Gestion décodage JWT

wouldsmina · sbenaddi · commit 5126141f0f1d · 2026-04-03T15:53:19.000+02:00
diff --git a/.env.example b/.env.example
@@ -106,5 +106,8 @@ OIDC_CLIENT_ID=deming
 OIDC_CLIENT_SECRET=deming
 OIDC_BASE_URL=http://auth.lan
 OIDC_SUFFIX=""
+OIDC_USE_ID_TOKEN=false     # true pour décoder le JWT
+OIDC_JWT_ALG=RS256          # RS256 ou HS256. utile uniquement avec OIDC_USE_ID_TOKEN=true
+OIDC_JWT_SECRET_OR_KEY=""   # secret pour HS256 ou clé au format PEM pour RS256
 OIDC_REDIRECT_URI=${APP_URL}auth/callback/oidc
 APP_VERSION=2025.08.13
diff --git a/app/Providers/Socialite/GenericSocialiteProvider.php b/app/Providers/Socialite/GenericSocialiteProvider.php
@@ -6,6 +6,8 @@
 use Laravel\Socialite\Two\AbstractProvider;
 use Laravel\Socialite\Two\ProviderInterface;
 use Laravel\Socialite\Two\User;
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
 use Log;
 
 /**
@@ -40,6 +42,7 @@ class GenericSocialiteProvider extends AbstractProvider implements ProviderInter
      * {@inheritdoc}
      */
     protected $scopeSeparator = ' ';
+    protected $idToken;
 
     /**
      * Return provider Url.
@@ -96,6 +99,19 @@ protected function getTokenUrl()
         return $this->getOIDCUrl() . '/token';
     }
 
+    /**
+     * Get the access token response for the given code.
+     *
+     * @param  string  $code
+     * @return mixed
+     */
+    public function getAccessTokenResponse($code)
+    {
+        $response = parent::getAccessTokenResponse($code);
+        $this->idToken = $response['id_token'] ?? null;
+        return $response;
+    }
+
     /**
      * @param string $token
      *
@@ -105,6 +121,15 @@ protected function getTokenUrl()
      */
     protected function getUserByToken($token)
     {
+        $useIdToken = config('services.oidc.use_id_token', false);
+
+        if ($useIdToken) {
+            if (!$this->idToken) {
+                throw new \Exception('OIDC_USE_ID_TOKEN=true but id_token not received');
+            }
+            return $this->decodeIdToken($this->idToken);
+        }
+
         $base_url = $this->getOIDCUrl() . '/userinfo';
         // If userinfo endpoint set, use it instead
         if (config('services.oidc.userinfo_endpoint')) {
@@ -140,4 +165,22 @@ protected function mapUserToObject(array $user)
         }
         return (new User())->setRaw($user)->map($socialite_user);
     }
+
+    protected function decodeIdToken($idToken)
+    {
+        $alg = config('services.oidc.jwt_alg', 'RS256');
+        $key = config('services.oidc.jwt_secret_or_key');
+
+        if (!$key) {
+            throw new \Exception('JWT secret or public key not configured');
+        }
+
+        try {
+            $decoded = JWT::decode($idToken, new Key($key, $alg));
+        } catch (\Exception $e) {
+            throw new \Exception('Failed to decode ID token: '.$e->getMessage(), 0, $e);
+        }
+
+        return json_decode(json_encode($decoded), true);
+    }
 }
diff --git a/composer.json b/composer.json
@@ -6,6 +6,7 @@
     "license": "GPLv3",
     "require": {
         "php": "^8.2",
+        "firebase/php-jwt": "^7.0",
         "directorytree/ldaprecord-laravel": "^3.4",
         "erusev/parsedown": "^1.7",
         "laravel/framework": "^11.9",
diff --git a/config/services.php b/config/services.php
@@ -71,6 +71,9 @@
         'authorize_endpoint' => env('OIDC_AUTHORIZE_ENDPOINT', null),
         'token_endpoint' => env('OIDC_TOKEN_ENDPOINT', null),
         'userinfo_endpoint' => env('OIDC_USERINFO_ENDPOINT', null),
+        'use_id_token' => env('OIDC_USE_ID_TOKEN', false),
+        'jwt_alg' => env('OIDC_JWT_ALG', 'RS256'),
+        'jwt_secret_or_key' => env('OIDC_JWT_SECRET_OR_KEY', ''),
         'map_user_attr' => [
             'id' => 'sub',
             'name' => 'name',
