diff --git a/composer.json b/composer.json index d996711f..2ce853e6 100644 --- a/composer.json +++ b/composer.json @@ -17,11 +17,13 @@ "require": { "php": "^7.2|^8.0", "ext-json": "*", + "firebase/php-jwt": "^6.4", "guzzlehttp/guzzle": "^6.0|^7.0", "illuminate/contracts": "^6.0|^7.0|^8.0|^9.0|^10.0|^11.0", "illuminate/http": "^6.0|^7.0|^8.0|^9.0|^10.0|^11.0", "illuminate/support": "^6.0|^7.0|^8.0|^9.0|^10.0|^11.0", - "league/oauth1-client": "^1.10.1" + "league/oauth1-client": "^1.10.1", + "phpseclib/phpseclib": "^3.0" }, "require-dev": { "mockery/mockery": "^1.0", diff --git a/src/Two/FacebookProvider.php b/src/Two/FacebookProvider.php index 866f2120..50d4d194 100644 --- a/src/Two/FacebookProvider.php +++ b/src/Two/FacebookProvider.php @@ -2,8 +2,13 @@ namespace Laravel\Socialite\Two; +use Exception; +use Firebase\JWT\JWT; +use Firebase\JWT\Key; use GuzzleHttp\RequestOptions; use Illuminate\Support\Arr; +use phpseclib3\Crypt\RSA; +use phpseclib3\Math\BigInteger; class FacebookProvider extends AbstractProvider implements ProviderInterface { @@ -93,6 +98,64 @@ protected function getUserByToken($token) { $this->lastToken = $token; + return $this->getUserByOIDCToken($token) ?? + $this->getUserFromAccessToken($token); + } + + /** + * Get user based on the OIDC token. + * + * @param string $token + * @return array + */ + protected function getUserByOIDCToken($token) + { + $kid = json_decode(base64_decode(explode('.', $token)[0]), true)['kid'] ?? null; + + if ($kid === null) { + return null; + } + + $data = (array) JWT::decode($token, $this->getPublicKeyOfOIDCToken($kid)); + + throw_if($data['aud'] !== $this->clientId, new Exception('Token has incorrect audience.')); + throw_if($data['iss'] !== 'https://www.facebook.com', new Exception('Token has incorrect issuer.')); + + $data['id'] = $data['sub']; + $data['first_name'] = $data['given_name']; + $data['last_name'] = $data['family_name']; + + return $data; + } + + /** + * Get the public key to verify the signature of OIDC token. + * + * @param string $id + * @return \Firebase\JWT\Key + */ + protected function getPublicKeyOfOIDCToken(string $kid) + { + $response = $this->getHttpClient()->get('https://limited.facebook.com/.well-known/oauth/openid/jwks/'); + + $key = Arr::first(json_decode($response->getBody()->getContents(), true)['keys'], function ($key) use ($kid) { + return $key['kid'] === $kid; + }); + + $key['n'] = new BigInteger(JWT::urlsafeB64Decode($key['n']), 256); + $key['e'] = new BigInteger(JWT::urlsafeB64Decode($key['e']), 256); + + return new Key((string) RSA::load($key), 'RS256'); + } + + /** + * Get user based on the access token. + * + * @param string $token + * @return array + */ + protected function getUserFromAccessToken($token) + { $params = [ 'access_token' => $token, 'fields' => implode(',', $this->fields), @@ -117,15 +180,19 @@ protected function getUserByToken($token) */ protected function mapUserToObject(array $user) { - $avatarUrl = $this->graphUrl.'/'.$this->version.'/'.$user['id'].'/picture'; + if (! isset($user['sub'])) { + $avatarUrl = $this->graphUrl.'/'.$this->version.'/'.$user['id'].'/picture'; + + $avatarOriginalUrl = $avatarUrl.'?width=1920'; + } return (new User)->setRaw($user)->map([ 'id' => $user['id'], 'nickname' => null, 'name' => $user['name'] ?? null, 'email' => $user['email'] ?? null, - 'avatar' => $avatarUrl.'?type=normal', - 'avatar_original' => $avatarUrl.'?width=1920', + 'avatar' => $avatarUrl ?? $user['picture'] ?? null, + 'avatar_original' => $avatarOriginalUrl ?? $user['picture'] ?? null, 'profileUrl' => $user['link'] ?? null, ]); }