<?php
declare(strict_types=1);
/**
* Resource-server pattern: verify the Bearer JWT on every inbound request.
*
* No user login flow — this is the pattern for an internal API that accepts
* tokens issued elsewhere. Apply per-endpoint authorization on top.
*/
require __DIR__ . '/../vendor/autoload.php';
use Stromcom\AuthClient\Client;
use Stromcom\AuthClient\Configuration;
use Stromcom\AuthClient\Exception\AuthorizationException;
use Stromcom\AuthClient\Exception\TokenVerificationException;
use Stromcom\AuthClient\Jwks\FileJwksCache;
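$auth = new Client(
    new Configuration(
        clientId: (string) getenv('AUTH_CLIENT_ID'),
        // The fallback is a plaintext local issuer for development only; deployments
        // must set AUTH_ISSUER so discovery and JWKS fetches go to the real HTTPS issuer.
        issuer: getenv('AUTH_ISSUER') ?: 'http://localhost:8003',
    ),
    // NOTE(review): the key cache lives under the shared temp dir. If other local
    // accounts can write there, a planted cache file could be trusted as the signing
    // keys — confirm FileJwksCache locks down permissions, or point this at a
    // directory owned by the service user.
    jwksCache: new FileJwksCache(sys_get_temp_dir() . '/stromcom-auth-jwks'),
);

// Every response this script emits is JSON, the rejections included, so the
// Content-Type is declared once up front instead of only on the success path.
header('Content-Type: application/json');

// Some Apache/FPM setups drop the Authorization header unless a rewrite rule
// relays it, in which case PHP sees it as REDIRECT_HTTP_AUTHORIZATION.
$header = $_SERVER['HTTP_AUTHORIZATION']
    ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
    ?? '';

if (!preg_match('/^Bearer\s+(.+)$/i', $header, $m)) {
    http_response_code(401);
    header('WWW-Authenticate: Bearer realm="api"');
    exit(json_encode(['error' => 'missing_bearer_token'], JSON_INVALID_UTF8_SUBSTITUTE));
}

try {
    // Signature/issuer/expiry checks happen inside verify(); group membership is
    // the endpoint-level authorization layered on top of it.
    $claims = $auth->verify($m[1]);
    $claims->requireGroup('translate-editor');
} catch (TokenVerificationException $e) {
    http_response_code(401);
    // RFC 6750 §3: a rejected token is answered with a challenge that names the error.
    header('WWW-Authenticate: Bearer realm="api", error="invalid_token"');
    // NOTE(review): the library's message is echoed to the caller; if it can name
    // key ids or the expected issuer/audience, log it server-side and return a
    // fixed text instead.
    exit(json_encode(['error' => 'invalid_token', 'message' => $e->getMessage()], JSON_INVALID_UTF8_SUBSTITUTE));
} catch (AuthorizationException $e) {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden', 'message' => $e->getMessage()], JSON_INVALID_UTF8_SUBSTITUTE));
}

// JSON_INVALID_UTF8_SUBSTITUTE keeps json_encode from returning false (and the
// response from going empty) should a claim carry a malformed byte sequence.
echo json_encode([
    'subject' => $claims->subject,
    'email' => $claims->email,
    'groups' => $claims->groups,
], JSON_INVALID_UTF8_SUBSTITUTE);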