Merge branch 'add-support-for-private-key-jwt' into handle-applicatio…

…n-jwt # Conflicts: # CHANGELOG.md
jumbojett · Oct 6, 2022 · ec92e27 · ec92e27
2 parents f3196f3 + bddb3bf
commit ec92e27
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [unreleased]
 * Support for signed and encrypted UserInfo response. #305
 * Support for signed and encrypted ID Token. #305
+* Added support for `private_key_jwt` Client Authentication method #322
 
 ## [0.9.8]
 

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -222,6 +222,11 @@ class OpenIDConnectClient
      */
     private $issuerValidator;
 
+    /**
+     * @var callable|null generator function for private key jwt client authentication
+     */
+    private $privateKeyJwtGenerator;
+
     /**
      * @var bool Allow OAuth 2 implicit flow; see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
      */
@@ -811,6 +816,12 @@ protected function requestTokens($code, $headers = array()) {
             unset($token_params['client_id']);
         }
 
+        // When there is a private key jwt generator and it is supported then use it as client authentication
+        if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
+            $token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+            $token_params['client_assertion'] = $this->privateKeyJwtGenerator->__invoke($token_endpoint);
+        }
+
         $ccm = $this->getCodeChallengeMethod();
         $cv = $this->getCodeVerifier();
         if (!empty($ccm) && !empty($cv)) {
@@ -1520,6 +1531,18 @@ public function setIssuerValidator($issuerValidator) {
         $this->issuerValidator = $issuerValidator;
     }
 
+    /**
+     * Use this for private_key_jwt client authentication
+     * The given function should accept the token_endpoint string as the only argument
+     * and return a jwt signed with your private key according to:
+     * https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+     *
+     * @param callable $privateKeyJwtGenerator
+     */
+    public function setPrivateKeyJwtGenerator($privateKeyJwtGenerator) {
+        $this->privateKeyJwtGenerator = $privateKeyJwtGenerator;
+    }
+
     /**
      * @param bool $allowImplicitFlow
      */
@@ -1999,6 +2022,14 @@ public function getIssuerValidator() {
         return $this->issuerValidator;
     }
 
+
+    /**
+     * @return callable
+     */
+    public function getPrivateKeyJwtGenerator() {
+        return $this->privateKeyJwtGenerator;
+    }
+
     /**
      * @return int
      */