP SDK token verifier work. Please see this draft PR to review the differences between the core verification classes. ~540 added lines are represented in that diff.
References
Testing
Manual testing:
Checklist