jumbojett / OpenID-Connect-PHP

Minimalist OpenID Connect client
https://github.com/jumbojett/OpenID-Connect-PHP
Apache License 2.0

Unable to verify JWT claims #257

Open IkhlasAlaydi opened 3 years ago

IkhlasAlaydi commented 3 years ago

hello everyone,

I faced the same issue now. I tried the suggested solutions and they didn't work. I tried the same on a different application on a different server and it worked properly. I compared the claims and token format and they are the same. Any ideas?

I am working with CodeIgniter; I have just added the lines below to the controller:

public function index() {
    if (isset($_SESSION['user']['sub'])) {
        if (!$this->helper_lib->is_login()) {
            redirect('Welcome/login');
        }
    } else {
        $wfp_oidc = new WfpOpenIdConnect();
        $wfp_oidc->login();
    }
}

When I log in with wrong credentials it gives me the option to re-enter the credentials again, but when I log in with the right ones the error is shown:

An uncaught Exception was encountered

Type: Jumbojett\OpenIDConnectClientException

Message: Unable to verify JWT claims

Filename: C:\xampp\htdocs\monitoring\application\libraries\jumbojett\openid-connect-php\src\OpenIDConnectClient.php

Line Number: 372

Backtrace:

File: C:\xampp\htdocs\monitoring\application\libraries\WfpOpenIdConnect.php
Line: 44
Function: authenticate

File: C:\xampp\htdocs\monitoring\application\controllers\Welcome.php
Line: 30
Function: login

File: C:\xampp\htdocs\monitoring\index.php
Line: 317
Function: require_once

huchim commented 3 years ago

Hi @IkhlasAlaydi

You must check that the clientId is provided using setClientID('ClientIDHere') or in the constructor OpenIDConnectClient('https://...', 'ClientIDHere'). Each token has an aud claim in its header, and it must match your clientId.

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('https://id.provider.com',
                                'ClientIDHere',
                                'ClientSecretHere');

Other possible causes can be an expired token.

erkiha commented 2 years ago

I had the issue with JWT claims verifying. In function verifyJWTclaims:

$expected_at_hash = $this->urlEncode(substr(hash('sha'.$bit, $accessToken, true), 0, $len));

and in $this->urlEncode:

protected function urlEncode($str) {
    $enc = base64_encode($str);
    $enc = rtrim($enc, '=');
    // $enc = strtr($enc, '+/', '-_');
    return $enc;
}

Here the chars + and / are translated to - and _ for some reason. At least in my case commenting this out fixed the problem. My provider sends those chars in their hash and it is wrong to change them here.
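The two failure modes raised in this thread, an aud that does not contain the client ID and an at_hash that does not match the access token, come down to the claim checks below, computed the way OpenID Connect Core 3.1.3.6 and 3.1.3.7 describe them. This is an added example in plain PHP, not the library's own code; the issuer, client ID, access token and claim values are constructed for illustration.

```php
<?php
// Added example: the claim checks behind an "Unable to verify JWT claims" error.
// Not the library's code; all values below are constructed for illustration.

// Base64url (RFC 4648 §5) without padding, which OpenID Connect Core 3.1.3.6
// prescribes for at_hash: '+' -> '-', '/' -> '_', trailing '=' removed.
function base64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// at_hash = base64url(left-most half of HASH(access_token)), where HASH is the
// hash of the ID token's "alg" (RS256 -> SHA-256, RS384 -> SHA-384, ...).
function expected_at_hash(string $accessToken, string $alg): string {
    $bits = (int) substr($alg, -3);              // 256 / 384 / 512
    $digest = hash('sha' . $bits, $accessToken, true);
    return base64url_encode(substr($digest, 0, $bits / 16)); // half the digest bytes
}

// Returns the names of the failed checks; an empty array means the claims verify.
function verify_claims(array $claims, string $issuer, string $clientId, string $alg,
                       ?string $accessToken, ?string $nonce, int $now, int $leeway = 60): array {
    $errors = [];
    if (($claims['iss'] ?? null) !== $issuer) $errors[] = 'iss';
    // "aud" may be a string or an array of strings; the client_id must be among them.
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($clientId, $aud, true)) $errors[] = 'aud';
    // With several audiences the authorized party (azp) must name this client.
    if (count($aud) > 1 && ($claims['azp'] ?? null) !== $clientId) $errors[] = 'azp';
    if (!isset($claims['exp']) || $claims['exp'] < $now - $leeway) $errors[] = 'exp';
    if (isset($claims['nbf']) && $claims['nbf'] > $now + $leeway) $errors[] = 'nbf';
    if ($nonce !== null && ($claims['nonce'] ?? null) !== $nonce) $errors[] = 'nonce';
    if ($accessToken !== null && isset($claims['at_hash'])
        && !hash_equals(expected_at_hash($accessToken, $alg), (string) $claims['at_hash'])) {
        $errors[] = 'at_hash';               // constant-time comparison of the two strings
    }
    return $errors;
}

// Constructed sample: what an IdP at https://id.provider.com might issue for "ClientIDHere".
$accessToken = 'constructed-opaque-access-token';
$claims = [
    'iss' => 'https://id.provider.com', 'aud' => 'ClientIDHere', 'nonce' => 'n-0S6_WzA2Mj',
    'iat' => 1700000000, 'exp' => 1700000600,
    'at_hash' => expected_at_hash($accessToken, 'RS256'),
];
$iss = 'https://id.provider.com';
print_r(verify_claims($claims, $iss, 'ClientIDHere', 'RS256', $accessToken, 'n-0S6_WzA2Mj', 1700000100));
print_r(verify_claims($claims, $iss, 'OtherClient', 'RS256', 'another-token', 'n-0S6_WzA2Mj', 1700000100));
```

The first call reports no errors; the second, with a client ID that is not in aud and an access token that does not match at_hash, reports both, which is the pair of misconfigurations the two comments above describe.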