public function JWTVerifier::__construct in Auth0 Single Sign On 8.2
JWTVerifier Constructor.
Parameters
array $config Uses the following keys:
- valid_audiences (Array) - Required; list of audiences accepted by the service.
- client_secret (String) - Required for HS256; Auth0 Application Client Secret.
- secret_base64_encoded (Boolean) - Optional; used with HS256. When omitted or truthy, client_secret is base64-decoded before use; when false, the secret is used as-is.
- authorized_iss (Array) - Required for RS256; list of issuers trusted by the service.
- supported_algs (Array) - List of supported algorithms; defaults to HS256. Only HS256 and RS256 are accepted.
- cache (CacheHandler) - Optional. Instance of CacheHandler to cache the JWKs.
- guzzle_options (Array) - Extra Guzzle HTTP client options used when getting a JWKS.
- jwks_path (string) - Path from the issuer domain to the JWKS; used for RS256.
JWKFetcher|null $jwkFetcher Instance of the JWKFetcher class to inject, or null to instantiate one.
Throws
CoreException If the legacy misspelled suported_algs config key is set (it was renamed to supported_algs).
CoreException If the valid_audiences config key is empty.
CoreException If supported_algs contains an algorithm other than HS256 or RS256.
CoreException If the token supports RS256 and the authorized_iss config key is empty.
CoreException If the token supports HS256 and the client_secret config key is empty.
File
- vendor/auth0/auth0-php/src/JWTVerifier.php, line 86
Class
- JWTVerifier
- Class JWTVerifier. Used to validate JWTs issued by Auth0.
Namespace
Auth0\SDK
Code
public function __construct(array $config, JWKFetcher $jwkFetcher = null) {
    $cache = null;
    $guzzleOptions = [];

    // Allow for dependency injection of a JWKFetcher object.
    $this->JWKFetcher = $jwkFetcher;
    if (!$this->JWKFetcher instanceof JWKFetcher) {
        // CacheHandler implementation to be used in JWKFetcher.
        if (isset($config['cache']) && $config['cache'] instanceof CacheHandler) {
            $cache = $config['cache'];
        }
        // Pass in Guzzle client options, if present.
        if (isset($config['guzzle_options']) && is_array($config['guzzle_options'])) {
            $guzzleOptions = $config['guzzle_options'];
        }
        $this->JWKFetcher = new JWKFetcher($cache, $guzzleOptions);
    }

    // JWKS path to use; see variable declaration above for default.
    if (isset($config['jwks_path'])) {
        $this->jwks_path = (string) $config['jwks_path'];
    }

    // Legacy misspelling in JWT library.
    if (isset($config['suported_algs'])) {
        throw new CoreException('`suported_algs` was properly renamed to `supported_algs`');
    }

    // Make sure we have audiences to check.
    if (empty($config['valid_audiences'])) {
        throw new CoreException('The audience is mandatory');
    }
    $this->valid_audiences = $config['valid_audiences'];

    // Set the supported algorithms if passed; see variable declaration above for default.
    if (isset($config['supported_algs'])) {
        $this->supported_algs = $config['supported_algs'];
    }

    // Check for algorithms that are not HS256 or RS256.
    $unsupported_algs = array_diff($this->supported_algs, [
        'HS256',
        'RS256',
    ]);
    if (!empty($unsupported_algs)) {
        throw new CoreException('Cannot support the following algorithm(s): ' . implode(', ', $unsupported_algs));
    }

    // Set if the authorized issuer is passed; enforce if RS256.
    if (!empty($config['authorized_iss'])) {
        $this->authorized_iss = $config['authorized_iss'];
    } else {
        if ($this->supportsAlg('RS256')) {
            throw new CoreException('The token iss property is required when accepting RS256 signed tokens');
        }
    }

    // Only store the client_secret if this is an HS256 token.
    if ($this->supportsAlg('HS256')) {
        // HS256 tokens require a client_secret.
        if (empty($config['client_secret'])) {
            throw new CoreException('The client_secret is required when accepting HS256 signed tokens');
        }

        if (!isset($config['secret_base64_encoded']) || $config['secret_base64_encoded']) {
            // If secret_base64_encoded is not passed or it is passed as truth-y, decode the client secret.
            $this->client_secret = $this->decodeB64($config['client_secret']);
        } else {
            // Otherwise, leave as-is.
            $this->client_secret = $config['client_secret'];
        }
    }
}
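The constructor checks listed under Parameters and Throws, shown as an added usage example (not code from the Auth0 SDK or the Drupal module). It assumes auth0-php is installed via Composer; the tenant domain, client id and secret are placeholders, and the CoreException namespace is taken from the SDK's Exception package.

```php
<?php
// Added example; assumes the auth0-php SDK is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\JWTVerifier;
use Auth0\SDK\Exception\CoreException;

// RS256: signature keys are fetched from the issuer's JWKS, so the application
// stores no shared secret. Pin exactly one algorithm rather than both.
function buildRs256Verifier(string $tenantDomain, string $clientId): JWTVerifier
{
    return new JWTVerifier([
        'supported_algs'  => ['RS256'],
        'valid_audiences' => [$clientId],
        // Auth0 tokens carry a trailing slash in iss; list the issuer the same way.
        'authorized_iss'  => ['https://' . $tenantDomain . '/'],
    ]);
}

// HS256: the Application Client Secret is the verification key. The constructor
// base64-decodes it unless secret_base64_encoded is explicitly false, so a raw
// (non-base64) secret must be flagged or every signature check will fail.
function buildHs256Verifier(string $clientId, string $clientSecret, bool $secretIsBase64): JWTVerifier
{
    return new JWTVerifier([
        'supported_algs'        => ['HS256'],
        'valid_audiences'       => [$clientId],
        'client_secret'         => $clientSecret,
        'secret_base64_encoded' => $secretIsBase64,
    ]);
}

// Placeholder values; replace with the tenant's real settings.
$rs256 = buildRs256Verifier('example-tenant.auth0.com', 'PLACEHOLDER_CLIENT_ID');
$hs256 = buildHs256Verifier('PLACEHOLDER_CLIENT_ID', 'PLACEHOLDER_CLIENT_SECRET', false);

// The constructor fails fast on an incomplete configuration, so a deployment
// mistake surfaces at startup instead of when the first token arrives.
try {
    new JWTVerifier(['supported_algs' => ['RS256'], 'valid_audiences' => ['PLACEHOLDER_CLIENT_ID']]);
} catch (CoreException $e) {
    // Rejected: "The token iss property is required when accepting RS256 signed tokens"
    error_log('Misconfiguration rejected: ' . $e->getMessage());
}
```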