feat: add idtoken to refresh_token grant

smarcet · smarcet · commit 021bee3da4f6 · 2024-07-23T12:34:26.000-03:00
Change-Id: I8a772f58192cce9e7da6fffceff5bad19e55caed
diff --git a/app/Services/OAuth2/TokenService.php b/app/Services/OAuth2/TokenService.php
@@ -1338,9 +1338,9 @@ public function clearAccessTokensForRefreshToken($value, $is_hashed = false)
     }
 
     /**
-     * @param string $nonce
      * @param string $client_id
      * @param AccessToken|null $access_token
+     * @param string|null $nonce
      * @param AuthorizationCode|null $auth_code
      * @return IBasicJWT
      * @throws AbsentClientException
@@ -1351,14 +1351,16 @@ public function clearAccessTokensForRefreshToken($value, $is_hashed = false)
      */
     public function createIdToken
     (
-        $nonce,
-        $client_id,
+        string $client_id,
         AccessToken $access_token = null,
-        AuthorizationCode $auth_code = null
-    )
+        ?string $nonce = null,
+        ?AuthorizationCode $auth_code = null
+    ):IBasicJWT
     {
+        Log::debug(sprintf("TokenService::createIdToken client id is %s", $client_id));
+
         $issuer = $this->configuration_service->getSiteUrl();
-        if (empty($issuer)) throw new ConfigurationException('missing idp url');
+        if (empty($issuer)) throw new ConfigurationException('Missing IDP URL.');
 
         $client = $this->client_repository->getClientById($client_id);
         $id_token_lifetime = $this->configuration_service->getConfigValue('OAuth2.IdToken.Lifetime');
@@ -1368,7 +1370,7 @@ public function createIdToken
             (
                 sprintf
                 (
-                    "client id %d does not exists!",
+                    "Client id %d does not exists.",
                     $client_id
                 )
             );
@@ -1378,7 +1380,13 @@ public function createIdToken
 
         if (is_null($user)) {
             $user_id = $this->principal_service->get()->getUserId();
-            Log::debug(sprintf("user id is %s", $user_id));
+            Log::debug(sprintf("TokenService::createIdToken user id is %s from principal service", $user_id));
+            $user = $this->auth_service->getUserById($user_id);
+        }
+
+        if(is_null($user) && !is_null($access_token)){
+            $user_id = $access_token->getUserId();
+            Log::debug(sprintf("TokenService::createIdToken user id is %s from access token", $user_id));
             $user = $this->auth_service->getUserById($user_id);
         }
 
@@ -1428,6 +1436,7 @@ public function createIdToken
         if (!is_null($sig_alg) && !is_null($auth_code))
             $this->buildAuthCodeHashClaim($auth_code, $sig_alg, $claim_set);
 
+        // auth_time claim
         $this->buildAuthTimeClaim($claim_set);
 
         return $this->id_token_builder->buildJWT($claim_set, $id_token_response_info, $client);
diff --git a/app/libs/OAuth2/Factories/OAuth2AccessTokenFragmentResponseFactory.php b/app/libs/OAuth2/Factories/OAuth2AccessTokenFragmentResponseFactory.php
@@ -63,9 +63,9 @@ static public function build
 
                 $id_token = $token_service->createIdToken
                 (
-                    $request->getNonce(),
                     $request->getClientId(),
-                    $access_token
+                    $access_token,
+                    $request->getNonce()
                 );
             }
 
diff --git a/app/libs/OAuth2/Factories/OAuth2AccessTokenResponseFactory.php b/app/libs/OAuth2/Factories/OAuth2AccessTokenResponseFactory.php
@@ -72,9 +72,9 @@ static public function build
 
                     $id_token = $token_service->createIdToken
                     (
-                        $auth_code->getNonce(),
                         $auth_code->getClientId(),
-                        $access_token
+                        $access_token,
+                        $auth_code->getNonce()
                     );
                 }
 
@@ -86,9 +86,9 @@ static public function build
 
                 $id_token = $token_service->createIdToken
                 (
-                    $auth_code->getNonce(),
                     $auth_code->getClientId(),
-                    $access_token
+                    $access_token,
+                    $auth_code->getNonce()
                 );
             }
 
diff --git a/app/libs/OAuth2/GrantTypes/HybridGrantType.php b/app/libs/OAuth2/GrantTypes/HybridGrantType.php
@@ -204,12 +204,11 @@ protected function buildResponse(OAuth2AuthorizationRequest $request, $has_forme
 
         if (in_array(OAuth2Protocol::OAuth2Protocol_ResponseType_IdToken, $request->getResponseType(false)))
         {
-
             $id_token = $this->token_service->createIdToken
             (
-                $request->getNonce(),
                 $request->getClientId(),
                 $access_token,
+                $request->getNonce(),
                 $auth_code
             );
         }
diff --git a/app/libs/OAuth2/GrantTypes/PasswordlessGrantType.php b/app/libs/OAuth2/GrantTypes/PasswordlessGrantType.php
@@ -381,9 +381,9 @@ public function completeFlow(OAuth2Request $request)
 
             $id_token = $this->token_service->createIdToken
             (
-                $otp->getNonce(),
                 $this->client->getClientId(),
-                $access_token
+                $access_token,
+                $otp->getNonce()
             );
 
             $refresh_token = $access_token->getRefreshToken();
diff --git a/app/libs/OAuth2/GrantTypes/RefreshBearerTokenGrantType.php b/app/libs/OAuth2/GrantTypes/RefreshBearerTokenGrantType.php
@@ -19,12 +19,13 @@
 use OAuth2\Exceptions\UseRefreshTokenException;
 use OAuth2\Models\IClient;
 use OAuth2\Repositories\IClientRepository;
+use OAuth2\Responses\OAuth2AccessTokenResponse;
+use OAuth2\Responses\OAuth2IdTokenResponse;
 use OAuth2\Services\ITokenService;
 use OAuth2\OAuth2Protocol;
 use OAuth2\Requests\OAuth2RefreshAccessTokenRequest;
 use OAuth2\Requests\OAuth2Request;
 use OAuth2\Requests\OAuth2TokenRequest;
-use OAuth2\Responses\OAuth2AccessTokenResponse;
 use OAuth2\Responses\OAuth2Response;
 use OAuth2\Services\IClientService;
 use Utils\Services\ILogService;
@@ -169,15 +170,43 @@ public function completeFlow(OAuth2Request $request)
             $new_refresh_token = $this->token_service->createRefreshToken($access_token, true);
         }
 
-        $response = new OAuth2AccessTokenResponse
+        // add id token on response ( new id token )
+        // see https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
+        // considerations
+        // 1. if the ID Token contains an auth_time Claim, its value MUST represent the time of the original
+        //    authentication - not the time that the new ID token is issued.
+        // 2. it SHOULD NOT have a nonce Claim, even when the ID Token issued at the time of the original authentication
+        //   contained nonce; however, if it is present, its value MUST be the same as in the ID Token issued at the
+        //  time of the original authentication
+        $id_token = null;
+
+        $access_token_scopes = explode(' ', $access_token->getScope());
+        if(in_array(OAuth2Protocol::OpenIdConnect_Scope,$access_token_scopes)) {
+
+            $id_token = $this->token_service->createIdToken
+            (
+                $this->current_client->getClientId(),
+                $access_token
+            );
+        }
+
+        if(!is_null($id_token))
+            return new OAuth2IdTokenResponse
+            (
+                $access_token->getValue(),
+                $access_token->getLifetime(),
+                $id_token->toCompactSerialization(),
+                !is_null($new_refresh_token) ? $new_refresh_token->getValue() : null,
+                $scope
+            );
+
+        return new OAuth2AccessTokenResponse
         (
             $access_token->getValue(),
             $access_token->getLifetime(),
             !is_null($new_refresh_token) ? $new_refresh_token->getValue() : null,
             $scope
         );
-
-        return $response;
     }
 
     /**
diff --git a/app/libs/OAuth2/Services/ITokenService.php b/app/libs/OAuth2/Services/ITokenService.php
@@ -179,21 +179,20 @@ public function invalidateRefreshToken(string $value, bool $is_hashed = false, ?
      */
     public function revokeRefreshToken(string $value, bool $is_hashed = false, ?User $current_user = null);
 
-
     /**
-     * @param string $nonce
      * @param string $client_id
      * @param AccessToken|null $access_token
-     * @param AuthorizationCode $auth_code
+     * @param AuthorizationCode|null $auth_code
+     * @param string|null $nonce
      * @return IBasicJWT
      */
     public function createIdToken
     (
-        $nonce,
-        $client_id,
-        AccessToken $access_token    = null,
-        AuthorizationCode $auth_code = null
-    );
+        string $client_id,
+        ?AccessToken $access_token = null,
+        ?string $nonce = null,
+        ?AuthorizationCode $auth_code = null
+    ):IBasicJWT;
 
     /**
      * @param OAuth2PasswordlessAuthenticationRequest $request
diff --git a/database/seeds/TestSeeder.php b/database/seeds/TestSeeder.php
@@ -235,7 +235,7 @@ private function createTestUsers(){
                 'first_name' => 'Sebastian',
                 'last_name' => 'Marcet',
                 'email' => 'sebastian@tipit.net',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -256,7 +256,7 @@ private function createTestUsers(){
                 'first_name' => 'Sebastian',
                 'last_name' => 'Marcet IDN',
                 'email' => 'hei@やる.ca',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -277,7 +277,7 @@ private function createTestUsers(){
                 'first_name' => 'Márton',
                 'last_name' => 'Kiss',
                 'email' => 'mkiss@tipit.net',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -298,7 +298,7 @@ private function createTestUsers(){
                 'first_name' => '付',
                 'last_name' => '金刚',
                 'email' => 'fujg573@tipit.net',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -319,7 +319,7 @@ private function createTestUsers(){
                 'first_name' => 'Bharath',
                 'last_name' => 'Kumar M R',
                 'email' => 'mrbharathee@tipit.net',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -340,7 +340,7 @@ private function createTestUsers(){
                 'first_name' => '大塚',
                 'last_name' => '元央',
                 'email' => 'yuanying@tipit.net',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -361,7 +361,7 @@ private function createTestUsers(){
                 'first_name' => 'Ian Y.',
                 'last_name' => 'Choi',
                 'email' => 'ianyrchoi@gmail.com',
-                'password' => '1qaz2wsx',
+                'password' => '1Qaz2wsx!',
                 'password_enc' => \Auth\AuthHelper::AlgSHA1_V2_4,
                 'gender' => 'male',
                 'address1' => 'Av. Siempre Viva 111',
@@ -385,7 +385,7 @@ private function createTestUsers(){
             EntityManager::persist($user);
             $raw_password = $payload['password'];
             if(!$user->checkPassword($raw_password))
-                throw new Exception("password verification failed !!!");
+                throw new \Exception("password verification failed !!!");
         }
         EntityManager::flush();
     }
diff --git a/tests/OIDCPasswordlessTest.php b/tests/OIDCPasswordlessTest.php
@@ -621,6 +621,11 @@ public function testCodeInlineFlowComplete()
 
         $this->assertTrue(!empty($refresh_token));
 
+        $id_token = $response->id_token;
+
+        $this->assertTrue(!empty($id_token));
+
+
         $params = [
             'refresh_token' => $refresh_token,
             'grant_type' => OAuth2Protocol::OAuth2Protocol_GrantType_RefreshToken,
@@ -643,9 +648,11 @@ public function testCodeInlineFlowComplete()
         //get new access token and new refresh token...
         $new_access_token = $response->access_token;
         $new_refresh_token = $response->refresh_token;
+        $new_id_token = $response->id_token;
 
         $this->assertTrue(!empty($new_access_token));
         $this->assertTrue(!empty($new_refresh_token));
+        $this->assertTrue(!empty($new_id_token));
 
     }
 

Original file line number	Diff line number	Diff line change
`@@ -63,9 +63,9 @@ static public function build`
`63`	`63`
`64`	`64`	`$id_token = $token_service->createIdToken`
`65`	`65`	`(`
`66`		`- $request->getNonce(),`
`67`	`66`	`$request->getClientId(),`
`68`		`- $access_token`
	`67`	`+ $access_token,`
	`68`	`+ $request->getNonce()`
`69`	`69`	`);`
`70`	`70`	`}`
`71`	`71`
Original file line number	Diff line number	Diff line change
`@@ -72,9 +72,9 @@ static public function build`
`72`	`72`
`73`	`73`	`$id_token = $token_service->createIdToken`
`74`	`74`	`(`
`75`		`- $auth_code->getNonce(),`
`76`	`75`	`$auth_code->getClientId(),`
`77`		`- $access_token`
	`76`	`+ $access_token,`
	`77`	`+ $auth_code->getNonce()`
`78`	`78`	`);`
`79`	`79`	`}`
`80`	`80`
`@@ -86,9 +86,9 @@ static public function build`
`86`	`86`
`87`	`87`	`$id_token = $token_service->createIdToken`
`88`	`88`	`(`
`89`		`- $auth_code->getNonce(),`
`90`	`89`	`$auth_code->getClientId(),`
`91`		`- $access_token`
	`90`	`+ $access_token,`
	`91`	`+ $auth_code->getNonce()`
`92`	`92`	`);`
`93`	`93`	`}`
`94`	`94`
Original file line number	Diff line number	Diff line change
`@@ -204,12 +204,11 @@ protected function buildResponse(OAuth2AuthorizationRequest $request, $has_forme`
`204`	`204`
`205`	`205`	`if (in_array(OAuth2Protocol::OAuth2Protocol_ResponseType_IdToken, $request->getResponseType(false)))`
`206`	`206`	`{`
`207`		`-`
`208`	`207`	`$id_token = $this->token_service->createIdToken`
`209`	`208`	`(`
`210`		`- $request->getNonce(),`
`211`	`209`	`$request->getClientId(),`
`212`	`210`	`$access_token,`
	`211`	`+ $request->getNonce(),`
`213`	`212`	`$auth_code`
`214`	`213`	`);`
`215`	`214`	`}`