public function JWTVerifier::verifyAndDecode in Auth0 Single Sign On 8.2

Verify and decode a JWT.

Parameters

string $jwt: JWT to verify and decode.

Return value

mixed

Throws

InvalidTokenException If the token does not have 3 sections.

InvalidTokenException If the algorithm used to sign the token is not supported.

InvalidTokenException If the token does not have a valid audience.

CoreException If an RS256 token is missing a key ID.

CoreException If an RS256 token does not have a valid issuer.

CoreException If the token cannot be decoded.

File

vendor/auth0/auth0-php/src/JWTVerifier.php, line 173

Class

JWTVerifier
Class JWTVerifier. Used to validate JWTs issued by Auth0.

Namespace

Auth0\SDK

Code

public function verifyAndDecode($jwt) {
  $tks = explode('.', $jwt);
  if (count($tks) !== 3) {
    throw new InvalidTokenException('Wrong number of segments');
  }
  try {
    $head_decoded = $this->decodeTokenSegment($tks[0]);
    $body_decoded = $this->decodeTokenSegment($tks[1]);
  } catch (\DomainException $e) {
    throw new InvalidTokenException('Malformed token.');
  }
  if (!is_object($head_decoded) || !is_object($body_decoded)) {
    throw new InvalidTokenException('Malformed token.');
  }
  if (empty($head_decoded->alg)) {
    throw new InvalidTokenException('Token algorithm not found');
  }
  if (!$this->supportsAlg($head_decoded->alg)) {
    throw new InvalidTokenException('Token algorithm not supported');
  }

  // Validate the token audience, if present.
  if (!empty($body_decoded->aud)) {
    $audience = is_array($body_decoded->aud) ? $body_decoded->aud : [
      $body_decoded->aud,
    ];
    if (!count(array_intersect($audience, $this->valid_audiences))) {
      $message = 'Invalid token audience ' . implode(', ', $audience);
      $message .= '; expected ' . implode(', ', $this->valid_audiences);
      throw new InvalidTokenException($message);
    }
  }
  if ('HS256' === $head_decoded->alg) {
    $secret = $this->client_secret;
  } else {
    if (empty($head_decoded->kid)) {
      throw new CoreException('Token key ID is missing for RS256 token');
    }
    if (empty($body_decoded->iss) || !in_array($body_decoded->iss, $this->authorized_iss)) {
      throw new CoreException('We cannot trust on a token issued by `' . $body_decoded->iss . '`');
    }
    $jwks_url = $body_decoded->iss . $this->jwks_path;
    $secret = $this->JWKFetcher->getKeys($jwks_url);
  }
  try {
    return $this->decodeToken($jwt, $secret);
  } catch (\Exception $e) {
    throw new CoreException($e->getMessage());
  }
}
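The following is an added example, not code from the module or from auth0-php: it exercises the checks above from a caller's side with locally built HS256 tokens, so it runs offline without a JWKS fetch. It assumes the auth0-php 5.x constructor config keys shown (`supported_algs`, `valid_audiences`, `client_secret`, `secret_base64_encoded`); the secret and audience values are constructed for the demo.

```php
<?php
// Added example (not from auth0-php). Constructor config keys are assumed
// from auth0-php 5.x; secret and audience values are constructed.
require 'vendor/autoload.php';

use Auth0\SDK\JWTVerifier;
use Auth0\SDK\Exception\InvalidTokenException;
use Auth0\SDK\Exception\CoreException;

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build an HS256 token locally so no network access is needed.
function makeHs256(array $claims, string $secret): string {
    $head = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $body = b64url(json_encode($claims));
    $sig  = b64url(hash_hmac('sha256', "$head.$body", $secret, true));
    return "$head.$body.$sig";
}

$secret   = 'constructed-demo-secret';   // constructed, not a real client secret
$audience = 'https://api.example.test';   // constructed audience value
$verifier = new JWTVerifier([
    'supported_algs'        => ['HS256'],
    'valid_audiences'       => [$audience],
    'client_secret'         => $secret,
    'secret_base64_encoded' => false,     // assumed key: secret above is raw, not base64
]);

$exp   = time() + 60;
$cases = [
    'valid'          => makeHs256(['aud' => $audience, 'sub' => 'u1', 'exp' => $exp], $secret),
    'two segments'   => b64url('{"alg":"HS256"}') . '.' . b64url('{"sub":"u1"}'),
    'wrong audience' => makeHs256(['aud' => 'https://other.example.test', 'exp' => $exp], $secret),
    'bad signature'  => makeHs256(['aud' => $audience, 'exp' => $exp], 'not-the-secret'),
];

foreach ($cases as $label => $jwt) {
    try {
        $claims = $verifier->verifyAndDecode($jwt);
        printf("%-15s accepted, sub=%s\n", $label, $claims->sub ?? '-');
    } catch (InvalidTokenException $e) {
        // Structural / algorithm / audience failures from the checks above.
        printf("%-15s rejected (InvalidTokenException): %s\n", $label, $e->getMessage());
    } catch (CoreException $e) {
        // Signature or decode failures are re-thrown as CoreException.
        printf("%-15s rejected (CoreException): %s\n", $label, $e->getMessage());
    }
}
```

Only the `valid` case should be accepted; the others map onto the exceptions listed under Throws, with the bad-signature case surfacing as a `CoreException` because `decodeToken` wraps the underlying decode failure.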