
public function TokenTest::testThatTokenWithInvalidAudThrowsException in Auth0 Single Sign On 8.2

Test that an invalid audience is rejected.

Return value

void

Throws

CoreException See Auth0\SDK\JWTVerifier::verifyAndDecode().

File

vendor/auth0/auth0-php/tests/API/Helpers/TokenGeneratorTest.php, line 239

Class

TokenTest
Class TokenTest

Namespace

Auth0\Tests\Api\Helpers

Code

/**
 * Verifies that verifyAndDecode() rejects a token at each validation stage.
 *
 * The same header and claims objects are mutated step by step so that each
 * scenario fixes the previous failure and trips the next one:
 *   1. audience not listed in 'valid_audiences' (InvalidTokenException);
 *   2. RS256 header without a 'kid' (CoreException);
 *   3. issuer not listed in 'authorized_iss' (CoreException);
 *   4. HS256 token whose signature segment is random bytes (CoreException).
 *
 * @return void
 *
 * @throws CoreException See Auth0\SDK\JWTVerifier::verifyAndDecode().
 */
public function testThatTokenWithInvalidAudThrowsException() {
  // Every header/claims segment is JSON-encoded, then base64url-encoded.
  $encode = static function ($segment) {
    return JWT::urlsafeB64Encode(JWT::jsonEncode($segment));
  };

  $verifier = new JWTVerifier([
    'valid_audiences' => ['__valid_aud__'],
    'supported_algs' => ['RS256'],
    'authorized_iss' => ['__valid_iss__'],
  ]);

  $header = new \stdClass();
  $header->typ = 'JWT';
  $header->alg = 'RS256';
  $encodedHeader = $encode($header);

  // 1. Audience is not in the verifier's valid_audiences list.
  $claims = new \stdClass();
  $claims->aud = ['__invalid_aud__'];
  $encodedClaims = $encode($claims);
  $failed = false;
  $failureMessage = 'No exception caught';
  try {
    $verifier->verifyAndDecode($encodedHeader . '.' . $encodedClaims . '.' . uniqid());
  } catch (InvalidTokenException $e) {
    $failureMessage = $e->getMessage();
    $failed = $this->errorHasString($e, 'Invalid token audience __invalid_aud__; expected __valid_aud__');
  }
  $this->assertTrue($failed, $failureMessage);

  // 2. Audience is now valid, but the RS256 header carries no key ID.
  $claims->aud = '__valid_aud__';
  $encodedClaims = $encode($claims);
  $failed = false;
  $failureMessage = 'No exception caught';
  try {
    $verifier->verifyAndDecode($encodedHeader . '.' . $encodedClaims . '.' . uniqid());
  } catch (CoreException $e) {
    $failureMessage = $e->getMessage();
    $failed = $this->errorHasString($e, 'Token key ID is missing for RS256 token');
  }
  $this->assertTrue($failed, $failureMessage);

  // 3. Key ID present, but the issuer is not in authorized_iss.
  $header->kid = uniqid();
  $encodedHeader = $encode($header);
  $claims->iss = '__invalid_iss__';
  $encodedClaims = $encode($claims);
  $failed = false;
  $failureMessage = 'No exception caught';
  try {
    $verifier->verifyAndDecode($encodedHeader . '.' . $encodedClaims . '.' . uniqid());
  } catch (CoreException $e) {
    $failureMessage = $e->getMessage();
    $failed = $this->errorHasString($e, 'We cannot trust on a token issued by');
  }
  $this->assertTrue($failed, $failureMessage);

  // 4. Switch to an HS256 verifier with a shared secret; aud and iss are
  //    valid, so only the (random) signature segment can fail.
  $verifier = new JWTVerifier([
    'valid_audiences' => ['__valid_aud__'],
    'client_secret' => self::CLIENT_SECRET,
  ]);
  $header->alg = 'HS256';
  $encodedHeader = $encode($header);
  $claims->iss = '__valid_iss__';
  $encodedClaims = $encode($claims);
  $failed = false;
  $failureMessage = 'No exception caught';
  try {
    $verifier->verifyAndDecode($encodedHeader . '.' . $encodedClaims . '.' . JWT::urlsafeB64Encode(uniqid()));
  } catch (CoreException $e) {
    $failureMessage = $e->getMessage();
    $failed = $this->errorHasString($e, 'Signature verification failed');
  }
  $this->assertTrue($failed, $failureMessage);
}