auth0 · joshcanhelp · Oct 8, 2018 · Sep 5, 2018 · Sep 27, 2018 · Oct 2, 2018
diff --git a/composer.json b/composer.json
@@ -37,9 +37,7 @@
     "test": "SHELL_INTERACTIVE=1 vendor/bin/phpunit --colors=always --coverage-text",
     "test-ci": "vendor/bin/phpunit --colors=always --coverage-clover=build/coverage.xml",
     "phpcs": "\"vendor/bin/phpcs\"",
-    "phpcs-path": "SHELL_INTERACTIVE=1 ./vendor/bin/phpcs",
     "phpcbf": "\"vendor/bin/phpcbf\"",
-    "phpcbf-path": "SHELL_INTERACTIVE=1 ./vendor/bin/phpcbf",
     "sniffs": "\"vendor/bin/phpcs\" -e",
     "config-phpcs": "Dealerdirect\\Composer\\Plugin\\Installers\\PHPCodeSniffer\\Plugin::run"
   }

diff --git a/src/API/Helpers/TokenGenerator.php b/src/API/Helpers/TokenGenerator.php
@@ -1,104 +1,69 @@
-<?php namespace Auth0\SDK\API\Helpers;
+<?php
+namespace Auth0\SDK\API\Helpers;
 
 use Firebase\JWT\JWT;
 
+/**
+ * Class TokenGenerator.
+ * Generates HS256 ID tokens.
+ *
+ * @package Auth0\SDK\API\Helpers
+ */
 class TokenGenerator
 {
-
     /**
-     *
-     * @var string
+     * Default token expiration time.
      */
-    protected $client_id;
+    const DEFAULT_LIFETIME = 3600;
 
     /**
+     * Audience for the ID token.
      *
      * @var string
      */
-    protected $client_secret;
+    protected $audience;
 
     /**
+     * Secret used to encode the token.
      *
      * @var string
      */
-    protected $secret_base64_encoded;
-
-     /**
-      * TokenGenerator Constructor.
-      *
-      * Configuration:
-      *     - client_id              (String)  Required. The id of the application, you can get this in the
-      *                                                  auth0 console
-      *     - client_secret          (String)  Required. The application secret, same comment as above
-      *     - secret_base64_encoded  (Bool)  Required. Is the secret Base64 encoded?
-      *
-      * @param array $credentials
-      */
-    public function __construct($credentials)
-    {
-        if (! isset($credentials['secret_base64_encoded'])) {
-            $credentials['secret_base64_encoded'] = true;
-        }
-
-        $this->client_id             = $credentials['client_id'];
-        $this->client_secret         = $credentials['client_secret'];
-        $this->secret_base64_encoded = $credentials['secret_base64_encoded'];
-    }
+    protected $secret;
 
     /**
+     * TokenGenerator constructor.
      *
-     * @param  string $input
-     * @return string
+     * @param string $audience ID token audience to set.
+     * @param string $secret   Token encryption secret to encode the token.
      */
-    protected function bstr2bin($input)
+    public function __construct($audience, $secret)
     {
-        // Unpack as a hexadecimal string
-        $value = $this->str2hex($input);
-
-        // Output binary representation
-        return base_convert($value, 16, 2);
+        $this->audience = $audience;
+        $this->secret   = $secret;
     }
 
     /**
+     * Create the ID token.
      *
-     * @param  string $input
-     * @return mixed
-     */
-    protected function str2hex($input)
-    {
-        $data = unpack('H*', $input);
-        return $data[1];
-    }
-
-    /**
+     * @param array   $scopes         Array of scopes to include.
+     * @param integer $lifetime       Lifetime of the token, in seconds.
+     * @param boolean $secret_encoded True to base64 decode the client secret.
      *
-     * @param  $scopes
-     * @param  integer $lifetime
      * @return string
      */
-    public function generate($scopes, $lifetime = 36000)
+    public function generate(array $scopes, $lifetime = self::DEFAULT_LIFETIME, $secret_encoded = true)
     {
-        $time = time();
-
-        $payload = [
+        $time           = time();
+        $payload        = [
             'iat' => $time,
-            'scopes' => $scopes
+            'scopes' => $scopes,
+            'exp' => $time + $lifetime,
+            'aud' => $this->audience,
         ];
+        $payload['jti'] = md5(json_encode($payload));
 
-        $jti = md5(json_encode($payload));
-
-        $payload['jti'] = $jti;
-        $payload['exp'] = $time + $lifetime;
-        $payload['aud'] = $this->client_id;
-
-        if ($this->secret_base64_encoded) {
-            $secret = base64_decode(strtr($this->client_secret, '-_', '+/'));
-        } else {
-            $secret = $this->client_secret;
-        }
-
-        $jwt = JWT::encode($payload, $secret);
+        $secret = $secret_encoded ? base64_decode(strtr($this->secret, '-_', '+/')) : $this->secret;
 
-        return $jwt;
+        return JWT::encode($payload, $secret);
     }
 }
diff --git a/src/Auth0.php b/src/Auth0.php
@@ -16,6 +16,7 @@
 use Auth0\SDK\API\Helpers\State\StateHandler;
 use Auth0\SDK\API\Helpers\State\SessionStateHandler;
 use Auth0\SDK\API\Helpers\State\DummyStateHandler;
+use Firebase\JWT\JWT;
 
 /**
  * Class Auth0
@@ -71,6 +72,14 @@ class Auth0
      */
     protected $clientSecret;
 
+    /**
+     * True if the client secret is base64 encoded, false if not.
+     * This information can be found in your Auth0 Application settings below the Client Secret field.
+     *
+     * @var boolean
+     */
+    protected $clientSecretEncoded;
+
     /**
      * Response mode
      *
@@ -173,6 +182,28 @@ class Auth0
      */
     protected $guzzleOptions;
 
+    /**
+     * Algorithm used for ID token validation.
+     * Can be "HS256" or "RS256" only.
+     *
+     * @var string
+     */
+    protected $idTokenAlg = null;
+
+    /**
+     * Valid audiences for ID tokens.
+     *
+     * @var array
+     */
+    protected $idTokenAud = [];
+
+    /**
+     * Valid issuer(s) for ID tokens.
+     *
+     * @var array
+     */
+    protected $idTokenIss = [];
+
     /**
      * State Handler.
      *
@@ -225,10 +256,11 @@ public function __construct(array $config)
             throw new CoreException('Invalid redirect_uri');
         }
 
-        $this->domain       = $config['domain'];
-        $this->clientId     = $config['client_id'];
-        $this->clientSecret = $config['client_secret'];
-        $this->redirectUri  = $config['redirect_uri'];
+        $this->domain              = $config['domain'];
+        $this->clientId            = $config['client_id'];
+        $this->clientSecret        = $config['client_secret'];
+        $this->clientSecretEncoded = ! empty( $config['secret_base64_encoded'] );
+        $this->redirectUri         = $config['redirect_uri'];
 
         if (isset($config['audience'])) {
             $this->audience = $config['audience'];
@@ -250,6 +282,33 @@ public function __construct(array $config)
             $this->guzzleOptions = $config['guzzle_options'];
         }
 
+        // If a token algorithm is passed, make sure it's a specific string.
+        if (! empty($config['id_token_alg'])) {
+            if (! in_array( $config['id_token_alg'], ['HS256', 'RS256'] )) {
+                throw new CoreException('Invalid id_token_alg; must be "HS256" or "RS256"');
+            }
+
+            $this->idTokenAlg = $config['id_token_alg'];
+        }
+
+        // If a token audience is passed, make sure it's an array.
+        if (! empty($config['id_token_aud'])) {
+            if (! is_array( $config['id_token_aud'] )) {
+                throw new CoreException('Invalid id_token_aud; must be an array of string values');
+            }
+
+            $this->idTokenAud = $config['id_token_aud'];
+        }
+
+        // If a token issuer is passed, make sure it's an array.
+        if (! empty($config['id_token_iss'])) {
+            if (! is_array( $config['id_token_iss'] )) {
+                throw new CoreException('Invalid id_token_iss; must be an array of string values');
+            }
+
+            $this->idTokenIss = $config['id_token_iss'];
+        }
+
         $this->debugMode = isset($config['debug']) ? $config['debug'] : false;
 
         // User info is persisted by default.
@@ -552,14 +611,27 @@ public function setAccessToken($accessToken)
     }
 
     /**
-     * Sets and persists the ID token.
+     * Sets, validates, and persists the ID token.
      *
      * @param string $idToken - ID token returned from the code exchange.
      *
      * @return \Auth0\SDK\Auth0
+     *
+     * @throws CoreException
+     * @throws Exception\InvalidTokenException
      */
     public function setIdToken($idToken)
     {
+        $jwtVerifier = new JWTVerifier([
+            'valid_audiences' => ! empty($this->idTokenAud) ? $this->idTokenAud : [ $this->clientId ],
+            'supported_algs' => $this->idTokenAlg ? [ $this->idTokenAlg ] : [ 'HS256', 'RS256' ],
+            'authorized_iss' => $this->idTokenIss ? $this->idTokenIss : [ 'https://'.$this->domain.'/' ],
+            'client_secret' => $this->clientSecret,
+            'secret_base64_encoded' => $this->clientSecretEncoded,
+            'guzzle_options' => $this->guzzleOptions,
+        ]);
+        $jwtVerifier->verifyAndDecode( $idToken );
+
         if (in_array('id_token', $this->persistantMap)) {
             $this->store->set('id_token', $idToken);
         }