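/**
 * Fetch the end-user's claims from the issuer's userinfo endpoint.
 *
 * The access token from $tokenSet is presented either in a Bearer
 * Authorization header (default, RFC 6750 §2.1) or, when $useBody is true,
 * as a form-encoded POST body (RFC 6750 §2.2). The response is verified as a
 * JWT when the client metadata registers any userinfo signing/encryption
 * algorithm, otherwise decoded as JSON. When the token set carries an
 * id_token, the userinfo "sub" claim must exactly match the id_token "sub"
 * before the claims are returned (OpenID Connect Core 1.0 §5.3.2).
 *
 * @param OpenIDClient      $client   Client whose metadata, issuer and (optional) HTTP client are used
 * @param TokenSetInterface $tokenSet Token set holding the access token and, optionally, the id_token
 * @param bool              $useBody  Send the access token in the POST body instead of the Authorization header
 *
 * @return array<string, mixed> The userinfo claims
 *
 * @throws RuntimeException         When no access token is available, the HTTP call fails,
 *                                  the body cannot be parsed, or the "sub" claims do not match
 * @throws InvalidArgumentException When the issuer exposes no userinfo endpoint
 * @throws OAuth2Exception          When the endpoint answers with a non-200 status
 */
public function getUserInfo(OpenIDClient $client, TokenSetInterface $tokenSet, bool $useBody = false): array
{
    $accessToken = $tokenSet->getAccessToken();

    if (null === $accessToken) {
        throw new RuntimeException('Unable to get an access token from the token set');
    }

    $clientMetadata = $client->getMetadata();
    $issuerMetadata = $client->getIssuer()->getMetadata();

    // Certificate-bound access tokens (RFC 8705) must be presented to the
    // mTLS alias of the endpoint when the issuer advertises one.
    $mTLS = true === $clientMetadata->get('tls_client_certificate_bound_access_tokens');
    $endpointUri = $issuerMetadata->getUserinfoEndpoint();

    if ($mTLS) {
        $endpointUri = $issuerMetadata->getMtlsEndpointAliases()['userinfo_endpoint'] ?? $endpointUri;
    }

    if (null === $endpointUri) {
        throw new InvalidArgumentException('Invalid issuer userinfo endpoint');
    }

    // Any registered userinfo signing/encryption algorithm means the issuer
    // will answer with a JWT rather than plain JSON.
    $expectJwt = null !== $clientMetadata->getUserinfoSignedResponseAlg()
        || null !== $clientMetadata->getUserinfoEncryptedResponseAlg()
        || null !== $clientMetadata->getUserinfoEncryptedResponseEnc();

    $accept = $expectJwt ? 'application/jwt' : 'application/json';

    if ($useBody) {
        $request = $this->requestFactory->createRequest('POST', $endpointUri)
            ->withHeader('accept', $accept)
            ->withHeader('content-type', 'application/x-www-form-urlencoded');
        $request->getBody()->write(http_build_query(['access_token' => $accessToken]));
    } else {
        // An empty token_type from the issuer falls back to the Bearer scheme.
        $request = $this->requestFactory->createRequest('GET', $endpointUri)
            ->withHeader('accept', $accept)
            ->withHeader('authorization', ($tokenSet->getTokenType() ?: 'Bearer') . ' ' . $accessToken);
    }

    $httpClient = $client->getHttpClient() ?? $this->client;

    try {
        $response = $httpClient->sendRequest($request);
    } catch (ClientExceptionInterface $e) {
        throw new RuntimeException('Unable to get userinfo', 0, $e);
    }

    if (200 !== $response->getStatusCode()) {
        throw OAuth2Exception::fromResponse($response);
    }

    $payload = $this->decodeUserInfoPayload($client, (string) $response->getBody(), $expectJwt);

    // Without an id_token there is no trusted "sub" to compare against.
    if (null === $tokenSet->getIdToken()) {
        return $payload;
    }

    $this->assertUserInfoSubject($tokenSet, $payload);

    return $payload;
}

/**
 * Turn the raw userinfo response body into a claims array.
 *
 * A JWT body is handed to the configured verifier; a JSON body is decoded
 * and additionally required to be a JSON object. Without that check a body
 * such as `null` or `"text"` would pass json_decode and only blow up later
 * as a TypeError against the array return type.
 *
 * @param OpenIDClient $client    Client used to build the JWT verifier
 * @param string       $body      Raw response body
 * @param bool         $expectJwt Whether the body is a JWT rather than plain JSON
 *
 * @return array<string, mixed>
 *
 * @throws RuntimeException When the body is not valid JSON or not a JSON object
 */
private function decodeUserInfoPayload(OpenIDClient $client, string $body, bool $expectJwt): array
{
    if ($expectJwt) {
        /** @var TokenSetClaimsType $payload */
        $payload = $this->userInfoVerifierBuilder->build($client)->verify($body);

        return $payload;
    }

    try {
        $payload = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new RuntimeException('Unable to parse userinfo claims', 0, $e);
    }

    if (! is_array($payload)) {
        throw new RuntimeException('Unable to parse userinfo claims: expected a JSON object');
    }

    /** @var TokenSetClaimsType $payload */
    return $payload;
}

/**
 * Enforce that the userinfo "sub" equals the id_token "sub".
 *
 * OpenID Connect Core 1.0 §5.3.2: a userinfo response whose sub differs from
 * the ID Token's sub MUST NOT be used. This is what prevents claims obtained
 * for a different end-user from being attributed to the authenticated one.
 * The comparison is strict (===), so a type or case difference is a mismatch.
 *
 * @param TokenSetInterface    $tokenSet Token set whose id_token claims supply the expected sub
 * @param array<string, mixed> $payload  Decoded userinfo claims
 *
 * @throws RuntimeException When the id_token has no sub or the subs differ
 */
private function assertUserInfoSubject(TokenSetInterface $tokenSet, array $payload): void
{
    $expectedSub = $tokenSet->claims()['sub'] ?? null;

    if (null === $expectedSub) {
        throw new RuntimeException('Unable to get sub claim from id_token');
    }

    $actualSub = $payload['sub'] ?? null;

    if ($expectedSub !== $actualSub) {
        // Only scalars are safe to interpolate; anything else is reported as empty.
        throw new RuntimeException(sprintf(
            'Userinfo sub mismatch, expected %s, got: %s',
            $expectedSub,
            is_scalar($actualSub) ? (string) $actualSub : ''
        ));
    }
}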