Merge pull request #322 from ricklambrechts/add-support-for-private-k…

…ey-jwt Added support for private_key_jwt authentication method
jumbojett · Sep 28, 2022 · fba1440 · fba1440
2 parents 7672086 + bddb3bf
commit fba1440
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [unreleased]
+* Added support for `private_key_jwt` Client Authentication method #322
 
 ## Fixed
 

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -215,6 +215,11 @@ class OpenIDConnectClient
      */
     private $issuerValidator;
 
+    /**
+     * @var callable|null generator function for private key jwt client authentication
+     */
+    private $privateKeyJwtGenerator;
+
     /**
      * @var bool Allow OAuth 2 implicit flow; see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
      */
@@ -798,6 +803,12 @@ protected function requestTokens($code, $headers = array()) {
 	        unset($token_params['client_id']);
         }
 
+        // When there is a private key jwt generator and it is supported then use it as client authentication
+        if ($this->privateKeyJwtGenerator !== null && in_array('private_key_jwt', $token_endpoint_auth_methods_supported, true)) {
+            $token_params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+            $token_params['client_assertion'] = $this->privateKeyJwtGenerator->__invoke($token_endpoint);
+        }
+
         $ccm = $this->getCodeChallengeMethod();
         $cv = $this->getCodeVerifier();
         if (!empty($ccm) && !empty($cv)) {
@@ -1454,6 +1465,18 @@ public function setIssuerValidator($issuerValidator) {
         $this->issuerValidator = $issuerValidator;
     }
 
+    /**
+     * Use this for private_key_jwt client authentication
+     * The given function should accept the token_endpoint string as the only argument
+     * and return a jwt signed with your private key according to:
+     * https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+     *
+     * @param callable $privateKeyJwtGenerator
+     */
+    public function setPrivateKeyJwtGenerator($privateKeyJwtGenerator) {
+        $this->privateKeyJwtGenerator = $privateKeyJwtGenerator;
+    }
+
     /**
      * @param bool $allowImplicitFlow
      */
@@ -1923,6 +1946,14 @@ public function getIssuerValidator() {
         return $this->issuerValidator;
     }
 
+
+    /**
+     * @return callable
+     */
+    public function getPrivateKeyJwtGenerator() {
+        return $this->privateKeyJwtGenerator;
+    }
+
     /**
      * @return int
      */