Merge pull request #14 from PBXg33k/feature/claims

Audience claim fix and updates too match RFC
kleijnweb · Jan 26, 2017 · cdd018c · cdd018c
2 parents c3babf6 + f5c4db2
commit cdd018c
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/composer.json b/composer.json
@@ -32,7 +32,8 @@
     "symfony/framework-bundle": "^2.6.0",
     "symfony/browser-kit": "^2.6.0",
     "symfony/form": "^2.6.0",
-    "satooshi/php-coveralls": "<1.0"
+    "satooshi/php-coveralls": "<1.0",
+    "mikey179/vfsStream": "^1.6"
   },
   "config": {
     "bin-dir": "bin"

diff --git a/src/Authenticator/JwtKey.php b/src/Authenticator/JwtKey.php
@@ -36,9 +36,9 @@ class JwtKey
     private $type = self::TYPE_HMAC;
 
     /**
-     * @var string
+     * @var array
      */
-    private $audience;
+    private $audience = [];
 
     /**
      * @var int
@@ -79,7 +79,7 @@ public function __construct(array $options)
         $defaults = [
             'kid'          => null,
             'issuer'       => null,
-            'audience'     => null,
+            'audience'     => [],
             'minIssueTime' => null,
             'leeway'       => 0,
             'type'         => $this->type,
@@ -161,7 +161,7 @@ public function validateClaims(array $claims)
         if ($this->minIssueTime && !isset($claims['iat'])) {
             throw new \InvalidArgumentException("Claim 'iat' is required");
         }
-        if ($this->audience && !isset($claims['aud'])) {
+        if (!empty($this->audience) && !isset($claims['aud'])) {
             throw new \InvalidArgumentException("Claim 'aud' is required");
         }
         if ((!isset($claims['sub']) || empty($claims['sub'])) && (!isset($claims['prn']) || empty($claims['prn']))) {
@@ -179,7 +179,12 @@ public function validateClaims(array $claims)
         if (isset($claims['iss']) && $claims['iss'] !== $this->issuer) {
             throw new \InvalidArgumentException("Issuer mismatch");
         }
-        if (isset($claims['aud']) && $claims['aud'] !== $this->audience) {
+        if (isset($claims['aud']) &&
+            (
+                (is_array($this->audience) && !in_array($claims['aud'], $this->audience))
+                || (!is_array($this->audience) && $claims['aud'] !== $this->audience)
+            )
+        ) {
             throw new \InvalidArgumentException("Audience mismatch");
         }
     }

diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -35,6 +35,9 @@ public function getConfigTreeBuilder()
                             ->scalarNode('secret')->end()
                             ->scalarNode('loader')->end()
                             ->scalarNode('type')->defaultValue('HS256')->end()
+                            ->arrayNode('audience')
+                                ->prototype('scalar')->end()
+                            ->end()
                         ->end()
                     ->end()
                 ->end()

diff --git a/src/Tests/Authenticator/JwtKeyTest.php b/src/Tests/Authenticator/JwtKeyTest.php
@@ -68,6 +68,15 @@ public function validateTokenWillCallVerifySignatureOnToken()
         $key->validateToken($this->createTokenMock($secret, $key));
     }
 
+    /**
+     * @test
+     */
+    public function willValidateIfAudienceIsConfiguredAndMatchedAny()
+    {
+        $key = new JwtKey(['secret'=> 'Buy the book', 'audience' => ['author', 'reader']]);
+        $key->validateClaims(['sub' => 'john', 'aud' => 'reader']);
+    }
+
     /**
      * @test
      */