http = $http; $this->cache = $cache; $this->jwt = $jwt ?: $this->getJwtService(); } /** * Verifies an id token and returns the authenticated apiLoginTicket. * Throws an exception if the id token is not valid. * The audience parameter can be used to control which id tokens are * accepted. By default, the id token must have been issued to this OAuth2 client. * * @param string $idToken the ID token in JWT format * @param string $audience Optional. The audience to verify against JWt "aud" * @return array the token payload, if successful */ public function verifyIdToken($idToken, $audience = null) { if (empty($idToken)) { throw new LogicException('id_token cannot be null'); } // set phpseclib constants if applicable $this->setPhpsecConstants(); // Check signature $certs = $this->getFederatedSignOnCerts(); foreach ($certs as $cert) { try { $args = [$idToken]; $publicKey = $this->getPublicKey($cert); if (class_exists(Key::class)) { $args[] = new Key($publicKey, 'RS256'); } else { $args[] = $publicKey; $args[] = ['RS256']; } $payload = \call_user_func_array([$this->jwt, 'decode'], $args); if (property_exists($payload, 'aud')) { if ($audience && $payload->aud != $audience) { return false; } } // support HTTP and HTTPS issuers // @see https://developers.google.com/identity/sign-in/web/backend-auth $issuers = array(self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS); if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) { return false; } return (array) $payload; } catch (ExpiredException $e) { return false; } catch (ExpiredExceptionV3 $e) { return false; } catch (SignatureInvalidException $e) { // continue } catch (DomainException $e) { // continue } } return false; } private function getCache() { return $this->cache; } /** * Retrieve and cache a certificates file. * * @param $url string location * @throws \Google\Exception * @return array certificates */ private function retrieveCertsFromLocation($url) { // If we're retrieving a local file, just grab it. if (0 !== strpos($url, 'http')) { if (!$file = file_get_contents($url)) { throw new GoogleException( "Failed to retrieve verification certificates: '" . $url . "'." ); } return json_decode($file, true); } $response = $this->http->get($url); if ($response->getStatusCode() == 200) { return json_decode((string) $response->getBody(), true); } throw new GoogleException( sprintf( 'Failed to retrieve verification certificates: "%s".', $response->getBody()->getContents() ), $response->getStatusCode() ); } // Gets federated sign-on certificates to use for verifying identity tokens. // Returns certs as array structure, where keys are key ids, and values // are PEM encoded certificates. private function getFederatedSignOnCerts() { $certs = null; if ($cache = $this->getCache()) { $cacheItem = $cache->getItem('federated_signon_certs_v3'); $certs = $cacheItem->get(); } if (!$certs) { $certs = $this->retrieveCertsFromLocation( self::FEDERATED_SIGNON_CERT_URL ); if ($cache) { $cacheItem->expiresAt(new DateTime('+1 hour')); $cacheItem->set($certs); $cache->save($cacheItem); } } if (!isset($certs['keys'])) { throw new InvalidArgumentException( 'federated sign-on certs expects "keys" to be set' ); } return $certs['keys']; } private function getJwtService() { $jwtClass = 'JWT'; if (class_exists('\Firebase\JWT\JWT')) { $jwtClass = 'Firebase\JWT\JWT'; } if (property_exists($jwtClass, 'leeway') && $jwtClass::$leeway < 1) { // Ensures JWT leeway is at least 1 // @see https://github.com/google/google-api-php-client/issues/827 $jwtClass::$leeway = 1; } return new $jwtClass; } private function getPublicKey($cert) { $bigIntClass = $this->getBigIntClass(); $modulus = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['n']), 256); $exponent = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['e']), 256); $component = array('n' => $modulus, 'e' => $exponent); if (class_exists('phpseclib3\Crypt\RSA\PublicKey')) { /** @var PublicKey $loader */ $loader = PublicKeyLoader::load($component); return $loader->toString('PKCS8'); } $rsaClass = $this->getRsaClass(); $rsa = new $rsaClass(); $rsa->loadKey($component); return $rsa->getPublicKey(); } private function getRsaClass() { if (class_exists('phpseclib3\Crypt\RSA')) { return 'phpseclib3\Crypt\RSA'; } if (class_exists('phpseclib\Crypt\RSA')) { return 'phpseclib\Crypt\RSA'; } return 'Crypt_RSA'; } private function getBigIntClass() { if (class_exists('phpseclib3\Math\BigInteger')) { return 'phpseclib3\Math\BigInteger'; } if (class_exists('phpseclib\Math\BigInteger')) { return 'phpseclib\Math\BigInteger'; } return 'Math_BigInteger'; } private function getOpenSslConstant() { if (class_exists('phpseclib3\Crypt\AES')) { return 'phpseclib3\Crypt\AES::ENGINE_OPENSSL'; } if (class_exists('phpseclib\Crypt\RSA')) { return 'phpseclib\Crypt\RSA::MODE_OPENSSL'; } if (class_exists('Crypt_RSA')) { return 'CRYPT_RSA_MODE_OPENSSL'; } throw new Exception('Cannot find RSA class'); } /** * phpseclib calls "phpinfo" by default, which requires special * whitelisting in the AppEngine VM environment. This function * sets constants to bypass the need for phpseclib to check phpinfo * * @see phpseclib/Math/BigInteger * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85 */ private function setPhpsecConstants() { if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) { if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) { define('MATH_BIGINTEGER_OPENSSL_ENABLED', true); } if (!defined('CRYPT_RSA_MODE')) { define('CRYPT_RSA_MODE', constant($this->getOpenSslConstant())); } } } }