Refactored

Author: mariusjp

README.md

@@ -17,6 +17,8 @@ A few things are necessary to make this library work:
 When this package is done verifying the token is legit an Event will be fired to be consumed by the target application.
 This event should e.g. perform `Auth::login($user)` to fully let Laravel know this package has handled the authorization.
 
+WIP Events - Also explain logout
+
 You can set up an IDP with [`laravel/passport`][2] or set up your own with e.g. a Symfony application in combination with 
 [`steverhoades/oauth2-openid-connect-server`][3]
 

composer.json

@@ -2,7 +2,7 @@
     "name": "coddin-web/oidc-client-laravel-wrapper",
     "description": "A Laravel wrapper of jumbojett's OpenID Connect Client",
     "type": "library",
-    "version": "1.2.0",
+    "version": "1.3.0",
     "minimum-stability": "stable",
     "prefer-stable": true,
     "require": {

config/oidc.php

@@ -14,6 +14,9 @@
             'profile',
             'email',
         ],
+        'logout' => [
+            'redirect_after' => '/',
+        ],
     ],
     'private_key' => [
         'base64' => env('OIDC_BASE64_PRIVATE_KEY'),

phpstan-bootstrap.php

@@ -1,3 +1,4 @@
 <?php
 
+echo 'Bootstrap initiated, bypassing finals...';
 \DG\BypassFinals::enable();

src/Builder/OpenIDConnectClientBuilder.php

@@ -18,11 +18,16 @@ public function __construct(
     /**
      * @throws ConfigRepositoryException
      */
-    public function execute(): OpenIDConnectClient
+    public function execute(bool $public = false): OpenIDConnectClient|OpenIDConnectClientProviderConfigurationPublic
     {
         $appUrl = $this->configRepository->getAsString('app.url');
 
-        $openIDClient = new \Jumbojett\OpenIDConnectClient(
+        $clientClass = match ($public) {
+            true => OpenIDConnectClientProviderConfigurationPublic::class,
+            false => \Jumbojett\OpenIDConnectClient::class,
+        };
+
+        $openIDClient = new $clientClass(
             provider_url: $this->configRepository->getAsString('oidc.provider.endpoint'),
             client_id: $this->configRepository->getAsString('oidc.client.id'),
             client_secret: $this->determineClientSecret(),

src/Builder/OpenIDConnectClientProviderConfigurationPublic.php

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Coddin\OpenIDConnectClient\Builder;
+
+use Jumbojett\OpenIDConnectClient;
+use Jumbojett\OpenIDConnectClientException;
+
+/**
+ * @codeCoverageIgnore
+ */
+final class OpenIDConnectClientProviderConfigurationPublic extends OpenIDConnectClient
+{
+    /**
+     * @throws OpenIDConnectClientException
+     */
+    public function getProviderConfigValuePublic(string $param, ?string $default = null): ?string
+    {
+        return $this->getProviderConfigValue(param: $param, default: $default);
+    }
+}

src/Helper/DateTimeDiffCalculator.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Coddin\OpenIDConnectClient\Helper;
+
+final class DateTimeDiffCalculator
+{
+    public static function differenceInSeconds(
+        \DateTimeInterface $start,
+        \DateTimeInterface $end,
+    ): int {
+        $diff = $end->diff($start);
+
+        $daysInSecs = ((int) $diff->format('%r%a') * 24 * 60 * 60);
+        $hoursInSecs = ($diff->h * 60 * 60);
+        $minsInSecs = ($diff->i * 60);
+
+        return ($daysInSecs + $hoursInSecs + $minsInSecs + $diff->s);
+    }
+}

src/Http/Middleware/OpenIDConnectAuthenticated.php

@@ -9,9 +9,12 @@
 use Coddin\OpenIDConnectClient\Event\UserAuthorizedEvent;
 use Coddin\OpenIDConnectClient\Helper\ConfigRepository;
 use Coddin\OpenIDConnectClient\Helper\ConfigRepositoryException;
+use Coddin\OpenIDConnectClient\Helper\DateTimeDiffCalculator;
+use Coddin\OpenIDConnectClient\Service\Token\Storage\Exception\MissingTokenException;
 use Coddin\OpenIDConnectClient\Service\Token\Storage\TokenStorageAdaptor;
 use Illuminate\Http\Request;
 use Illuminate\Routing\ResponseFactory;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
 use Jumbojett\OpenIDConnectClientException;
 use Lcobucci\JWT\Token\Plain;
@@ -30,30 +33,42 @@ public function __construct(
     }
 
     /**
-     * @throws HttpException
+     * @throws ConfigRepositoryException
+     * @throws MissingTokenException
+     * @throws OpenIDConnectClientException
      */
     public function handle(Request $request, \Closure $next): mixed
     {
-        $token = $this->tokenStorageAdaptor->find();
+        if (\str_contains($request->getPathInfo(), 'logout')) {
+            return $next($request);
+        }
 
-        if ($token !== null) {
-            return $this->handleExistingToken($token, $request, $next);
+        $accessToken = $this->tokenStorageAdaptor->find(TokenStorageAdaptor::ACCESS_TOKEN_STORAGE_KEY);
+
+        if ($accessToken !== null) {
+            return $this->handleExistingToken($accessToken, $request, $next);
         }
 
         try {
             $jwtVerifier = $this->jwtVerifierBuilder->execute();
             $openIDClient = $this->openIDConnectClientBuilder->execute();
+
+            // Dynamically set the redirect URL?
+            $openIDClient->setRedirectURL($this->configRepository->getAsString('app.url') . $request->getPathInfo());
+
             $openIDClient->authenticate();
 
-            /** @var Plain $token */
-            $token = $jwtVerifier->parser()->parse($openIDClient->getIdToken());
+            $accessToken = $jwtVerifier->parser()->parse($openIDClient->getAccessToken());
             $this->tokenStorageAdaptor->put(
-                token: $token,
+                accessToken: $accessToken,
+                refreshToken: $openIDClient->getRefreshToken(),
             );
 
-            $userUuid = $token->claims()->get('sub');
-            $userName = $token->claims()->get('nickname');
-            $userEmail = $token->claims()->get('email');
+            /** @var Plain $idToken */
+            $idToken = $jwtVerifier->parser()->parse($openIDClient->getIdToken());
+            $userUuid = $idToken->claims()->get('sub');
+            $userName = $idToken->claims()->get('nickname');
+            $userEmail = $idToken->claims()->get('email');
 
             UserAuthorizedEvent::dispatch(
                 $userUuid,
@@ -74,48 +89,54 @@ public function handle(Request $request, \Closure $next): mixed
         // Consume the code from the URL and redirect to the intended URL without
         // the query parameter still visible.
         $oauthCode = $request->get('code');
-        if (is_string($oauthCode) && strlen($oauthCode) > 900) {
+        if (is_string($oauthCode) && strlen($oauthCode) > 800) {
             return $this->responseFactory->redirectTo($request->getPathInfo());
         }
 
         return $next($request);
     }
 
+    /**
+     * @throws OpenIDConnectClientException
+     * @throws MissingTokenException
+     * @throws ConfigRepositoryException
+     */
     private function handleExistingToken(
-        \Lcobucci\JWT\Token $token,
+        \Lcobucci\JWT\Token $accessToken,
         Request $request,
         \Closure $next,
     ): mixed {
-        if ($token->isExpired(new \DateTimeImmutable())) {
+        if ($accessToken->isExpired(new \DateTimeImmutable())) {
             $this->tokenStorageAdaptor->forget();
+            Auth::logout();
 
             return $this->responseFactory->redirectTo($request->getPathInfo());
         }
 
-        try {
-            $openIDClient = $this->openIDConnectClientBuilder->execute();
-            $stillActiveResponse = $openIDClient->introspectToken(
-                token: $token->toString(),
-                clientSecret: $this->configRepository->getAsString('oidc.client.secret'),
-            );
-        } catch (ConfigRepositoryException | OpenIDConnectClientException $e) {
-            throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR);
-        }
+        /** @var Plain $accessToken */
+        $claims = $accessToken->claims();
+        /** @var \DateTimeInterface $issuedAt */
+        $issuedAt = $claims->get('iat');
+        /** @var \DateTimeInterface $expiresAt */
+        $expiresAt = $claims->get('exp');
 
-        if (!\is_object($stillActiveResponse)) {
-            $this->tokenStorageAdaptor->forget();
+        $validityInSeconds = DateTimeDiffCalculator::differenceInSeconds($issuedAt, $expiresAt);
+        $secondsLeft = DateTimeDiffCalculator::differenceInSeconds(new \DateTimeImmutable(), $expiresAt);
+        $percentageLeft = (($secondsLeft / $validityInSeconds) * 100);
 
-            return $this->responseFactory->redirectTo($request->getPathInfo());
-        }
-
-        // This is a shortcoming of the library returning an unstructured object.
-        /* @phpstan-ignore-next-line */
-        if ($stillActiveResponse->active === true) {
-            return $next($request);
-        } else {
-            $this->tokenStorageAdaptor->forget();
+        if ($percentageLeft <= 25) {
+            $refreshToken = $this->tokenStorageAdaptor->get(TokenStorageAdaptor::REFRESH_TOKEN_STORAGE_KEY);
+            $openIDClient = $this->openIDConnectClientBuilder->execute();
+            $openIDClient->refreshToken($refreshToken->toString());
 
-            return $this->responseFactory->redirectTo($request->getPathInfo());
+            $jwtVerifier = $this->jwtVerifierBuilder->execute();
+            $newAccessToken = $jwtVerifier->parser()->parse($openIDClient->getAccessToken());
+            $this->tokenStorageAdaptor->put(
+                accessToken: $newAccessToken,
+                refreshToken: $openIDClient->getRefreshToken(),
+            );
         }
+
+        return $next($request);
     }
 }

src/Service/Token/Storage/IlluminateSessionAdaptorToken.php

@@ -15,19 +15,23 @@ public function __construct(
     ) {
     }
 
-    public function find(): ?Token
+    public function find(string $type): ?Token
     {
-        $token = $this->sessionStore->get($this->getStorageKey());
+        if ($type !== $this->getAccessTokenStorageKey() && $type !== $this->getRefreshTokenStorageKey()) {
+            return null;
+        }
+
+        $token = $this->sessionStore->get($this->getAccessTokenStorageKey());
         if (!$token instanceof Token) {
             return null;
         }
 
         return $token;
     }
 
-    public function get(): Token
+    public function get(string $type): Token
     {
-        $token = $this->find();
+        $token = $this->find($type);
 
         if ($token === null) {
             throw MissingTokenException::make();
@@ -36,18 +40,28 @@ public function get(): Token
         return $token;
     }
 
-    public function put(Token $token): void
+    public function put(Token $accessToken, ?string $refreshToken = null): void
     {
-        $this->sessionStore->put($this->getStorageKey(), $token);
+        $this->sessionStore->put($this->getAccessTokenStorageKey(), $accessToken);
+        if ($refreshToken !== null) {
+            $this->sessionStore->put($this->getRefreshTokenStorageKey(), $refreshToken);
+        }
     }
 
     public function forget(): void
     {
-        $this->sessionStore->forget($this->getStorageKey());
+        $this->sessionStore->forget($this->getAccessTokenStorageKey());
+        $this->sessionStore->forget($this->getRefreshTokenStorageKey());
+        $this->sessionStore->save();
+    }
+
+    public function getAccessTokenStorageKey(): string
+    {
+        return self::ACCESS_TOKEN_STORAGE_KEY;
     }
 
-    public function getStorageKey(): string
+    public function getRefreshTokenStorageKey(): string
     {
-        return 'oidc_id_token';
+        return self::REFRESH_TOKEN_STORAGE_KEY;
     }
 }

src/Service/Token/Storage/TokenStorageAdaptor.php

@@ -9,16 +9,21 @@
 
 interface TokenStorageAdaptor
 {
-    public function find(): ?Token;
+    public const ACCESS_TOKEN_STORAGE_KEY = 'oidc_id_access_token';
+    public const REFRESH_TOKEN_STORAGE_KEY = 'oidc_id_refresh_token';
+
+    public function find(string $type): ?Token;
 
     /**
      * @throws MissingTokenException
      */
-    public function get(): Token;
+    public function get(string $type): Token;
 
-    public function put(Token $token): void;
+    public function put(Token $accessToken, ?string $refreshToken = null): void;
 
     public function forget(): void;
 
-    public function getStorageKey(): string;
+    public function getAccessTokenStorageKey(): string;
+
+    public function getRefreshTokenStorageKey(): string;
 }

tests/Unit/Builder/OpenIDConnectClientBuilderTest.php

@@ -80,7 +80,7 @@ public function authorization_code_flow(): void
             configRepository: $this->configRepository,
         );
         /** @noinspection PhpUnhandledExceptionInspection */
-        $openIdConnectClient = $openIdConnectBuilder->execute();
+        $openIdConnectClient = $openIdConnectBuilder->execute(true);
 
         self::assertInstanceOf(OpenIDConnectClient::class, $openIdConnectClient);
         // Obviously this is actually testing the Client, which is beyond our scope,