
Wrapper around Google Access Tokens which provides convenience functions.

  • experimental
Cloneable, Instantiable
Constants
public Google\Auth\AccessToken::FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs'
public Google\Auth\AccessToken::IAP_CERT_URL = 'https://www.gstatic.com/iap/verify/public_key-jwk'
public Google\Auth\AccessToken::IAP_ISSUER = 'https://cloud.google.com/iap'
public Google\Auth\AccessToken::OAUTH2_ISSUER = 'accounts.google.com'
public Google\Auth\AccessToken::OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com'
public Google\Auth\AccessToken::OAUTH2_REVOKE_URI = 'https://oauth2.googleapis.com/revoke'
Methods
public __construct(?callable $httpHandler = NULL, ?Psr\Cache\CacheItemPoolInterface $cache = NULL)
 
  • param callable|null $httpHandler [optional] An HTTP Handler to deliver PSR-7 requests.
  • param \CacheItemPoolInterface|null $cache [optional] A PSR-6 compatible cache implementation.
public revoke( $token, array $options = [])
 

Revoke an OAuth2 access token or refresh token. This method will revoke the current access token, if a token isn't provided.

  • param string|mixed[] $token The token (access token or a refresh token) that should be revoked.
  • param mixed[] $options [optional] Configuration options.
  • return bool Returns True if the revocation was successful, otherwise False.
public verify( $token, array $options = [])
 

Verifies an id token and returns the authenticated apiLoginTicket.

Throws an exception if the id token is not valid. The audience parameter can be used to control which id tokens are accepted. By default, the id token must have been issued to this OAuth2 client.

  • param string $token The JSON Web Token to be verified.
  • param mixed[] $options [optional] Configuration options:
      • string $audience The intended recipient of the token.
      • string $issuer The intended issuer of the token.
      • string $cacheKey The cache key of the cached certs. Defaults to the sha1 of $certsLocation if provided, otherwise is set to "federated_signon_certs_v3".
      • string $certsLocation The location (remote or local) from which to retrieve certificates, if not cached. This value should only be provided in limited circumstances in which you are sure of the behavior.
      • bool $throwException Whether the function should throw an exception if the verification fails. This is useful for determining the reason verification failed.
  • return mixed[]|false the token payload, if successful, or false if not.
  • throws \InvalidArgumentException If certs could not be retrieved from a local file.
  • throws \InvalidArgumentException If received certs are in an invalid format.
  • throws \InvalidArgumentException If the cert alg is not supported.
  • throws \RuntimeException If certs could not be retrieved from a remote location.
  • throws \UnexpectedValueException If the token issuer does not match.
  • throws \UnexpectedValueException If the token audience does not match.
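An added usage example, not part of the library's own documentation: verifying an Identity-Aware Proxy JWT with the class constants listed above, passing `audience` and `issuer` explicitly because the private verifiers on this page describe both comparisons as applied "if set". The header name `x-goog-iap-jwt-assertion`, the audience placeholder and the function name `verifyIapJwt` are assumptions of this example.

```php
<?php
// Added example; not code from the google/auth project.
require __DIR__ . '/vendor/autoload.php';

use Google\Auth\AccessToken;

/**
 * Verify the signed JWT that Identity-Aware Proxy attaches to a request.
 * verifyIapJwt() is a hypothetical helper name used only in this example.
 *
 * @param string $jwt              Raw JWT taken from the request header.
 * @param string $expectedAudience Audience string of the protected backend.
 * @return array|null Token claims on success, null on any failure.
 */
function verifyIapJwt(string $jwt, string $expectedAudience): ?array
{
    // Fail closed: an empty audience would leave the "aud" claim unchecked.
    if ($jwt === '' || $expectedAudience === '') {
        return null;
    }

    $verifier = new AccessToken();
    try {
        $payload = $verifier->verify($jwt, [
            'certsLocation'  => AccessToken::IAP_CERT_URL,
            'issuer'         => AccessToken::IAP_ISSUER,
            'audience'       => $expectedAudience,
            // Surface the reason (bad signature, wrong aud/iss, cert fetch).
            'throwException' => true,
        ]);
    } catch (\Throwable $e) {
        // Log the class and message only; never log the token itself.
        error_log('IAP JWT rejected: ' . get_class($e) . ': ' . $e->getMessage());
        return null;
    }

    // verify() is documented to return false on failure; accept only arrays.
    return is_array($payload) ? $payload : null;
}

// Placeholder audience: substitute the value configured for your backend.
const EXPECTED_AUDIENCE = '/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID';

$claims = verifyIapJwt($_SERVER['HTTP_X_GOOG_IAP_JWT_ASSERTION'] ?? '', EXPECTED_AUDIENCE);
if ($claims === null) {
    http_response_code(401);
    exit('Unauthorized');
}
```

Passing a PSR-6 cache to the constructor avoids refetching the key set on every request.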
Methods
protected callJwtStatic( $method, array $args = [])
 

Provide a hook to mock calls to the JWT static methods.

  • param string $method
  • param mixed[] $args
  • return mixed
protected callSimpleJwtDecode(array $args = [])
 

Provide a hook to mock calls to the JWT static methods.

  • param mixed[] $args
  • return mixed
Properties
private $cache = NULL
 
  • var \CacheItemPoolInterface
private $httpHandler = NULL
 
  • var callable
Methods
private checkAndInitializePhpsec()
 
  • return void
private checkSimpleJwt()
 
  • return void
private determineAlg(array $certs)
 

Identifies the expected algorithm to verify by looking at the "alg" key of the provided certs.

private getCacheKeyFromCertLocation( $certsLocation)
 

Generate a cache key based on the cert location using sha1 with the exception of using "federated_signon_certs_v3" to preserve BC.

  • param string $certsLocation
  • return string
private getCerts( $location, $cacheKey, array $options = [])
 

Gets federated sign-on certificates to use for verifying identity tokens.

Returns certs as array structure, where keys are key ids, and values are PEM encoded certificates.

  • param string $location The location from which to retrieve certs.
  • param string $cacheKey The key under which to cache the retrieved certs.
  • param mixed[] $options [optional] Configuration options.
  • return mixed[]
  • throws \InvalidArgumentException If received certs are in an invalid format.
private loadPhpsecPublicKey(string $modulus, string $exponent) : string
 
  • return string
  • throws \TypeError If the key cannot be initialized to a string.
private retrieveCertsFromLocation( $url, array $options = [])
 

Retrieve and cache a certificates file.

  • param string $url location
  • param mixed[] $options [optional] Configuration options.
  • return array{mixed[], string}
  • throws \InvalidArgumentException If certs could not be retrieved from a local file.
  • throws \RuntimeException If certs could not be retrieved from a remote location.
private verifyEs256( $token, array $certs, $audience = NULL, $issuer = NULL)
 

Verifies an ES256-signed JWT.

  • param string $token The JSON Web Token to be verified.
  • param mixed[] $certs Certificate array according to the JWK spec (see https://tools.ietf.org/html/rfc7517).
  • param string|null $audience If set, returns false if the provided audience does not match the "aud" claim on the JWT.
  • param string|null $issuer If set, returns false if the provided issuer does not match the "iss" claim on the JWT.
  • return mixed[] the token payload, if successful, or false if not.
private verifyRs256( $token, array $certs, $audience = NULL, $issuer = NULL)
 

Verifies an RS256-signed JWT.

  • param string $token The JSON Web Token to be verified.
  • param mixed[] $certs Certificate array according to the JWK spec (see https://tools.ietf.org/html/rfc7517).
  • param string|null $audience If set, returns false if the provided audience does not match the "aud" claim on the JWT.
  • param string|null $issuer If set, returns false if the provided issuer does not match the "iss" claim on the JWT.
  • return mixed[] the token payload, if successful, or false if not.
© 2026 Bruce Wells