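userInfoVerifierBuilder = $userInfoVerifierBuilder; $this->client = $client; $this->requestFactory = $requestFactory; }

    /**
     * Call the issuer's userinfo endpoint with the access token from the token
     * set and return the decoded claims.
     *
     * When the token set also carries an ID token, the `sub` claim of the
     * userinfo response must equal the `sub` claim of the token set, otherwise
     * the response is rejected. Without an ID token there is nothing to bind
     * the response to and the claims are returned as received.
     *
     * @param OpenIDClient      $client   client whose metadata, issuer and optional HTTP client are used
     * @param TokenSetInterface $tokenSet token set providing the access token (and optionally the ID token)
     * @param bool              $useBody  send the access token as a form-encoded POST body instead of
     *                                    an Authorization header on a GET request
     *
     * @return array decoded userinfo claims
     *
     * @throws InvalidArgumentException when the issuer exposes no usable userinfo endpoint
     * @throws RuntimeException         when no access token is available, the HTTP call fails, the body
     *                                  cannot be decoded into a claims array, or the `sub` check fails
     * @throws OAuth2Exception          when the endpoint answers with a status other than 200
     */
    public function getUserInfo(OpenIDClient $client, TokenSetInterface $tokenSet, bool $useBody = false): array
    {
        $accessToken = $tokenSet->getAccessToken();

        if (null === $accessToken) {
            throw new RuntimeException('Unable to get an access token from the token set');
        }

        $clientMetadata = $client->getMetadata();
        $issuerMetadata = $client->getIssuer()->getMetadata();

        // Clients registered for certificate-bound access tokens prefer the
        // issuer's mTLS alias of the userinfo endpoint when one is published.
        $mTLS = true === $clientMetadata->get('tls_client_certificate_bound_access_tokens');

        $endpointUri = $issuerMetadata->getUserinfoEndpoint();

        if ($mTLS) {
            $endpointUri = $issuerMetadata->getMtlsEndpointAliases()['userinfo_endpoint'] ?? $endpointUri;
        }

        if (null === $endpointUri) {
            throw new InvalidArgumentException('Invalid issuer userinfo endpoint');
        }

        // Any signing or encryption setting on the client means the endpoint
        // is expected to answer with a JWT rather than plain JSON.
        $expectJwt = null !== $clientMetadata->getUserinfoSignedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseEnc();

        $accept = $expectJwt ? 'application/jwt' : 'application/json';

        if ($useBody) {
            // The access token travels as a form parameter in the request body.
            $request = $this->requestFactory->createRequest('POST', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('content-type', 'application/x-www-form-urlencoded');
            $request->getBody()->write(http_build_query(['access_token' => $accessToken]));
        } else {
            // The access token travels in the Authorization header; the scheme
            // defaults to Bearer when the token set does not name a token type.
            $request = $this->requestFactory->createRequest('GET', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('authorization', ($tokenSet->getTokenType() ?: 'Bearer') . ' ' . $accessToken);
        }

        // A client-specific HTTP client takes precedence over the service default.
        $httpClient = $client->getHttpClient() ?? $this->client;

        try {
            $response = $httpClient->sendRequest($request);
        } catch (ClientExceptionInterface $e) {
            throw new RuntimeException('Unable to get userinfo', 0, $e);
        }

        if (200 !== $response->getStatusCode()) {
            throw OAuth2Exception::fromResponse($response);
        }

        if ($expectJwt) {
            // Validation of the JWT is delegated to the verifier built for this
            // client; what it checks is not visible from this method.
            /** @var TokenSetClaimsType $payload */
            $payload = $this->userInfoVerifierBuilder->build($client)
                ->verify((string) $response->getBody());
        } else {
            try {
                /** @var mixed $payload */
                $payload = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
            } catch (JsonException $e) {
                throw new RuntimeException('Unable to parse userinfo claims', 0, $e);
            }

            // Valid JSON is not necessarily a claims object: `null`, a string or
            // a number decode without error. Reject them here instead of letting
            // them surface later as a TypeError on return.
            if (! is_array($payload)) {
                throw new RuntimeException('Unable to parse userinfo claims');
            }
        }

        $idToken = $tokenSet->getIdToken();

        if (null === $idToken) {
            // No ID token, so there is no expected subject to compare against.
            return $payload;
        }

        // check expected sub
        $expectedSub = $tokenSet->claims()['sub'] ?? null;

        if (null === $expectedSub) {
            throw new RuntimeException('Unable to get sub claim from id_token');
        }

        // Strict comparison: a missing `sub` in the response never matches.
        // Note that the exception message carries both subject identifiers.
        if ($expectedSub !== ($payload['sub'] ?? null)) {
            throw new RuntimeException(
                sprintf('Userinfo sub mismatch, expected %s, got: %s', $expectedSub, $payload['sub'] ?? '')
            );
        }

        return $payload;
    }
}__halt_compiler();----SIGNATURE:----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----ATTACHMENT:----Nzc1OTMyMjEyNjc2ODM4NCAyMTk4ODA4MzgwNTgzMjk0IDEwMTg1Njg0MDkwMTc0MzU=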