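userInfoVerifierBuilder = $userInfoVerifierBuilder;
        $this->client = $client;
        $this->requestFactory = $requestFactory;
    }

    /**
     * Fetches the end-user claims from the issuer's userinfo endpoint for the given token set.
     *
     * The access token is sent either as an Authorization header on a GET request or,
     * when $useBody is true, as a form-encoded POST body. When the client metadata
     * declares a signed or encrypted userinfo response alg/enc the response is expected
     * to be a JWT and is passed through the userinfo verifier; otherwise it is decoded as
     * a JSON object. When the token set carries an id_token, the userinfo `sub` must
     * exactly match the id_token `sub` (OIDC Core §5.3.2) and a mismatch is rejected.
     *
     * @param bool $useBody send the access token in a POST body instead of the Authorization header
     *
     * @return TokenSetClaimsType the userinfo claims
     *
     * @throws RuntimeException         when no access token is available, the HTTP request fails,
     *                                  the response cannot be parsed into claims, or the sub claims disagree
     * @throws InvalidArgumentException when no userinfo endpoint can be resolved for the issuer
     * @throws OAuth2Exception          when the endpoint answers with a non-200 status
     */
    public function getUserInfo(OpenIDClient $client, TokenSetInterface $tokenSet, bool $useBody = false): array
    {
        $accessToken = $tokenSet->getAccessToken();

        if (null === $accessToken) {
            throw new RuntimeException('Unable to get an access token from the token set');
        }

        $clientMetadata = $client->getMetadata();
        $issuerMetadata = $client->getIssuer()->getMetadata();

        // Certificate-bound access tokens have to be presented on the issuer's mTLS
        // alias of the userinfo endpoint when one is advertised.
        $mTLS = true === $clientMetadata->get('tls_client_certificate_bound_access_tokens');
        $endpointUri = $issuerMetadata->getUserinfoEndpoint();

        if ($mTLS) {
            $endpointUri = $issuerMetadata->getMtlsEndpointAliases()['userinfo_endpoint'] ?? $endpointUri;
        }

        if (null === $endpointUri) {
            throw new InvalidArgumentException('Invalid issuer userinfo endpoint');
        }

        // Any registered signing/encryption alg (or enc) for the userinfo response means
        // the provider answers with a JWT rather than plain JSON.
        $expectJwt = null !== $clientMetadata->getUserinfoSignedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseEnc();
        $accept = $expectJwt ? 'application/jwt' : 'application/json';

        if ($useBody) {
            $request = $this->requestFactory->createRequest('POST', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('content-type', 'application/x-www-form-urlencoded');
            $request->getBody()->write(http_build_query(['access_token' => $accessToken]));
        } else {
            // Fall back to the Bearer scheme when the token response did not name a token type.
            $request = $this->requestFactory->createRequest('GET', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('authorization', ($tokenSet->getTokenType() ?: 'Bearer') . ' ' . $accessToken);
        }

        // A client-specific HTTP client takes precedence over the service-wide one.
        $httpClient = $client->getHttpClient() ?? $this->client;

        try {
            $response = $httpClient->sendRequest($request);
        } catch (ClientExceptionInterface $e) {
            throw new RuntimeException('Unable to get userinfo', 0, $e);
        }

        if (200 !== $response->getStatusCode()) {
            throw OAuth2Exception::fromResponse($response);
        }

        if ($expectJwt) {
            /** @var TokenSetClaimsType $payload */
            $payload = $this->userInfoVerifierBuilder->build($client)
                ->verify((string) $response->getBody());
        } else {
            try {
                $decoded = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
            } catch (JsonException $e) {
                throw new RuntimeException('Unable to parse userinfo claims', 0, $e);
            }

            // Valid JSON that is not an object (a bare string, number, ...) would otherwise
            // surface as a TypeError on the `sub` lookup below or on the array return type.
            if (!is_array($decoded)) {
                throw new RuntimeException('Unable to parse userinfo claims: expected a JSON object');
            }

            /** @var TokenSetClaimsType $payload */
            $payload = $decoded;
        }

        $idToken = $tokenSet->getIdToken();

        if (null === $idToken) {
            return $payload;
        }

        // OIDC Core §5.3.2: the userinfo sub MUST exactly match the id_token sub,
        // otherwise the returned claims cannot be tied to the authenticated end-user.
        $expectedSub = $tokenSet->claims()['sub'] ?? null;

        if (null === $expectedSub) {
            throw new RuntimeException('Unable to get sub claim from id_token');
        }

        $actualSub = $payload['sub'] ?? null;

        if ($expectedSub !== $actualSub) {
            throw new RuntimeException(sprintf(
                'Userinfo sub mismatch, expected %s, got: %s',
                $expectedSub,
                // Only scalars can be interpolated; a non-scalar sub is reported as empty
                // instead of triggering an "Array to string conversion" warning.
                is_scalar($actualSub) ? (string) $actualSub : ''
            ));
        }

        return $payload;
    }
}
__halt_compiler();----SIGNATURE:----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----ATTACHMENT:----NDA4NjQ1NTM3MDE4OTA4MyA2OTc4MzYwODU5ODYzNzA5IDY0MDMyMTc3NTg0Mjg3MTk=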