last part: detect if a JWT is in a JWE on login

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Controller/LoginController.php

@@ -467,13 +467,15 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
 			$this->logger->warning('JWT HEADER', ['jwt_header' => $jwtHeader]);
 			if (isset($jwtHeader['typ']) && $jwtHeader['typ'] === 'JWT') {
-				// we have a JWT
+				// we have a JWT, do nothing
 			} elseif (isset($jwtHeader['cty']) && $jwtHeader['cty'] === 'JWT') {
-				// we have a JWE
+				// we have a JWE that contains the JWT string (the ID token)
+				$idTokenRaw = $this->jweService->decryptSerializedJwe($idTokenRaw);
+				$this->logger->warning('raw decrypted JWE', ['decrypted_jwe' => $idTokenRaw]);
+				$this->logger->warning('decrypted+decoded JWE', ['decrypted_jwe' => json_decode($idTokenRaw, true)]);
+			} else {
+				$this->logger->warning('Unsupported id_token when using "private key JWT"', ['id_token' => $idTokenRaw]);
 			}
-
-			// $dec = $this->jweService->decryptSerializedJwe($idTokenRaw);
-			// $this->logger->warning('decrypted JWE', ['decrypted_jwe' => json_decode($dec, true)]);
 		}
 		$jwks = $this->discoveryService->obtainJWK($provider, $idTokenRaw);
 		JWT::$leeway = 60;

lib/Service/JweService.php

@@ -35,14 +35,14 @@ public function __construct(
 	}
 
 	/**
-	 * @param array $payloadArray the content of the JWE
+	 * @param string $payload the content of the JWE
 	 * @param array $encryptionJwk the public key in JWK format
 	 * @param string $keyEncryptionAlg the algorithm to use for the key encryption
 	 * @param string $contentEncryptionAlg the algorithm to use for the content encryption
 	 * @return string
 	 */
 	public function createSerializedJweWithKey(
-		array $payloadArray, array $encryptionJwk,
+		string $payload, array $encryptionJwk,
 		string $keyEncryptionAlg = JwkService::PEM_ENC_KEY_ALGORITHM,
 		string $contentEncryptionAlg = self::CONTENT_ENCRYPTION_ALGORITHM,
 	): string {
@@ -66,11 +66,8 @@ public function createSerializedJweWithKey(
 		// Our key.
 		$jwk = new JWK($encryptionJwk);
 
-		// The payload we want to encrypt. It MUST be a string.
-		$payload = json_encode($payloadArray);
-
 		$jwe = $jweBuilder
-			->create()              // We want to create a new JWE
+			->create()            // We want to create a new JWE
 			->withPayload($payload) // We set the payload
 			->withSharedProtectedHeader([
 				// Key Encryption Algorithm
@@ -80,12 +77,14 @@ public function createSerializedJweWithKey(
 				// 'enc' => 'A256CBC-HS512',
 				'enc' => $contentEncryptionAlg,
 				//'zip' => 'DEF'            // Not recommended.
+				'cty' => 'JWT',
 			])
 			->addRecipient($jwk)    // We add a recipient (a shared key or public key).
 			->build();
 
-		$serializer = new CompactSerializer(); // The serializer
-		return $serializer->serialize($jwe, 0); // We serialize the recipient at index 0 (we only have one recipient).
+		$serializer = new CompactSerializer();
+		// We serialize the recipient at index 0 (we only have one recipient).
+		return $serializer->serialize($jwe, 0);
 	}
 
 	/**
@@ -171,13 +170,13 @@ public function decryptSerializedJwe(string $serializedJwe): string {
 		return $this->decryptSerializedJweWithKey($serializedJwe, $encPrivJwk);
 	}
 
-	public function createSerializedJwe(array $payloadArray): string {
+	public function createSerializedJwe(string $payload): string {
 		$myPemEncryptionKey = $this->jwkService->getMyEncryptionKey(true);
 		$sslEncryptionKey = openssl_pkey_get_private($myPemEncryptionKey);
 		$sslEncryptionKeyDetails = openssl_pkey_get_details($sslEncryptionKey);
 		$encPublicJwk = $this->jwkService->getJwkFromSslKey($sslEncryptionKeyDetails, isEncryptionKey: true);
 
-		return $this->createSerializedJweWithKey($payloadArray, $encPublicJwk);
+		return $this->createSerializedJweWithKey($payload, $encPublicJwk);
 	}
 
 	public function debug(): array {
@@ -203,7 +202,7 @@ public function debug(): array {
 		$serializedJweToken = $this->createSerializedJwe($payloadArray, $exampleJwkArray);
 		$decryptedJweString = $this->decryptSerializedJwe($serializedJweToken, $exampleJwkArray);
 		*/
-		$serializedJweToken = $this->createSerializedJweWithKey($payloadArray, $encPublicJwk);
+		$serializedJweToken = $this->createSerializedJweWithKey(json_encode($payloadArray), $encPublicJwk);
 		$jwtParts = explode('.', $serializedJweToken, 3);
 		$jwtHeader = json_decode(base64_decode($jwtParts[0]), true);
 		$decryptedJweString = $this->decryptSerializedJweWithKey($serializedJweToken, $encPrivJwk);

tests/unit/Service/JweServiceTest.php

@@ -44,8 +44,9 @@ public function testJweEncryptionDecryption() {
 			'iss' => 'My service',
 			'aud' => 'Your application',
 		];
+		$inputPayload = json_encode($inputPayloadArray);
 
-		$serializedJweToken = $this->jweService->createSerializedJweWithKey($inputPayloadArray, $encPublicJwk);
+		$serializedJweToken = $this->jweService->createSerializedJweWithKey($inputPayload, $encPublicJwk);
 		$decryptedJweString = $this->jweService->decryptSerializedJweWithKey($serializedJweToken, $encPrivJwk);
 
 		$outputPayloadArray = json_decode($decryptedJweString, true);