bshaffer · hhniao · Jan 4, 2018 · Jan 4, 2018 · Jan 4, 2018 · Jan 4, 2018
diff --git a/src/OAuth2/OpenID/ResponseType/IdToken.php b/src/OAuth2/OpenID/ResponseType/IdToken.php
@@ -7,6 +7,7 @@
 use OAuth2\Storage\PublicKeyInterface;
 use OAuth2\OpenID\Storage\UserClaimsInterface;
 use LogicException;
+use OAuth2\OpenID\Storage\OpenIDConnectInterface;
 
 class IdToken implements IdTokenInterface
 {
@@ -30,18 +31,28 @@ class IdToken implements IdTokenInterface
     protected $encryptionUtil;
 
     /**
-     * Constructor
      *
+     * @var OpenIDConnectInterface 
+     */
+    protected $openIDStorage;
+
+    protected $subjectIdentifierType;
+    /**
+     * Constructor
+     * 
      * @param UserClaimsInterface $userClaimsStorage
      * @param PublicKeyInterface $publicKeyStorage
+     * @param OpenIDConnectInterface $openIDStorage
      * @param array $config
      * @param EncryptionInterface $encryptionUtil
+     * @param type $subjectIdentifierType
      * @throws LogicException
      */
-    public function __construct(UserClaimsInterface $userClaimsStorage, PublicKeyInterface $publicKeyStorage, array $config = array(), EncryptionInterface $encryptionUtil = null)
-    {
+    public function __construct(UserClaimsInterface $userClaimsStorage, PublicKeyInterface $publicKeyStorage, OpenIDConnectInterface $openIDStorage, array $config = array(), EncryptionInterface $encryptionUtil = null, $subjectIdentifierType = self::SUBJECT_IDENTIFIER_PUBLIC) {
         $this->userClaimsStorage = $userClaimsStorage;
         $this->publicKeyStorage = $publicKeyStorage;
+        $this->openIDStorage = $openIDStorage;
+        $this->subjectIdentifierType = $subjectIdentifierType;
         if (is_null($encryptionUtil)) {
             $encryptionUtil = new Jwt();
         }
@@ -55,6 +66,9 @@ public function __construct(UserClaimsInterface $userClaimsStorage, PublicKeyInt
         ), $config);
     }
 
+    public function setSubjectIdentifierType($type){        
+        $this->subjectIdentifierType = $type;
+    }
     /**
      * @param array $params
      * @param null $userInfo
@@ -96,7 +110,7 @@ public function createIdToken($client_id, $userInfo, $nonce = null, $userClaims
 
         $token = array(
             'iss'        => $this->config['issuer'],
-            'sub'        => $user_id,
+            'sub'        => $this->openIDStorage->getOpenID($user_id, $client_id,$this->subjectIdentifierType),
             'aud'        => $client_id,
             'iat'        => time(),
             'exp'        => time() + $this->config['id_lifetime'],
@@ -117,7 +131,7 @@ public function createIdToken($client_id, $userInfo, $nonce = null, $userClaims
 
         return $this->encodeToken($token, $client_id);
     }
-
+    
     /**
      * @param $access_token
      * @param null $client_id

diff --git a/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php b/src/OAuth2/OpenID/ResponseType/IdTokenInterface.php
@@ -4,8 +4,11 @@
 
 use OAuth2\ResponseType\ResponseTypeInterface;
 
-interface IdTokenInterface extends ResponseTypeInterface
-{
+interface IdTokenInterface extends ResponseTypeInterface {
+
+    const SUBJECT_IDENTIFIER_PUBLIC = 'public';
+    const SUBJECT_IDENTIFIER_PAIRWISE = 'pairwise';
+
     /**
      * Create the id token.
      *

diff --git a/src/OAuth2/OpenID/Storage/OpenIDConnectInterface.php b/src/OAuth2/OpenID/Storage/OpenIDConnectInterface.php
@@ -0,0 +1,20 @@
+<?php
+namespace OAuth2\OpenID\Storage;
+
+interface OpenIDConnectInterface {
+
+    /**
+     * 
+     * @param type $userId
+     * @param type $clientId
+     * @return array|null An associative array as below, and return NULL if not found:
+     * @code array(
+     *     'openid' => 'openid'
+     *     'user_id' => 'user id',
+     *     'client_id' => 'client_id'
+     * )
+     */
+    public function getOpenID($userId, $clientId, $type);
+
+    public function setOpenID($openid, $userId, $clientId);
+}
diff --git a/src/OAuth2/Server.php b/src/OAuth2/Server.php
@@ -124,6 +124,7 @@ class Server implements ResourceControllerInterface,
         'public_key' => 'OAuth2\Storage\PublicKeyInterface',
         'jwt_bearer' => 'OAuth2\Storage\JWTBearerInterface',
         'scope' => 'OAuth2\Storage\ScopeInterface',
+        'openid_connect' => 'OAuth2\OpenID\Storage\OpenIDConnectInterface',
     );
 
     /**
@@ -176,6 +177,7 @@ public function __construct($storage = array(), array $config = array(), array $
             'allow_public_clients'     => true,
             'always_issue_new_refresh_token' => false,
             'unset_refresh_token_after_use' => true,
+            'subject_identifier_type' => IdToken::SUBJECT_IDENTIFIER_PUBLIC,
         ), $config);
 
         foreach ($grantTypes as $key => $grantType) {
@@ -879,10 +881,14 @@ protected function createDefaultIdTokenResponseType()
         if (!isset($this->storages['public_key'])) {
             throw new LogicException("You must supply a storage object implementing OAuth2\Storage\PublicKeyInterface to use openid connect");
         }
+
+        if (!isset($this->storages['openid_connect'])) {
+            throw new LogicException("You must supply a storage object implementing OAuth2\OpenID\Storage\OpenIDConnectInterface to use openid connect");
+        }
 
         $config = array_intersect_key($this->config, array_flip(explode(' ', 'issuer id_lifetime')));
 
-        return new IdToken($this->storages['user_claims'], $this->storages['public_key'], $config);
+        return new IdToken($this->storages['user_claims'], $this->storages['public_key'], $this->storages['openid_connect'], $config, null, $this->config['subject_identifier_type']);
     }
 
     /**

diff --git a/src/OAuth2/Storage/Memory.php b/src/OAuth2/Storage/Memory.php
@@ -4,6 +4,8 @@
 
 use OAuth2\OpenID\Storage\UserClaimsInterface;
 use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
+use OAuth2\OpenID\Storage\OpenIDConnectInterface;
+use OAuth2\OpenID\ResponseType\IdTokenInterface;
 
 /**
  * Simple in-memory storage for all storage types
@@ -22,7 +24,8 @@ class Memory implements AuthorizationCodeInterface,
     JwtBearerInterface,
     ScopeInterface,
     PublicKeyInterface,
-    OpenIDAuthorizationCodeInterface
+    OpenIDAuthorizationCodeInterface,
+    OpenIDConnectInterface
 {
     public $authorizationCodes;
     public $userCredentials;
@@ -34,6 +37,7 @@ class Memory implements AuthorizationCodeInterface,
     public $supportedScopes;
     public $defaultScope;
     public $keys;
+    public $openId;
 
     public function __construct($params = array())
     {
@@ -74,6 +78,22 @@ public function getAuthorizationCode($code)
         ), $this->authorizationCodes[$code]);
     }
 
+    public function getOpenID($userId, $clientId, $type) {
+
+        if ($type === IdTokenInterface::SUBJECT_IDENTIFIER_PUBLIC) {
+            $this->setOpenID($userId, $userId, $clientId);
+            return $userId;
+        }
+
+        $openid = hash_hmac('sha256', $userId, $clientId);
+        $this->setOpenID($openid, $userId, $clientId);
+
+        return $openid;
+    }
+
+    public function setOpenID($openid,$userId,$clientId) {
+        $this->openId = $openid;
+    }
     public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
     {
         $this->authorizationCodes[$code] = compact('code', 'client_id', 'user_id', 'redirect_uri', 'expires', 'scope', 'id_token');

diff --git a/src/OAuth2/Storage/Pdo.php b/src/OAuth2/Storage/Pdo.php
@@ -5,7 +5,8 @@
 use OAuth2\OpenID\Storage\UserClaimsInterface;
 use OAuth2\OpenID\Storage\AuthorizationCodeInterface as OpenIDAuthorizationCodeInterface;
 use InvalidArgumentException;
-
+use OAuth2\OpenID\Storage\OpenIDConnectInterface;
+use OAuth2\OpenID\ResponseType\IdTokenInterface;
 /**
  * Simple PDO storage for all storage types
  *
@@ -28,7 +29,8 @@ class Pdo implements
     ScopeInterface,
     PublicKeyInterface,
     UserClaimsInterface,
-    OpenIDAuthorizationCodeInterface
+    OpenIDAuthorizationCodeInterface,
+    OpenIDConnectInterface
 {
     /**
      * @var \PDO
@@ -81,6 +83,7 @@ public function __construct($connection, $config = array())
             'jti_table'  => 'oauth_jti',
             'scope_table'  => 'oauth_scopes',
             'public_key_table'  => 'oauth_public_keys',
+            'openid_connect_table'  => 'oauth_openid_connect',
         ), $config);
     }
 
@@ -115,6 +118,27 @@ public function isPublicClient($client_id)
         return empty($result['client_secret']);
     }
 
+    public function getOpenID($user_id, $client_id, $type) {
+
+        if ($type === IdTokenInterface::SUBJECT_IDENTIFIER_PUBLIC) {
+            return $user_id;
+        }
+        $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id and user_id = :user_id', $this->config['openid_connect_table']));
+        $stmt->execute(compact('client_id', 'user_id'));
+        $tmp = $stmt->fetch(\PDO::FETCH_ASSOC);
+
+        if ($tmp === false) {
+            $openid = hash_hmac('sha256', $user_id, $client_id);
+            $this->setOpenID($openid, $user_id, $client_id);
+            return $openid;
+        }
+        return $tmp['openid'];
+    }
+
+    public function setOpenID($openid, $user_id, $client_id) {
+        $stmt = $this->db->prepare(sprintf('INSERT INTO %s (openid, client_id, user_id) VALUES (:openid, :client_id, :user_id)', $this->config['openid_connect_table']));
+        return $stmt->execute(compact('openid', 'client_id', 'user_id'));
+    }
     /**
      * @param string $client_id
      * @return array|mixed
@@ -723,6 +747,13 @@ public function getBuildSql($dbName = 'oauth2_server_php')
               public_key           VARCHAR(2000),
               private_key          VARCHAR(2000),
               encryption_algorithm VARCHAR(100) DEFAULT 'RS256'
+            );
+
+            CREATE TABLE {$this->config['openid_connect_table']} (
+              openid            VARCHAR(255),
+              user_id           VARCHAR(80),
+              client_id          VARCHAR(80),
+              PRIMARY KEY (client_id,user_id)
             )
         ";
 

diff --git a/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php b/test/OAuth2/OpenID/ResponseType/CodeIdTokenTest.php
@@ -171,7 +171,7 @@ private function getTestServer($config = array())
         $memoryStorage->supportedScopes[] = 'email';
         $responseTypes = array(
             'code'     => $code    = new AuthorizationCode($memoryStorage),
-            'id_token' => $idToken = new IdToken($memoryStorage, $memoryStorage, $config),
+            'id_token' => $idToken = new IdToken($memoryStorage, $memoryStorage, $memoryStorage, $config),
             'code id_token' => new CodeIdToken($code, $idToken),
         );
 

diff --git a/test/OAuth2/OpenID/ResponseType/IdTokenTest.php b/test/OAuth2/OpenID/ResponseType/IdTokenTest.php
@@ -172,14 +172,47 @@ private function getTestServer($config = array())
         $storage = array(
             'client' => $memoryStorage,
             'scope' => $memoryStorage,
+            'openid_connect' => $memoryStorage
         );
         $responseTypes = array(
-            'id_token' => new IdToken($memoryStorage, $memoryStorage, $config),
+            'id_token' => new IdToken($memoryStorage, $memoryStorage, $memoryStorage, $config),
         );
 
         $server = new Server($storage, $config, array(), $responseTypes);
         $server->addGrantType(new ClientCredentials($memoryStorage));
 
         return $server;
     }
+
+    public function testOpenIDConnectWithSubjectIdentifierTypePairwise(){
+        // add the test parameters in memory
+        $server = $this->getTestServer(array('allow_implicit' => true));
+        $server->getResponseType('id_token')->setSubjectIdentifierType(IdToken::SUBJECT_IDENTIFIER_PAIRWISE);
+        $request = new Request(array(
+            'response_type' => 'id_token',
+            'redirect_uri'  => 'http://adobe.com',
+            'client_id'     => 'Test Client ID',
+            'scope'         => 'openid email',
+            'state'         => 'test',
+            'nonce'         => 'test',
+        ));
+
+        $user_id = 'testuser';
+        $server->handleAuthorizeRequest($request, $response = new Response(), true, $user_id);
+
+        $this->assertEquals($response->getStatusCode(), 302);
+        $location = $response->getHttpHeader('Location');
+        $this->assertNotContains('error', $location);
+
+        $parts = parse_url($location);
+        $this->assertArrayHasKey('fragment', $parts);
+        $this->assertFalse(isset($parts['query']));
+
+        // assert fragment is in "application/x-www-form-urlencoded" format
+        parse_str($parts['fragment'], $params);
+        $this->assertNotNull($params);
+        $this->assertArrayHasKey('id_token', $params);
+        $this->assertArrayNotHasKey('access_token', $params);
+        $this->validateIdToken($params['id_token']);
+    }
 }
diff --git a/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php b/test/OAuth2/OpenID/ResponseType/IdTokenTokenTest.php
@@ -80,7 +80,7 @@ private function getTestServer($config = array())
         $memoryStorage = Bootstrap::getInstance()->getMemoryStorage();
         $responseTypes = array(
             'token'     => $token   = new AccessToken($memoryStorage, $memoryStorage),
-            'id_token'  => $idToken = new IdToken($memoryStorage, $memoryStorage, $config),
+            'id_token'  => $idToken = new IdToken($memoryStorage, $memoryStorage, $memoryStorage, $config),
             'id_token token' => new IdTokenToken($token, $idToken),
         );