Merge pull request #323 from jumbojett/fix/harden-self-signed-jwk-header

fix: harden self signed JWK header
jumbojett · Sep 27, 2022 · 7672086 · 7672086
2 parents 3c896de + ed0e30a
commit 7672086
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [unreleased]
 
+## Fixed
+
+* Harden self-signed JWK header usage. #323
+
 ## [0.9.8]
 
 ## Fixed

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -1066,6 +1066,7 @@ public function verifyJWTsignature($jwt) {
 
                 if (isset($header->jwk)) {
                     $jwk = $header->jwk;
+                    $this->verifyJWKHeader($jwk);
                 } else {
                     $jwks = json_decode($this->fetchURL($this->getProviderConfigValue('jwks_uri')));
                     if ($jwks === NULL) {
@@ -1942,4 +1943,12 @@ public function getCodeChallengeMethod() {
     public function setCodeChallengeMethod($codeChallengeMethod) {
         $this->codeChallengeMethod = $codeChallengeMethod;
     }
+
+    /**
+     * @throws OpenIDConnectClientException
+     */
+    protected function verifyJWKHeader($jwk)
+    {
+        throw new OpenIDConnectClientException('Self signed JWK header is not valid');
+    }
 }