Total Complexity | 63 |
Total Lines | 463 |
Duplicated Lines | 0 % |
Changes | 7 | ||
Bugs | 1 | Features | 0 |
Complex classes like IdTokenBuilder often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use IdTokenBuilder, and based on these observations, apply Extract Interface, too.
1 | <?php |
||
34 | class IdTokenBuilder |
||
35 | { |
||
36 | /** |
||
37 | * @var string |
||
38 | */ |
||
39 | private $issuer; |
||
40 | |||
41 | /** |
||
42 | * @var Client |
||
43 | */ |
||
44 | private $client; |
||
45 | |||
46 | /** |
||
47 | * @var UserAccount |
||
48 | */ |
||
49 | private $userAccount; |
||
50 | |||
51 | /** |
||
52 | * @var string |
||
53 | */ |
||
54 | private $redirectUri; |
||
55 | |||
56 | /** |
||
57 | * @var UserInfo |
||
58 | */ |
||
59 | private $userinfo; |
||
60 | |||
61 | /** |
||
62 | * @var JWKSet |
||
63 | */ |
||
64 | private $signatureKeys; |
||
65 | |||
66 | /** |
||
67 | * @var int |
||
68 | */ |
||
69 | private $lifetime; |
||
70 | |||
71 | /** |
||
72 | * @var string |
||
73 | */ |
||
74 | private $scope; |
||
75 | |||
76 | /** |
||
77 | * @var array |
||
78 | */ |
||
79 | private $requestedClaims = []; |
||
80 | |||
81 | /** |
||
82 | * @var string |
||
83 | */ |
||
84 | private $claimsLocales; |
||
85 | |||
86 | /** |
||
87 | * @var null|AccessTokenId |
||
88 | */ |
||
89 | private $accessTokenId; |
||
90 | |||
91 | /** |
||
92 | * @var null|AuthorizationCodeId |
||
93 | */ |
||
94 | private $authorizationCodeId; |
||
95 | |||
96 | /** |
||
97 | * @var string |
||
98 | */ |
||
99 | private $nonce; |
||
100 | |||
101 | /** |
||
102 | * @var bool |
||
103 | */ |
||
104 | private $withAuthenticationTime = false; |
||
105 | |||
106 | /** |
||
107 | * @var JWSBuilder |
||
108 | */ |
||
109 | private $jwsBuilder; |
||
110 | |||
111 | /** |
||
112 | * @var string |
||
113 | */ |
||
114 | private $signatureAlgorithm; |
||
115 | |||
116 | /** |
||
117 | * @var JWEBuilder |
||
118 | */ |
||
119 | private $jweBuilder; |
||
120 | |||
121 | /** |
||
122 | * @var string |
||
123 | */ |
||
124 | private $keyEncryptionAlgorithm; |
||
125 | |||
126 | /** |
||
127 | * @var string |
||
128 | */ |
||
129 | private $contentEncryptionAlgorithm; |
||
130 | |||
131 | /** |
||
132 | * @var \DateTimeImmutable |
||
133 | */ |
||
134 | private $expiresAt; |
||
135 | |||
136 | /** |
||
137 | * @var null|JKUFactory |
||
138 | */ |
||
139 | private $jkuFactory; |
||
140 | |||
141 | /** |
||
142 | * @var null|AuthorizationCodeRepository |
||
143 | */ |
||
144 | private $authorizationCodeRepository; |
||
145 | |||
146 | public function __construct(string $issuer, UserInfo $userinfo, int $lifetime, Client $client, UserAccount $userAccount, string $redirectUri, ?JKUFactory $jkuFactory, ?AuthorizationCodeRepository $authorizationCodeRepository) |
||
147 | { |
||
148 | $this->issuer = $issuer; |
||
149 | $this->userinfo = $userinfo; |
||
150 | $this->lifetime = $lifetime; |
||
151 | $this->client = $client; |
||
152 | $this->userAccount = $userAccount; |
||
153 | $this->redirectUri = $redirectUri; |
||
154 | $this->jkuFactory = $jkuFactory; |
||
155 | $this->authorizationCodeRepository = $authorizationCodeRepository; |
||
156 | } |
||
157 | |||
158 | public function setAccessToken(AccessToken $accessToken): void |
||
159 | { |
||
160 | $this->accessTokenId = $accessToken->getId(); |
||
161 | $this->expiresAt = $accessToken->getExpiresAt(); |
||
162 | $this->scope = $accessToken->getParameter()->has('scope') ? $accessToken->getParameter()->get('scope') : null; |
||
163 | |||
164 | if ($accessToken->getMetadata()->has('authorization_code_id') && null !== $this->authorizationCodeRepository) { |
||
165 | $authorizationCodeId = new AuthorizationCodeId($accessToken->getMetadata()->get('authorization_code_id')); |
||
|
|||
166 | $authorizationCode = $this->authorizationCodeRepository->find($authorizationCodeId); |
||
167 | if (null === $authorizationCode) { |
||
168 | return; |
||
169 | } |
||
170 | $this->authorizationCodeId = $authorizationCodeId; |
||
171 | $queryParams = $authorizationCode->getQueryParameters(); |
||
172 | foreach (['nonce' => 'nonce', 'claims_locales' => 'claimsLocales'] as $k => $v) { |
||
173 | if (\array_key_exists($k, $queryParams)) { |
||
174 | $this->{$v} = $queryParams[$k]; |
||
175 | } |
||
176 | } |
||
177 | $this->withAuthenticationTime = \array_key_exists('max_age', $authorizationCode->getQueryParameters()); |
||
178 | } |
||
179 | } |
||
180 | |||
181 | public function withAccessTokenId(AccessTokenId $accessTokenId): void |
||
182 | { |
||
183 | $this->accessTokenId = $accessTokenId; |
||
184 | } |
||
185 | |||
186 | public function withAuthorizationCodeId(AuthorizationCodeId $authorizationCodeId): void |
||
187 | { |
||
188 | $this->authorizationCodeId = $authorizationCodeId; |
||
189 | } |
||
190 | |||
191 | public function withClaimsLocales(string $claimsLocales): void |
||
192 | { |
||
193 | $this->claimsLocales = $claimsLocales; |
||
194 | } |
||
195 | |||
196 | public function withAuthenticationTime(): void |
||
197 | { |
||
198 | $this->withAuthenticationTime = true; |
||
199 | } |
||
200 | |||
201 | public function withScope(string $scope): void |
||
202 | { |
||
203 | $this->scope = $scope; |
||
204 | } |
||
205 | |||
206 | public function withRequestedClaims(array $requestedClaims): void |
||
207 | { |
||
208 | $this->requestedClaims = $requestedClaims; |
||
209 | } |
||
210 | |||
211 | public function withNonce(string $nonce): void |
||
212 | { |
||
213 | $this->nonce = $nonce; |
||
214 | } |
||
215 | |||
216 | public function withExpirationAt(\DateTimeImmutable $expiresAt): void |
||
219 | } |
||
220 | |||
221 | public function withoutAuthenticationTime(): void |
||
222 | { |
||
223 | $this->withAuthenticationTime = false; |
||
224 | } |
||
225 | |||
226 | public function withSignature(JWSBuilder $jwsBuilder, JWKSet $signatureKeys, string $signatureAlgorithm): void |
||
227 | { |
||
228 | if (!\in_array($signatureAlgorithm, $jwsBuilder->getSignatureAlgorithmManager()->list(), true)) { |
||
229 | throw new InvalidArgumentException(\Safe\sprintf('Unsupported signature algorithm "%s". Please use one of the following one: %s', $signatureAlgorithm, implode(', ', $jwsBuilder->getSignatureAlgorithmManager()->list()))); |
||
230 | } |
||
231 | if (0 === $signatureKeys->count()) { |
||
232 | throw new InvalidArgumentException('The signature key set must contain at least one key.'); |
||
233 | } |
||
234 | $this->jwsBuilder = $jwsBuilder; |
||
235 | $this->signatureKeys = $signatureKeys; |
||
236 | $this->signatureAlgorithm = $signatureAlgorithm; |
||
237 | } |
||
238 | |||
239 | public function withEncryption(JWEBuilder $jweBuilder, string $keyEncryptionAlgorithm, string $contentEncryptionAlgorithm): void |
||
240 | { |
||
241 | if (!\in_array($keyEncryptionAlgorithm, $jweBuilder->getKeyEncryptionAlgorithmManager()->list(), true)) { |
||
242 | throw new InvalidArgumentException(\Safe\sprintf('Unsupported key encryption algorithm "%s". Please use one of the following one: %s', $keyEncryptionAlgorithm, implode(', ', $jweBuilder->getKeyEncryptionAlgorithmManager()->list()))); |
||
243 | } |
||
244 | if (!\in_array($contentEncryptionAlgorithm, $jweBuilder->getContentEncryptionAlgorithmManager()->list(), true)) { |
||
245 | throw new InvalidArgumentException(\Safe\sprintf('Unsupported content encryption algorithm "%s". Please use one of the following one: %s', $contentEncryptionAlgorithm, implode(', ', $jweBuilder->getContentEncryptionAlgorithmManager()->list()))); |
||
246 | } |
||
247 | $this->jweBuilder = $jweBuilder; |
||
248 | $this->keyEncryptionAlgorithm = $keyEncryptionAlgorithm; |
||
249 | $this->contentEncryptionAlgorithm = $contentEncryptionAlgorithm; |
||
250 | } |
||
251 | |||
252 | public function build(): string |
||
253 | { |
||
254 | if (null === $this->scope) { |
||
255 | throw new \LogicException('It is mandatory to set the scope.'); |
||
256 | } |
||
257 | $data = $this->userinfo->getUserinfo($this->client, $this->userAccount, $this->redirectUri, $this->requestedClaims, $this->scope, $this->claimsLocales); |
||
258 | //$data = $this->updateClaimsWithAmrAndAcrInfo($data, $this->userAccount); |
||
259 | $data = $this->updateClaimsWithAuthenticationTime($data, $this->requestedClaims); |
||
260 | $data = $this->updateClaimsWithNonce($data); |
||
261 | if (null !== $this->signatureAlgorithm) { |
||
262 | $data = $this->updateClaimsWithJwtClaims($data); |
||
263 | $data = $this->updateClaimsWithTokenHash($data); |
||
264 | $data = $this->updateClaimsAudience($data); |
||
265 | $result = $this->computeIdToken($data); |
||
266 | } else { |
||
267 | $result = \Safe\json_encode($data, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); |
||
268 | } |
||
269 | |||
270 | if (null !== $this->keyEncryptionAlgorithm && null !== $this->contentEncryptionAlgorithm) { |
||
271 | $result = $this->tryToEncrypt($this->client, $result); |
||
272 | } |
||
273 | |||
274 | return $result; |
||
275 | } |
||
276 | |||
277 | private function updateClaimsWithJwtClaims(array $claims): array |
||
278 | { |
||
279 | if (null === $this->expiresAt) { |
||
280 | $this->expiresAt = (new \DateTimeImmutable())->setTimestamp(time() + $this->lifetime); |
||
281 | } |
||
282 | $claims += [ |
||
283 | 'iat' => time(), |
||
284 | 'nbf' => time(), |
||
285 | 'exp' => $this->expiresAt->getTimestamp(), |
||
286 | 'jti' => Base64Url::encode(random_bytes(16)), |
||
287 | 'iss' => $this->issuer, |
||
288 | ]; |
||
289 | |||
290 | return $claims; |
||
291 | } |
||
292 | |||
293 | private function updateClaimsWithAuthenticationTime(array $claims, array $requestedClaims): array |
||
294 | { |
||
295 | if ((true === $this->withAuthenticationTime || \array_key_exists('auth_time', $requestedClaims)) && null !== $this->userAccount->getLastLoginAt()) { |
||
296 | $claims['auth_time'] = $this->userAccount->getLastLoginAt(); |
||
297 | } |
||
298 | |||
299 | return $claims; |
||
300 | } |
||
301 | |||
302 | private function updateClaimsWithNonce(array $claims): array |
||
309 | } |
||
310 | |||
311 | private function updateClaimsAudience(array $claims): array |
||
312 | { |
||
313 | $claims['aud'] = [ |
||
314 | $this->client->getPublicId()->getValue(), |
||
315 | $this->issuer, |
||
316 | ]; |
||
317 | $claims['azp'] = $this->client->getPublicId()->getValue(); |
||
318 | |||
320 | } |
||
321 | |||
322 | private function computeIdToken(array $claims): string |
||
323 | { |
||
324 | $signatureKey = $this->getSignatureKey($this->signatureAlgorithm); |
||
336 | } |
||
337 | |||
338 | private function tryToEncrypt(Client $client, string $jwt): string |
||
339 | { |
||
340 | $clientKeySet = $this->getClientKeySet($client); |
||
341 | $keyEncryptionAlgorithm = $this->jweBuilder->getKeyEncryptionAlgorithmManager()->get($this->keyEncryptionAlgorithm); |
||
342 | $encryptionKey = $clientKeySet->selectKey('enc', $keyEncryptionAlgorithm); |
||
343 | if (null === $encryptionKey) { |
||
344 | throw new InvalidArgumentException('No encryption key available for the client.'); |
||
345 | } |
||
346 | $header = [ |
||
347 | 'typ' => 'JWT', |
||
348 | 'jti' => Base64Url::encode(random_bytes(16)), |
||
349 | 'alg' => $this->keyEncryptionAlgorithm, |
||
350 | 'enc' => $this->contentEncryptionAlgorithm, |
||
351 | ]; |
||
352 | $jwe = $this->jweBuilder |
||
353 | ->create() |
||
354 | ->withPayload($jwt) |
||
355 | ->withSharedProtectedHeader($header) |
||
356 | ->addRecipient($encryptionKey) |
||
357 | ->build() |
||
358 | ; |
||
359 | $serializer = new JweCompactSerializer(); |
||
360 | |||
361 | return $serializer->serialize($jwe, 0); |
||
362 | } |
||
363 | |||
364 | private function getSignatureKey(string $signatureAlgorithm): JWK |
||
365 | { |
||
366 | $keys = $this->signatureKeys; |
||
367 | if ($this->client->has('client_secret')) { |
||
368 | $jwk = new JWK([ |
||
369 | 'kty' => 'oct', |
||
370 | 'use' => 'sig', |
||
371 | 'k' => Base64Url::encode($this->client->get('client_secret')), |
||
372 | ]); |
||
373 | $keys = $keys->with($jwk); |
||
374 | } |
||
375 | $algorithm = $this->jwsBuilder->getSignatureAlgorithmManager()->get($signatureAlgorithm); |
||
376 | if ('none' === $algorithm->name()) { |
||
377 | return new JWK(['kty' => 'none', 'alg' => 'none', 'use' => 'sig']); |
||
378 | } |
||
379 | $signatureKey = $keys->selectKey('sig', $algorithm); |
||
380 | if (null === $signatureKey) { |
||
381 | throw new InvalidArgumentException('Unable to find a key to sign the ID Token. Please verify the selected key set contains suitable keys.'); |
||
382 | } |
||
383 | |||
384 | return $signatureKey; |
||
385 | } |
||
386 | |||
387 | private function getHeaders(JWK $signatureKey, string $signatureAlgorithm): array |
||
388 | { |
||
389 | $header = [ |
||
390 | 'typ' => 'JWT', |
||
391 | 'alg' => $signatureAlgorithm, |
||
392 | ]; |
||
393 | if ($signatureKey->has('kid')) { |
||
394 | $header['kid'] = $signatureKey->get('kid'); |
||
395 | } |
||
396 | |||
397 | return $header; |
||
398 | } |
||
399 | |||
400 | private function updateClaimsWithTokenHash(array $claims): array |
||
401 | { |
||
402 | if ('none' === $this->signatureAlgorithm) { |
||
403 | return $claims; |
||
404 | } |
||
405 | if (null !== $this->accessTokenId) { |
||
406 | $claims['at_hash'] = $this->getHash($this->accessTokenId->getValue()); |
||
407 | } |
||
408 | if (null !== $this->authorizationCodeId) { |
||
409 | $claims['c_hash'] = $this->getHash($this->authorizationCodeId->getValue()); |
||
410 | } |
||
411 | |||
412 | return $claims; |
||
413 | } |
||
414 | |||
415 | private function getHash(string $tokenId): string |
||
418 | } |
||
419 | |||
420 | private function getHashMethod(): string |
||
442 | } |
||
443 | |||
444 | private function getHashSize(): int |
||
445 | { |
||
446 | $map = [ |
||
447 | 'HS256' => 16, |
||
448 | 'ES256' => 16, |
||
449 | 'RS256' => 16, |
||
450 | 'PS256' => 16, |
||
451 | 'HS384' => 24, |
||
452 | 'ES384' => 24, |
||
453 | 'RS384' => 24, |
||
454 | 'PS384' => 24, |
||
455 | 'HS512' => 32, |
||
456 | 'ES512' => 32, |
||
457 | 'RS512' => 32, |
||
458 | 'PS512' => 32, |
||
459 | ]; |
||
460 | |||
461 | if (!\array_key_exists($this->signatureAlgorithm, $map)) { |
||
462 | throw new InvalidArgumentException(\Safe\sprintf('Algorithm "%s" is not supported', $this->signatureAlgorithm)); |
||
463 | } |
||
464 | |||
465 | return $map[$this->signatureAlgorithm]; |
||
466 | } |
||
467 | |||
468 | private function getClientKeySet(Client $client): JWKSet |
||
497 | } |
||
498 | } |
||
499 |