Criação do CertKeyService.php.

Criação de recurso para leitura da chave no cache (por interface).
Criação de recurso para gravação de chave no cache (por interface).
Criação de ConfigurationDiscoveryService.php para descobrir a configuração do OpenID Connect.

Author: fernando-scolari-bvc

composer.json

@@ -4,7 +4,9 @@
     "type": "library",
     "require": {
         "zendframework/zend-mvc": "^3.1",
-        "lcobucci/jwt": "^3.3"
+        "lcobucci/jwt": "^3.3",
+      "ext-curl": "*",
+      "ext-json": "*"
     },
     "require-dev": {
         "zendframework/zend-test": "^3.2",

src/Auth/Authorizator.php

@@ -2,13 +2,22 @@
 
 namespace Zend\Mvc\OIDC\Auth;
 
+use Exception;
 use Zend\Http\Request;
 use Zend\Mvc\OIDC\Common\Configuration;
+use Zend\Mvc\OIDC\Common\Enum\ValidationTokenResultEnum;
+use Zend\Mvc\OIDC\Common\Exceptions\AudienceConfigurationException;
 use Zend\Mvc\OIDC\Common\Exceptions\BasicAuthorizationException;
+use Zend\Mvc\OIDC\Common\Exceptions\CertificateKeyException;
+use Zend\Mvc\OIDC\Common\Exceptions\InvalidAuthorizationTokenException;
+use Zend\Mvc\OIDC\Common\Exceptions\JwkRecoveryException;
+use Zend\Mvc\OIDC\Common\Exceptions\OidcConfigurationDiscoveryException;
 use Zend\Mvc\OIDC\Common\Exceptions\RealmConfigurationException;
 use Zend\Mvc\OIDC\Common\Exceptions\ServiceUrlConfigurationException;
 use Zend\Mvc\OIDC\Common\Model\Token;
 use Zend\Mvc\OIDC\Common\Parse\ConfigurationParser;
+use Zend\Mvc\OIDC\OpenIDConnect\CertKeyService;
+use Zend\Mvc\OIDC\OpenIDConnect\ConfigurationDiscoveryService;
 use Zend\ServiceManager\ServiceLocatorInterface;
 use Zend\ServiceManager\ServiceManager;
 
@@ -45,6 +54,16 @@ class Authorizator
      */
     private $routesConfig;
 
+    /**
+     * @var ConfigurationDiscoveryService
+     */
+    private $configurationDiscoveryService;
+
+    /**
+     * @var CertKeyService
+     */
+    private $certKeyService;
+
     /**
      * Authorizator constructor.
      *
@@ -53,6 +72,7 @@ class Authorizator
      *
      * @throws RealmConfigurationException
      * @throws ServiceUrlConfigurationException
+     * @throws AudienceConfigurationException
      */
     public function __construct(array $moduleConfig, ServiceLocatorInterface $serviceManager)
     {
@@ -62,6 +82,10 @@ public function __construct(array $moduleConfig, ServiceLocatorInterface $servic
 
         $this->serviceManager = $serviceManager;
 
+        $this->configurationDiscoveryService = new ConfigurationDiscoveryService();
+
+        $this->certKeyService = new CertKeyService();
+
         $this->configurationParser = new ConfigurationParser();
         $this->configuration = $this->configurationParser->parse($moduleConfig);
     }
@@ -71,21 +95,49 @@ public function __construct(array $moduleConfig, ServiceLocatorInterface $servic
      *
      * @return bool
      * @throws BasicAuthorizationException
+     * @throws CertificateKeyException
+     * @throws InvalidAuthorizationTokenException
+     * @throws JwkRecoveryException
+     * @throws OidcConfigurationDiscoveryException
+     * @throws Exception
      */
     public function authorize(Request $request): bool
     {
         $this->token = new Token($this->getAuthorizationToken($request));
 
         $authorizeConfig = $this->getAuthorizeConfiguration($request);
 
+        $certKey = $this->certKeyService->resolveCertificate($this->configuration, $this->serviceManager);
+
+        if (!is_null($certKey)) {
+            $this->configuration->setPublicKey($certKey);
+            $result = $this->token->validate($this->configuration);
+
+            if ($result == ValidationTokenResultEnum::INVALID) {
+                throw new InvalidAuthorizationTokenException('Invalid authorization token.');
+            } else if ($result == ValidationTokenResultEnum::EXPIRED) {
+                throw new InvalidAuthorizationTokenException('Expired authorization token.');
+            }
+        } else {
+            throw new CertificateKeyException('Failed to retrieve the token certificate key.');
+        }
+
         return $this->isAuthorized($authorizeConfig);
     }
 
+    /**
+     * @return array
+     */
     public function getTokenClaims(): array
     {
         return $this->token->getClaims();
     }
 
+    /**
+     * @param array $authorizeConfig
+     *
+     * @return bool
+     */
     private function isAuthorized(array $authorizeConfig): bool
     {
         $result = false;
@@ -101,6 +153,11 @@ private function isAuthorized(array $authorizeConfig): bool
         return $result;
     }
 
+    /**
+     * @param Request $request
+     *
+     * @return array
+     */
     private function getAuthorizeConfiguration(Request $request): array
     {
         $url = $request->getUriString();

src/Common/Enum/ConfigurationEnum.php

@@ -14,4 +14,5 @@ interface ConfigurationEnum
     const REALM_ID = 'realmId';
     const CLIENT_ID = 'client_id';
     const PUBLIC_KEY = 'public_key';
+    const AUDIENCE = 'audience';
 }

src/Common/Enum/ServiceEnum.php

@@ -0,0 +1,9 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Enum;
+
+interface ServiceEnum
+{
+    const CERT_KEY_CACHE_READER = 'Zend\Mvc\OIDC\Custom\CertKeyCacheReaderInterface';
+    const CERT_KEY_CACHE_WRITER = 'Zend\Mvc\OIDC\Custom\CertKeyCacheWriterInterface';
+}

src/Common/Exceptions/AudienceConfigurationException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Exceptions;
+
+/**
+ * Class AudienceConfigurationException
+ *
+ * @package Zend\Mvc\OIDC\Common\Exceptions
+ */
+class AudienceConfigurationException extends \Exception
+{
+
+}

src/Common/Exceptions/CertificateKeyException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Exceptions;
+
+/**
+ * Class CertificateKeyException
+ *
+ * @package Zend\Mvc\OIDC\Common\Exceptions
+ */
+class CertificateKeyException extends \Exception
+{
+
+}

src/Common/Exceptions/InvalidAuthorizationTokenException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Exceptions;
+
+/**
+ * Class InvalidAuthorizationTokenException
+ *
+ * @package Zend\Mvc\OIDC\Common\Exceptions
+ */
+class InvalidAuthorizationTokenException extends \Exception
+{
+
+}

src/Common/Exceptions/JwkRecoveryException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Exceptions;
+
+/**
+ * Class JwkRecoveryException
+ *
+ * @package Zend\Mvc\OIDC\Common\Exceptions
+ */
+class JwkRecoveryException extends \Exception
+{
+
+}

src/Common/Exceptions/OidcConfigurationDiscoveryException.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Exceptions;
+
+/**
+ * Class OidcConfigurationDiscoveryException
+ *
+ * @package Zend\Mvc\OIDC\Common\Exceptions
+ */
+class OidcConfigurationDiscoveryException extends \Exception
+{
+
+}

src/Common/Infra/HttpClient.php

@@ -0,0 +1,45 @@
+<?php
+
+namespace Zend\Mvc\OIDC\Common\Infra;
+
+/**
+ * Class HttpClient
+ *
+ * @package Zend\Mvc\OIDC\Common\Infra
+ */
+class HttpClient
+{
+
+    public function sendRequest(
+        string $baseUrl,
+        string $method = 'GET',
+        string $path = '/',
+        array $headers = array(),
+        string $data = ''
+    ) {
+        $method = strtoupper($method);
+        $url = $baseUrl . $path;
+
+        // Initiate HTTP request
+        $request = curl_init();
+
+        curl_setopt($request, CURLOPT_URL, $url);
+        curl_setopt($request, CURLOPT_RETURNTRANSFER, true);
+
+        if ($method === 'POST') {
+            curl_setopt($request, CURLOPT_POST, true);
+            curl_setopt($request, CURLOPT_POSTFIELDS, $data);
+            array_push($headers, 'Content-Length: ' . strlen($data));
+        }
+
+        curl_setopt($request, CURLOPT_HTTPHEADER, $headers);
+        $response = curl_exec($request);
+        $response_code = curl_getinfo($request, CURLINFO_HTTP_CODE);
+        curl_close($request);
+
+        return array(
+            'code' => $response_code,
+            'body' => $response
+        );
+    }
+}