OpenID Access token validation in PHP

Question

Im trying to make a SSO validation on thinktecture OpenId connect in PHP I have written a client and get an access token. BUT i cannot find out how to validate it.

The documentation says: 3.2.2.9. Access Token Validation

To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following:

1. Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA [JWA] for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.

2. Take the left-most half of the hash and base64url encode it.

3. The value of at_hash in the ID Token MUST match the value produced in the previous step.

I have no idea how to make step 1. I got the ALg as RS256 and i have the at_hash from the Id token, i just cant find an exampel in PHP on how to do the validation.

Answer 1

Here is an example in PHP to calculate the at_hash value that should be easy to adapt to your environment:

public function setAccessTokenHash($accessTokenString)
    {
        // bit : 256/384/512 
        if(isset($this->_header['alg']) && $this->_header['alg'] != 'none'){
            $bit = substr($this->_header['alg'], 2, 3);
        }else{
            // TODO: Error case. throw exception???
            $bit = '256';
        }
        $len = ((int)$bit)/16;
        $this->_payload['at_hash'] = Akita_OpenIDConnect_Util_Base64::urlEncode(substr(hash('sha'.$bit, $accessTokenString, true), 0, $len));
    }