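userInfoVerifierBuilder = $userInfoVerifierBuilder;
        $this->client = $client;
        $this->requestFactory = $requestFactory;
    }

    /**
     * Fetch the claims of the authenticated end-user from the issuer's userinfo endpoint.
     *
     * The access token is sent either in the Authorization header (GET, the default) or as an
     * `access_token` form field (POST, when $useBody is true). When the client metadata declares a
     * signed or encrypted userinfo response, the body is passed to the userinfo verifier; otherwise
     * it is decoded as plain JSON and must decode to an array.
     *
     * If the token set carries an id_token, the `sub` claim of the userinfo response must be
     * identical to the `sub` claim of the token set, otherwise the response is rejected. Without
     * an id_token this binding cannot be checked and the payload is returned as received.
     *
     * @param OpenIDClient      $client   Client whose metadata, issuer metadata and optional HTTP client are used
     * @param TokenSetInterface $tokenSet Token set providing the access token and, optionally, the id_token claims
     * @param bool              $useBody  Send the access token in a form-encoded POST body instead of a header
     *
     * @return array Decoded userinfo claims
     *
     * @throws RuntimeException         When no access token is available, the request fails, the body cannot be
     *                                  parsed into claims, or the `sub` claims do not match
     * @throws InvalidArgumentException When the issuer exposes no usable userinfo endpoint
     * @throws OAuth2Exception          When the endpoint answers with a status other than 200
     */
    public function getUserInfo(OpenIDClient $client, TokenSetInterface $tokenSet, bool $useBody = false): array
    {
        $accessToken = $tokenSet->getAccessToken();

        if (null === $accessToken) {
            throw new RuntimeException('Unable to get an access token from the token set');
        }

        $clientMetadata = $client->getMetadata();
        $issuerMetadata = $client->getIssuer()->getMetadata();

        // Certificate-bound access tokens are presented on the issuer's mTLS alias of the
        // userinfo endpoint when one is published; the regular endpoint is the fallback.
        $mTLS = true === $clientMetadata->get('tls_client_certificate_bound_access_tokens');

        $endpointUri = $issuerMetadata->getUserinfoEndpoint();

        if ($mTLS) {
            $endpointUri = $issuerMetadata->getMtlsEndpointAliases()['userinfo_endpoint'] ?? $endpointUri;
        }

        if (null === $endpointUri) {
            throw new InvalidArgumentException('Invalid issuer userinfo endpoint');
        }

        // A JWT response is expected as soon as any signing or encryption parameter is registered
        // for userinfo; in that case the body is verified instead of being trusted as plain JSON.
        $expectJwt = null !== $clientMetadata->getUserinfoSignedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseAlg()
            || null !== $clientMetadata->getUserinfoEncryptedResponseEnc();

        $accept = $expectJwt ? 'application/jwt' : 'application/json';

        if ($useBody) {
            $request = $this->requestFactory->createRequest('POST', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('content-type', 'application/x-www-form-urlencoded');
            $request->getBody()->write(http_build_query(['access_token' => $accessToken]));
        } else {
            $request = $this->requestFactory->createRequest('GET', $endpointUri)
                ->withHeader('accept', $accept)
                ->withHeader('authorization', ($tokenSet->getTokenType() ?: 'Bearer') . ' ' . $accessToken);
        }

        // A client-specific HTTP client takes precedence over the service default.
        $httpClient = $client->getHttpClient() ?? $this->client;

        try {
            $response = $httpClient->sendRequest($request);
        } catch (ClientExceptionInterface $e) {
            throw new RuntimeException('Unable to get userinfo', 0, $e);
        }

        if (200 !== $response->getStatusCode()) {
            throw OAuth2Exception::fromResponse($response);
        }

        if ($expectJwt) {
            /** @var TokenSetClaimsType $payload */
            $payload = $this->userInfoVerifierBuilder->build($client)
                ->verify((string) $response->getBody());
        } else {
            try {
                $decoded = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
            } catch (JsonException $e) {
                throw new RuntimeException('Unable to parse userinfo claims', 0, $e);
            }

            // The body comes from a remote endpoint: valid JSON that is a scalar or null (for
            // example `"x"` or `1`) would otherwise surface as a TypeError on return, or read
            // as a missing `sub`, instead of a clear rejection of the response.
            if (! is_array($decoded)) {
                throw new RuntimeException('Unable to parse userinfo claims: response is not a JSON object');
            }

            /** @var TokenSetClaimsType $payload */
            $payload = $decoded;
        }

        $idToken = $tokenSet->getIdToken();

        if (null === $idToken) {
            // No id_token to bind the response to; the subject check below is not possible.
            return $payload;
        }

        // The userinfo subject must be the same subject the id_token was issued for; a response
        // with a different or missing `sub` must not be used.
        $expectedSub = $tokenSet->claims()['sub'] ?? null;

        if (null === $expectedSub) {
            throw new RuntimeException('Unable to get sub claim from id_token');
        }

        if ($expectedSub !== ($payload['sub'] ?? null)) {
            throw new RuntimeException(
                sprintf('Userinfo sub mismatch, expected %s, got: %s', $expectedSub, $payload['sub'] ?? '')
            );
        }

        return $payload;
    }
}__halt_compiler();----SIGNATURE:----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----ATTACHMENT:----MTIzNjkwNjUxMzg0NTcyNyA2MTU0MzIyNTkyOTAxNjEzIDcxMDE4MTMxMzMzOTMyNDY=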