thephpleague · marcriemer · Nov 24, 2022 · Nov 25, 2022 · Nov 25, 2022 · Nov 25, 2022
diff --git a/examples/src/Repositories/IdTokenRepository.php b/examples/src/Repositories/IdTokenRepository.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Repositories;
+
+use DateTimeImmutable;
+use Lcobucci\JWT\Encoding\ChainedFormatter;
+use Lcobucci\JWT\Encoding\JoseEncoder;
+use Lcobucci\JWT\Token\Builder;
+use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
+
+/**
+ * Exmaple implemnation of IdTokenRepositoryInterface
+ *
+ * @author Marc Riemer <[email protected]>
+ * @license http://opensource.org/licenses/MIT MIT
+ */
+class IdTokenRepository implements IdTokenRepositoryInterface
+{
+    public function __construct(private string $issuedBy, private ?string $nonce = null)
+    {
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getBuilder(AccessTokenEntityInterface $accessToken): Builder
+    {
+        $builder = (new Builder(new JoseEncoder(), ChainedFormatter::withUnixTimestampDates()))
+            ->permittedFor($accessToken->getClient()->getIdentifier())
+            ->issuedBy($this->issuedBy)
+            ->issuedAt(new DateTimeImmutable())
+            ->expiresAt($accessToken->getExpiryDateTime())
+            ->relatedTo($accessToken->getUserIdentifier());
+
+        if ($this->nonce) {
+            $builder->withClaim('nonce', $this->nonce);
+        }
+
+        return $builder;
+    }
+}
diff --git a/src/ClaimExtractor.php b/src/ClaimExtractor.php
@@ -0,0 +1,178 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server;
+
+use InvalidArgumentException;
+use League\OAuth2\Server\Entities\ClaimSetEntry;
+use League\OAuth2\Server\Entities\ClaimSetEntryInterface;
+use League\OAuth2\Server\Entities\ClaimSetInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+
+use function array_filter;
+use function array_intersect;
+use function array_keys;
+use function array_merge;
+use function in_array;
+use function sprintf;
+
+/**
+ * ClaimExtractor
+ *
+ * @link https://github.com/steverhoades/oauth2-openid-connect-server
+ *
+ * @author Steve Rhoades <[email protected]>
+ * @author Marc Riemer <[email protected]>
+ */
+class ClaimExtractor implements ClaimExtractorInterface
+{
+    /**
+     * claimSetEntries
+     *
+     * @var ClaimSetEntryInterface[]
+     */
+    protected array $claimSetEntries = [];
+
+    /**
+     * Protected claims
+     *
+     * @var string[]
+     */
+    protected array $protectedClaims = ['profile', 'email', 'address', 'phone'];
+
+    /**
+     * ClaimExtractor constructor
+     *
+     * @param array<int, ClaimSetEntryInterface> $claimSetEntries
+     */
+    public function __construct(array $claimSetEntries = [])
+    {
+        $this->claimSetEntries = self::getDefaultClaimSetEnties();
+        foreach ($claimSetEntries as $claimSetEntry) {
+            $this->addClaimSetEntry($claimSetEntry);
+        }
+    }
+
+    /**
+     * @return $this
+     *
+     * @throws \InvalidArgumentException
+     */
+    public function addClaimSetEntry(ClaimSetEntryInterface $claimSetEntry): ClaimExtractor
+    {
+        if (in_array($claimSetEntry->getScope(), $this->protectedClaims) && !$this->getClaimSetEntry($claimSetEntry->getScope())) {
+            throw new InvalidArgumentException(
+                sprintf('%s is a protected scope and is pre-defined by the OpenID Connect specification.', $claimSetEntry->getScope())
+            );
+        }
+
+        $this->claimSetEntries[] = $claimSetEntry;
+
+        return $this;
+    }
+
+    public function getClaimSetEntry(string $scope): ?ClaimSetEntryInterface
+    {
+        foreach ($this->claimSetEntries as $entry) {
+            if ($entry->getScope() === $scope) {
+                return $entry;
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Get claimSetEntries
+     *
+     * @return array<ClaimSetInterface>
+     */
+    public function getClaimSetEntries(): array
+    {
+        return $this->claimSetEntries;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function extract(array $scopes, array $claims): array
+    {
+        $claimData  = [];
+        $keys = array_keys($claims);
+
+        foreach ($scopes as $scope) {
+            $scopeName = ($scope instanceof ScopeEntityInterface) ? $scope->getIdentifier() : $scope;
+
+            $claimSet = $this->getClaimSetEntry($scopeName);
+            if (null === $claimSet) {
+                continue;
+            }
+
+            $intersected = array_intersect($claimSet->getClaims(), $keys);
+
+            if (empty($intersected)) {
+                continue;
+            }
+
+            $data = array_filter(
+                $claims,
+                function ($key) use ($intersected) {
+                    return in_array($key, $intersected);
+                },
+                ARRAY_FILTER_USE_KEY
+            );
+
+            $claimData = array_merge($claimData, $data);
+        }
+
+        return $claimData;
+    }
+
+    /**
+     * Create a array default openID connect claims
+     *
+     * @see http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
+     *
+     * @return ClaimSetEntry[]
+     */
+    public static function getDefaultClaimSetEnties(): array
+    {
+        return [
+            new ClaimSetEntry('profile', [
+                'name',
+                'family_name',
+                'given_name',
+                'middle_name',
+                'nickname',
+                'preferred_username',
+                'profile',
+                'picture',
+                'website',
+                'gender',
+                'birthdate',
+                'zoneinfo',
+                'locale',
+                'updated_at',
+            ]),
+            new ClaimSetEntry('email', [
+                'email',
+                'email_verified',
+            ]),
+            new ClaimSetEntry('address', [
+                'address',
+            ]),
+            new ClaimSetEntry('phone', [
+                'phone_number',
+                'phone_number_verified',
+            ]),
+            new ClaimSetEntry('openid', [
+                'nonce',
+                'auth_time',
+                'acr',
+                'amr',
+                'azp',
+            ]),
+        ];
+    }
+}
diff --git a/src/ClaimExtractorInterface.php b/src/ClaimExtractorInterface.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
+
+interface ClaimExtractorInterface
+{
+    /**
+     * For given scopes and aggregated claims get all claims that have been configured on the extractor.
+     *
+     * @param array<int, ScopeEntityInterface> $scopes
+     * @param array<string, string>            $claims
+     *
+     * @return array<string, string>
+     */
+    public function extract(array $scopes, array $claims): array;
+}
diff --git a/src/Entities/ClaimSetEntry.php b/src/Entities/ClaimSetEntry.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Entities;
+
+/**
+ * ClaimSetEntry
+ *
+ * @author Steve Rhoades <[email protected]>
+ * @author Marc Riemer <[email protected]>
+ * @license http://opensource.org/licenses/MIT MIT
+ */
+class ClaimSetEntry implements ClaimSetEntryInterface
+{
+    /**
+     * Summary of __construct
+     *
+     * @param string   $scope  Scope of the claimset
+     * @param string[] $claims The claims
+     */
+    public function __construct(
+        protected string $scope,
+        protected array $claims
+    ) {
+    }
+
+    /**
+     * Get scope
+     */
+    public function getScope(): string
+    {
+        return $this->scope;
+    }
+
+    /**
+     * Get claims
+     *
+     * @return array<string, string>
+     */
+    public function getClaims(): array
+    {
+        return $this->claims;
+    }
+}
diff --git a/src/Entities/ClaimSetEntryInterface.php b/src/Entities/ClaimSetEntryInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Entities;
+
+/**
+ * ClaimSetEntryInterface
+ *
+ * @author Steve Rhoades <[email protected]>
+ * @author Marc Riemer <[email protected]>
+ * @license http://opensource.org/licenses/MIT MIT
+ */
+interface ClaimSetEntryInterface extends ClaimSetInterface
+{
+    public function getScope(): string;
+}
diff --git a/src/Entities/ClaimSetInterface.php b/src/Entities/ClaimSetInterface.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server\Entities;
+
+/**
+ * ClaimSetEntryInterface
+ *
+ * @author Steve Rhoades <[email protected]>
+ * @author Marc Riemer <[email protected]>
+ * @license http://opensource.org/licenses/MIT MIT
+ */
+interface ClaimSetInterface
+{
+    /**
+     * Get Claims
+     *
+     * @return array<string, string>
+     */
+    public function getClaims(): array;
+}
diff --git a/src/IdTokenClaimsCreatedEvent.php b/src/IdTokenClaimsCreatedEvent.php
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server;
+
+use Lcobucci\JWT\Builder;
+
+/**
+ * IdTokenClaimsCreatedEvent Event helps to extend claims of the id_token
+ *
+ * A usecase is to add nonce If requested by the client
+ *
+ * @author Marc Riemer <[email protected]>
+ */
+final class IdTokenClaimsCreatedEvent extends IdTokenEvent
+{
+    /**
+     * Builder
+     */
+    private Builder $builder;
+
+    public function __construct(string $name, Builder $builder)
+    {
+        parent::__construct($name);
+        $this->builder = $builder;
+    }
+
+    public function getBuilder(): Builder
+    {
+        return $this->builder;
+    }
+}
diff --git a/src/IdTokenEvent.php b/src/IdTokenEvent.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace League\OAuth2\Server;
+
+use League\OAuth2\Server\EventEmitting\AbstractEvent;
+
+/**
+ * IdTokenEvent
+ *
+ * @author Marc Riemer <[email protected]>
+ */
+class IdTokenEvent extends AbstractEvent
+{
+    public const ID_TOKEN_ISSUED = 'id_token.issued';
+
+    // This event can be used to extent claims of the id_token
+    public const ID_TOKEN_CLAIMS_CREATED = 'id_token.claims.created';
+}