
PHP Cross Reference of moodle-2.8


/lib/google/Google/Auth/ -> AssertionCredentials.php (source)

   1  <?php
   2  /*
   3   * Copyright 2012 Google Inc.
   4   *
   5   * Licensed under the Apache License, Version 2.0 (the "License");
   6   * you may not use this file except in compliance with the License.
   7   * You may obtain a copy of the License at
   8   *
   9   *     http://www.apache.org/licenses/LICENSE-2.0
  10   *
  11   * Unless required by applicable law or agreed to in writing, software
  12   * distributed under the License is distributed on an "AS IS" BASIS,
  13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14   * See the License for the specific language governing permissions and
  15   * limitations under the License.
  16   */
  17  
  18  require_once "Google/Auth/OAuth2.php";
  19  require_once "Google/Signer/P12.php";
  20  require_once "Google/Utils.php";
  21  
  22  /**
  23   * Credentials object used for OAuth 2.0 Signed JWT assertion grants.
  24   *
  25   * @author Chirag Shah <[email protected]>
  26   */
  27  class Google_Auth_AssertionCredentials
  28  {
  29    const MAX_TOKEN_LIFETIME_SECS = 3600;
  30  
  31    public $serviceAccountName;
  32    public $scopes;
  33    public $privateKey;
  34    public $privateKeyPassword;
  35    public $assertionType;
  36    public $sub;
  37    /**
  38     * @deprecated
  39     * @link http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06
  40     */
  41    public $prn;
  42    private $useCache;
  43  
  44    /**
  45     * @param $serviceAccountName
  46     * @param $scopes array List of scopes
  47     * @param $privateKey
  48     * @param string $privateKeyPassword
  49     * @param string $assertionType
  50     * @param bool|string $sub The email address of the user for which the
  51     *              application is requesting delegated access.
  52     * @param bool useCache Whether to generate a cache key and allow
  53     *              automatic caching of the generated token.
  54     */
  55    public function __construct(
  56        $serviceAccountName,
  57        $scopes,
  58        $privateKey,
  59        $privateKeyPassword = 'notasecret',
  60        $assertionType = 'http://oauth.net/grant_type/jwt/1.0/bearer',
  61        $sub = false,
  62        $useCache = true
  63    ) {
  64      $this->serviceAccountName = $serviceAccountName;
  65      $this->scopes = is_string($scopes) ? $scopes : implode(' ', $scopes);
  66      $this->privateKey = $privateKey;
  67      $this->privateKeyPassword = $privateKeyPassword;
  68      $this->assertionType = $assertionType;
  69      $this->sub = $sub;
  70      $this->prn = $sub;
  71      $this->useCache = $useCache;
  72    }
  73    
  74    /**
  75     * Generate a unique key to represent this credential.
  76     * @return string
  77     */
  78    public function getCacheKey()
  79    {
  80      if (!$this->useCache) {
  81        return false;
  82      }
  83      $h = $this->sub;
  84      $h .= $this->assertionType;
  85      $h .= $this->privateKey;
  86      $h .= $this->scopes;
  87      $h .= $this->serviceAccountName;
  88      return md5($h);
  89    }
  90  
  91    public function generateAssertion()
  92    {
  93      $now = time();
  94  
  95      $jwtParams = array(
  96            'aud' => Google_Auth_OAuth2::OAUTH2_TOKEN_URI,
  97            'scope' => $this->scopes,
  98            'iat' => $now,
  99            'exp' => $now + self::MAX_TOKEN_LIFETIME_SECS,
 100            'iss' => $this->serviceAccountName,
 101      );
 102  
 103      if ($this->sub !== false) {
 104        $jwtParams['sub'] = $this->sub;
 105      } else if ($this->prn !== false) {
 106        $jwtParams['prn'] = $this->prn;
 107      }
 108  
 109      return $this->makeSignedJwt($jwtParams);
 110    }
 111  
 112    /**
 113     * Creates a signed JWT.
 114     * @param array $payload
 115     * @return string The signed JWT.
 116     */
 117    private function makeSignedJwt($payload)
 118    {
 119      $header = array('typ' => 'JWT', 'alg' => 'RS256');
 120  
 121      $payload = json_encode($payload);
 122      // Handle some overzealous escaping in PHP json that seemed to cause some errors
 123      // with claimsets.
 124      $payload = str_replace('\/', '/', $payload);
 125  
 126      $segments = array(
 127        Google_Utils::urlSafeB64Encode(json_encode($header)),
 128        Google_Utils::urlSafeB64Encode($payload)
 129      );
 130  
 131      $signingInput = implode('.', $segments);
 132      $signer = new Google_Signer_P12($this->privateKey, $this->privateKeyPassword);
 133      $signature = $signer->sign($signingInput);
 134      $segments[] = Google_Utils::urlSafeB64Encode($signature);
 135  
 136      return implode(".", $segments);
 137    }
 138  }

