Class yii\authclient\OpenIdConnect

Inheritance: yii\authclient\OpenIdConnect » yii\authclient\OAuth2 » yii\authclient\BaseOAuth » yii\authclient\BaseClient » yii\base\Component
Implements: yii\authclient\ClientInterface
Available since extension's version: 2.1.3
Source Code: https://github.com/yiisoft/yii2-authclient/blob/master/src/OpenIdConnect.php

OpenIdConnect serves as a client for the OpenIdConnect flow.

Application configuration example:

'components' => [
    'authClientCollection' => [
        'class' => 'yii\authclient\Collection',
        'clients' => [
            'google' => [
                'class' => 'yii\authclient\OpenIdConnect',
                'issuerUrl' => 'https://accounts.google.com',
                'clientId' => 'google_client_id',
                'clientSecret' => 'google_client_secret',
                'name' => 'google',
                'title' => 'Google OpenID Connect',
            ],
        ],
    ]
    // ...
]

This class requires the web-token/jwt-checker, web-token/jwt-key-mgmt, web-token/jwt-signature, web-token/jwt-signature-algorithm-hmac, web-token/jwt-signature-algorithm-ecdsa and web-token/jwt-signature-algorithm-rsa libraries to be installed for JWS verification. This can be done via composer:

composer require --prefer-dist "web-token/jwt-checker:>=1.0 <3.0" "web-token/jwt-key-mgmt:>=1.0 <3.0" \
    "web-token/jwt-signature:>=1.0 <3.0" "web-token/jwt-signature-algorithm-hmac:>=1.0 <3.0" \
    "web-token/jwt-signature-algorithm-ecdsa:>=1.0 <3.0" "web-token/jwt-signature-algorithm-rsa:>=1.0 <3.0"

Note: if you are using a well-trusted OpenIdConnect provider, you may disable $validateJws, which makes installing the web-token libraries unnecessary. This is not recommended, however, because it violates the protocol specification.

Public Properties

| Property | Type | Description | Defined By |
|---|---|---|---|
| $accessToken | yii\authclient\OAuthToken | Auth token instance. | yii\authclient\BaseOAuth |
| $allowedJwsAlgorithms | array | JWS algorithms, which are allowed to be used. | yii\authclient\OpenIdConnect |
| $apiBaseUrl | string | API base URL. | yii\authclient\BaseOAuth |
| $authUrl | string | Authorize URL. | yii\authclient\BaseOAuth |
| $autoRefreshAccessToken | boolean | Whether to automatically perform 'refresh access token' request on expired access token. | yii\authclient\BaseOAuth |
| $cache | \yii\caching\Cache\|null | The cache object, null - if not enabled. | yii\authclient\OpenIdConnect |
| $clientId | string | OAuth client ID. | yii\authclient\OAuth2 |
| $clientSecret | string | OAuth client secret. | yii\authclient\OAuth2 |
| $configParams | array | OpenID provider configuration parameters. | yii\authclient\OpenIdConnect |
| $configParamsCacheKeyPrefix | string | The prefix for the key used to store $configParams data in cache. | yii\authclient\OpenIdConnect |
| $defaultIdTokenClaims | array | Predefined OpenID Connect Claims | yii\authclient\OpenIdConnect |
| $enablePkce | boolean | Whether to enable proof key for code exchange (PKCE) support and add a code_challenge and code_verifier to the auth request. | yii\authclient\OAuth2 |
| $httpClient | \yii\httpclient\Client | Internal HTTP client. | yii\authclient\BaseClient |
| $id | string | Service id. | yii\authclient\BaseClient |
| $issuerUrl | string | OpenID Issuer (provider) base URL, e.g. https://example.com. | yii\authclient\OpenIdConnect |
| $name | string | Service name. | yii\authclient\BaseClient |
| $normalizeUserAttributeMap | array | Normalize user attribute map. | yii\authclient\BaseClient |
| $parametersToKeepInReturnUrl | array | List of the parameters to keep in default return url. | yii\authclient\BaseOAuth |
| $requestOptions | array | HTTP request options. | yii\authclient\BaseClient |
| $returnUrl | string | Return URL. | yii\authclient\BaseOAuth |
| $scope | string | Auth request scope. | yii\authclient\OpenIdConnect |
| $signatureMethod | yii\authclient\signature\BaseMethod | Signature method instance. | yii\authclient\BaseOAuth |
| $stateStorage | yii\authclient\StateStorageInterface | State storage. | yii\authclient\BaseClient |
| $title | string | Service title. | yii\authclient\BaseClient |
| $tokenUrl | string | Token request URL endpoint. | yii\authclient\OAuth2 |
| $userAttributes | array | List of user attributes. | yii\authclient\BaseClient |
| $validateAuthNonce | boolean | Whether to use and validate auth 'nonce' parameter in authentication flow. | yii\authclient\OpenIdConnect |
| $validateAuthState | boolean | Whether to use and validate auth 'state' parameter in authentication flow. | yii\authclient\OAuth2 |
| $validateJws | boolean | Whether to validate/decrypt JWS received with Auth token. | yii\authclient\OpenIdConnect |
| $version | string | Protocol version. | yii\authclient\OAuth2 |
| $viewOptions | array | View options in format: optionName => optionValue. | yii\authclient\BaseClient |

Public Methods

| Method | Description | Defined By |
|---|---|---|
| api() | Performs request to the OAuth API returning response data. | yii\authclient\BaseOAuth |
| applyAccessTokenToRequest() | Applies access token to the HTTP request instance. | yii\authclient\OpenIdConnect |
| authenticateClient() | Authenticates the OAuth client directly at the provider without a third party (user) involved, using the 'client_credentials' grant type. | yii\authclient\OAuth2 |
| authenticateUser() | Authenticates user directly by 'username/password' pair, using 'password' grant type. | yii\authclient\OAuth2 |
| authenticateUserJwt() | Authenticates user directly using JSON Web Token (JWT). | yii\authclient\OAuth2 |
| beforeApiRequestSend() | Handles Request::EVENT_BEFORE_SEND event. | yii\authclient\BaseOAuth |
| buildAuthUrl() | Composes user authorization URL. | yii\authclient\OpenIdConnect |
| createApiRequest() | Creates an HTTP request for the API call. | yii\authclient\BaseOAuth |
| createRequest() | Creates HTTP request instance. | yii\authclient\BaseClient |
| fetchAccessToken() | Fetches access token from authorization code. | yii\authclient\OpenIdConnect |
| getAccessToken() | | yii\authclient\BaseOAuth |
| getCache() | | yii\authclient\OpenIdConnect |
| getConfigParam() | Returns particular configuration parameter value. | yii\authclient\OpenIdConnect |
| getConfigParams() | | yii\authclient\OpenIdConnect |
| getHttpClient() | Returns HTTP client. | yii\authclient\BaseClient |
| getId() | | yii\authclient\BaseClient |
| getName() | | yii\authclient\BaseClient |
| getNormalizeUserAttributeMap() | | yii\authclient\BaseClient |
| getRequestOptions() | | yii\authclient\BaseClient |
| getReturnUrl() | | yii\authclient\BaseOAuth |
| getSignatureMethod() | | yii\authclient\BaseOAuth |
| getStateStorage() | | yii\authclient\BaseClient |
| getTitle() | | yii\authclient\BaseClient |
| getUserAttributes() | | yii\authclient\BaseClient |
| getValidateAuthNonce() | | yii\authclient\OpenIdConnect |
| getViewOptions() | | yii\authclient\BaseClient |
| refreshAccessToken() | Gets new auth token to replace expired one. | yii\authclient\OpenIdConnect |
| setAccessToken() | Sets access token to be used. | yii\authclient\BaseOAuth |
| setCache() | Sets up a component to be used for caching. | yii\authclient\OpenIdConnect |
| setConfigParams() | Sets the OpenID provider configuration manually, bypassing the automatic discovery via the /.well-known/openid-configuration endpoint. | yii\authclient\OpenIdConnect |
| setHttpClient() | Sets HTTP client to be used. | yii\authclient\BaseOAuth |
| setId() | | yii\authclient\BaseClient |
| setName() | | yii\authclient\BaseClient |
| setNormalizeUserAttributeMap() | | yii\authclient\BaseClient |
| setRequestOptions() | | yii\authclient\BaseClient |
| setReturnUrl() | | yii\authclient\BaseOAuth |
| setSignatureMethod() | Set signature method to be used. | yii\authclient\BaseOAuth |
| setStateStorage() | | yii\authclient\BaseClient |
| setTitle() | | yii\authclient\BaseClient |
| setUserAttributes() | | yii\authclient\BaseClient |
| setValidateAuthNonce() | | yii\authclient\OpenIdConnect |
| setViewOptions() | | yii\authclient\BaseClient |

Protected Methods

| Method | Description | Defined By |
|---|---|---|
| applyClientCredentialsToRequest() | Applies client credentials (e.g. $clientId and $clientSecret) to the HTTP request instance. | yii\authclient\OpenIdConnect |
| composeUrl() | Composes URL from base URL and GET params. | yii\authclient\BaseOAuth |
| createHttpClient() | Creates HTTP client instance from reference or configuration. | yii\authclient\BaseOAuth |
| createSignatureMethod() | Creates signature method instance from its configuration. | yii\authclient\BaseOAuth |
| createToken() | Creates token from its configuration. | yii\authclient\OpenIdConnect |
| defaultName() | Generates service name. | yii\authclient\BaseClient |
| defaultNormalizeUserAttributeMap() | Returns the default $normalizeUserAttributeMap value. | yii\authclient\BaseClient |
| defaultRequestOptions() | Returns default HTTP request options. | yii\authclient\BaseOAuth |
| defaultReturnUrl() | Composes default $returnUrl value. | yii\authclient\BaseOAuth |
| defaultTitle() | Generates service title. | yii\authclient\BaseClient |
| defaultViewOptions() | Returns the default $viewOptions value. | yii\authclient\BaseClient |
| discoverConfig() | Discovers OpenID Provider configuration parameters. | yii\authclient\OpenIdConnect |
| generateAuthNonce() | Generates the auth nonce value. | yii\authclient\OpenIdConnect |
| generateAuthState() | Generates the auth state value. | yii\authclient\OAuth2 |
| getJwkSet() | Returns the JWKSet used for JWS validation. | yii\authclient\OpenIdConnect |
| getJwsLoader() | Returns the JWSLoader that validates JWS tokens. | yii\authclient\OpenIdConnect |
| getState() | Returns persistent state value. | yii\authclient\BaseClient |
| getStateKeyPrefix() | Returns session key prefix, which is used to store internal states. | yii\authclient\BaseClient |
| initUserAttributes() | Initializes authenticated user attributes. | yii\authclient\OpenIdConnect |
| loadJws() | Decrypts/validates JWS, returning related data. | yii\authclient\OpenIdConnect |
| normalizeUserAttributes() | Normalize given user attributes according to $normalizeUserAttributeMap. | yii\authclient\BaseClient |
| removeState() | Removes persistent state value. | yii\authclient\BaseClient |
| restoreAccessToken() | Restores access token. | yii\authclient\BaseOAuth |
| saveAccessToken() | Saves token as persistent state. | yii\authclient\BaseOAuth |
| sendRequest() | Sends the given HTTP request, returning response data. | yii\authclient\BaseOAuth |
| setState() | Sets persistent state. | yii\authclient\BaseClient |
| validateClaims() | Validates the claims data received from OpenID provider. | yii\authclient\OpenIdConnect |

Property Details

$allowedJwsAlgorithms public property

JWS algorithms, which are allowed to be used. These are used by web-token library for JWS validation/decryption. Make sure to install web-token/jwt-signature-algorithm-hmac, web-token/jwt-signature-algorithm-ecdsa and web-token/jwt-signature-algorithm-rsa packages that support the particular algorithm before adding it here.

public array $allowedJwsAlgorithms = [
    'HS256', 'HS384', 'HS512',
    'ES256', 'ES384', 'ES512',
    'RS256', 'RS384', 'RS512',
    'PS256', 'PS384', 'PS512',
]

$cache public property

The cache object, null - if not enabled. Note that the type of this property differs in getter and setter. See getCache() and setCache() for details.

public \yii\caching\Cache|null $cache = null

$configParams public property

OpenID provider configuration parameters.

public array $configParams = null

$configParamsCacheKeyPrefix public property

The prefix for the key used to store $configParams data in cache. The actual cache key is formed by appending the $id value to this prefix.

See also $cache.

public string $configParamsCacheKeyPrefix = 'config-params-'

$defaultIdTokenClaims public property (available since version 2.2.12)

Predefined OpenID Connect Claims

See also https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.2.

public array $defaultIdTokenClaims = [
    'iss', 'sub', 'aud', 'exp', 'iat',
    'auth_time', 'nonce', 'acr', 'amr', 'azp',
]

$issuerUrl public property

OpenID Issuer (provider) base URL, e.g. https://example.com.

public string $issuerUrl = null

$scope public property

Auth request scope.

public string $scope = 'openid'

$validateAuthNonce public property

Whether to use and validate auth 'nonce' parameter in authentication flow.

$validateJws public property

Whether to validate/decrypt the JWS received with the Auth token. Note: this functionality requires the web-token/jwt-checker, web-token/jwt-key-mgmt and web-token/jwt-signature composer packages to be installed. You can disable this option when using a trusted OpenIDConnect provider; however, this violates the protocol rules, so you do it at your own risk.

public boolean $validateJws = true

Method Details

api() public method

Defined in: yii\authclient\BaseOAuth::api()

Performs request to the OAuth API returning response data.

You may use createApiRequest() method instead, gaining more control over request execution.

See also createApiRequest().

public array api ( $apiSubUrl, $method = 'GET', $data = [], $headers = [] )
$apiSubUrl string|array

API sub URL, which will be appended to $apiBaseUrl, or an absolute API URL.

$method string

Request method.

$data array|string

Request data or content.

$headers array

Additional request headers.

return array

API response data.

public function api($apiSubUrl, $method = 'GET', $data = [], $headers = [])
{
    $request = $this->createApiRequest()
        ->setMethod($method)
        ->setUrl($apiSubUrl)
        ->addHeaders($headers);
    if (!empty($data)) {
        if (is_array($data)) {
            $request->setData($data);
        } else {
            $request->setContent($data);
        }
    }
    return $this->sendRequest($request);
}

applyAccessTokenToRequest() public method (available since version 2.1)

Applies access token to the HTTP request instance.

public void applyAccessTokenToRequest ( $request, $accessToken )
$request \yii\httpclient\Request

HTTP request instance.

$accessToken yii\authclient\OAuthToken

Access token instance.

public function applyAccessTokenToRequest($request, $accessToken)
{
    // OpenID Connect requires bearer token auth for the user info endpoint
    $request->getHeaders()->set('Authorization', 'Bearer ' . $accessToken->getToken());
}

applyClientCredentialsToRequest() protected method (available since version 2.1.3)

Applies client credentials (e.g. $clientId and $clientSecret) to the HTTP request instance.

This method should be invoked before sending any HTTP request, which requires client credentials.

protected void applyClientCredentialsToRequest ( $request )
$request \yii\httpclient\Request

HTTP request instance.

protected function applyClientCredentialsToRequest($request)
{
    // The default must be an array: in_array() below requires an array haystack.
    $supportedAuthMethods = $this->getConfigParam('token_endpoint_auth_methods_supported', ['client_secret_basic']);
    if (in_array('client_secret_basic', $supportedAuthMethods)) {
        // HTTP Basic with client_id:client_secret
        $request->addHeaders([
            'Authorization' => 'Basic ' . base64_encode($this->clientId . ':' . $this->clientSecret)
        ]);
    } elseif (in_array('client_secret_post', $supportedAuthMethods)) {
        // credentials in the POST body
        $request->addData([
            'client_id' => $this->clientId,
            'client_secret' => $this->clientSecret,
        ]);
    } elseif (in_array('client_secret_jwt', $supportedAuthMethods)) {
        // HS256 JWT assertion signed with the client secret
        $header = [
            'typ' => 'JWT',
            'alg' => 'HS256',
        ];
        $payload = [
            'iss' => $this->clientId,
            'sub' => $this->clientId,
            'aud' => $this->tokenUrl,
            'jti' => $this->generateAuthNonce(),
            'iat' => time(),
            'exp' => time() + 3600,
        ];
        $signatureBaseString = base64_encode(Json::encode($header)) . '.' . base64_encode(Json::encode($payload));
        $signatureMethod = new HmacSha(['algorithm' => 'sha256']);
        $signature = $signatureMethod->generateSignature($signatureBaseString, $this->clientSecret);
        $assertion = $signatureBaseString . '.' . $signature;
        $request->addData([
            'assertion' => $assertion,
        ]);
    } else {
        throw new InvalidConfigException('Unable to authenticate request: none of following auth methods is supported: ' . implode(', ', $supportedAuthMethods));
    }
}

authenticateClient() public method (available since version 2.1.0)

Defined in: yii\authclient\OAuth2::authenticateClient()

Authenticates the OAuth client directly at the provider without a third party (user) involved, using the 'client_credentials' grant type.

See also https://tools.ietf.org/html/rfc6749#section-4.4.

public yii\authclient\OAuthToken authenticateClient ( $params = [] )
$params array

Additional request params.

return yii\authclient\OAuthToken

Access token.

public function authenticateClient($params = [])
{
    $defaultParams = [
        'grant_type' => 'client_credentials',
    ];
    if (!empty($this->scope)) {
        $defaultParams['scope'] = $this->scope;
    }
    $request = $this->createRequest()
        ->setMethod('POST')
        ->setUrl($this->tokenUrl)
        ->setData(array_merge($defaultParams, $params));
    $this->applyClientCredentialsToRequest($request);
    $response = $this->sendRequest($request);
    $token = $this->createToken(['params' => $response]);
    $this->setAccessToken($token);
    return $token;
}

authenticateUser() public method (available since version 2.1.0)

Defined in: yii\authclient\OAuth2::authenticateUser()

Authenticates user directly by 'username/password' pair, using 'password' grant type.

See also https://tools.ietf.org/html/rfc6749#section-4.3.

public yii\authclient\OAuthToken authenticateUser ( $username, $password, $params = [] )
$username string

User name.

$password string

User password.

$params array

Additional request params.

return yii\authclient\OAuthToken

Access token.

public function authenticateUser($username, $password, $params = [])
{
    $defaultParams = [
        'grant_type' => 'password',
        'username' => $username,
        'password' => $password,
    ];
    if (!empty($this->scope)) {
        $defaultParams['scope'] = $this->scope;
    }
    $request = $this->createRequest()
        ->setMethod('POST')
        ->setUrl($this->tokenUrl)
        ->setData(array_merge($defaultParams, $params));
    $this->applyClientCredentialsToRequest($request);
    $response = $this->sendRequest($request);
    $token = $this->createToken(['params' => $response]);
    $this->setAccessToken($token);
    return $token;
}

authenticateUserJwt() public method (available since version 2.1.3)

Defined in: yii\authclient\OAuth2::authenticateUserJwt()

Authenticates user directly using JSON Web Token (JWT).

See also https://tools.ietf.org/html/rfc7515.

public yii\authclient\OAuthToken authenticateUserJwt ( $username, $signature = null, $options = [], $params = [] )
$username string
$signature yii\authclient\signature\BaseMethod|array

Signature method or its array configuration. If empty - $signatureMethod will be used.

$options array

Additional options. Valid options are:

  • header: array, additional JWS header parameters.
  • payload: array, additional JWS payload (message or claim-set) parameters.
  • signatureKey: string, signature key to be used, if not set - $clientSecret will be used.
$params array

Additional request params.

return yii\authclient\OAuthToken

Access token.

public function authenticateUserJwt($username, $signature = null, $options = [], $params = [])
{
    if (empty($signature)) {
        $signatureMethod = $this->getSignatureMethod();
    } elseif (is_object($signature)) {
        $signatureMethod = $signature;
    } else {
        $signatureMethod = $this->createSignatureMethod($signature);
    }
    $header = isset($options['header']) ? $options['header'] : [];
    $payload = isset($options['payload']) ? $options['payload'] : [];
    $header = array_merge([
        'typ' => 'JWT'
    ], $header);
    if (!isset($header['alg'])) {
        $signatureName = $signatureMethod->getName();
        if (preg_match('/^([a-z])[a-z]*\-([a-z])[a-z]*([0-9]+)$/is', $signatureName, $matches)) {
            // convert 'RSA-SHA256' to 'RS256' :
            $signatureName = $matches[1] . $matches[2] . $matches[3];
        }
        $header['alg'] = $signatureName;
    }
    $payload = array_merge([
        'iss' => $username,
        'scope' => $this->scope,
        'aud' => $this->tokenUrl,
        'iat' => time(),
    ], $payload);
    if (!isset($payload['exp'])) {
        $payload['exp'] = $payload['iat'] + 3600;
    }
    $signatureBaseString = base64_encode(Json::encode($header)) . '.' . base64_encode(Json::encode($payload));
    $signatureKey = isset($options['signatureKey']) ? $options['signatureKey'] : $this->clientSecret;
    $signature = $signatureMethod->generateSignature($signatureBaseString, $signatureKey);
    $assertion = $signatureBaseString . '.' . $signature;
    $request = $this->createRequest()
        ->setMethod('POST')
        ->setUrl($this->tokenUrl)
        ->setData(array_merge([
            'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
            'assertion' => $assertion,
        ], $params));
    $response = $this->sendRequest($request);
    $token = $this->createToken(['params' => $response]);
    $this->setAccessToken($token);
    return $token;
}

beforeApiRequestSend() public method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::beforeApiRequestSend()

Handles Request::EVENT_BEFORE_SEND event.

Applies $accessToken to the request.

public void beforeApiRequestSend ( $event )
$event \yii\httpclient\RequestEvent

Event instance.

throws \yii\base\Exception

on invalid access token.

public function beforeApiRequestSend($event)
{
    $accessToken = $this->getAccessToken();
    if (!is_object($accessToken) || (!$accessToken->getIsValid() && !$this->autoRefreshAccessToken)) {
        throw new Exception('Invalid access token.');
    } elseif ($accessToken->getIsExpired() && $this->autoRefreshAccessToken) {
        $accessToken = $this->refreshAccessToken($accessToken);
    }
    $this->applyAccessTokenToRequest($event->request, $accessToken);
}

buildAuthUrl() public method

Composes user authorization URL.

public string buildAuthUrl ( array $params = [] )
$params array

Additional auth GET params.

return string

Authorization URL.

public function buildAuthUrl(array $params = [])
{
    if ($this->authUrl === null) {
        $this->authUrl = $this->getConfigParam('authorization_endpoint');
    }
    if (!isset($params['nonce']) && $this->getValidateAuthNonce()) {
        $nonce = $this->generateAuthNonce();
        $this->setState('authNonce', $nonce);
        $params['nonce'] = $nonce;
    }
    return parent::buildAuthUrl($params);
}

composeUrl() protected method

Defined in: yii\authclient\BaseOAuth::composeUrl()

Composes URL from base URL and GET params.

protected string composeUrl ( $url, array $params = [] )
$url string

Base URL.

$params array

GET params.

return string

Composed URL.

protected function composeUrl($url, array $params = [])
{
    if (!empty($params)) {
        if (strpos($url, '?') === false) {
            $url .= '?';
        } else {
            $url .= '&';
        }
        $url .= http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return $url;
}

createApiRequest() public method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::createApiRequest()

Creates an HTTP request for the API call.

The created request will be automatically processed adding access token parameters and signature before sending. You may use createRequest() to gain full control over request composition and execution.

See also createRequest().

public \yii\httpclient\Request createApiRequest ( )
return \yii\httpclient\Request

HTTP request instance.

public function createApiRequest()
{
    $request = $this->createRequest();
    $request->on(Request::EVENT_BEFORE_SEND, [$this, 'beforeApiRequestSend']);
    return $request;
}

createHttpClient() protected method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::createHttpClient()

Creates HTTP client instance from reference or configuration.

protected \yii\httpclient\Client createHttpClient ( $reference )
$reference string|array

Component name or array configuration.

return \yii\httpclient\Client

HTTP client instance.

protected function createHttpClient($reference)
{
    $httpClient = parent::createHttpClient($reference);
    $httpClient->baseUrl = $this->apiBaseUrl;
    return $httpClient;
}

createRequest() public method (available since version 2.1)

Defined in: yii\authclient\BaseClient::createRequest()

Creates HTTP request instance.

public \yii\httpclient\Request createRequest ( )
return \yii\httpclient\Request

HTTP request instance.

public function createRequest()
{
    return $this->getHttpClient()
        ->createRequest()
        ->addOptions($this->defaultRequestOptions())
        ->addOptions($this->getRequestOptions());
}

createSignatureMethod() protected method

Defined in: yii\authclient\BaseOAuth::createSignatureMethod()

Creates signature method instance from its configuration.

protected yii\authclient\signature\BaseMethod createSignatureMethod ( array $signatureMethodConfig )
$signatureMethodConfig array

Signature method configuration.

return yii\authclient\signature\BaseMethod

Signature method instance.

protected function createSignatureMethod(array $signatureMethodConfig)
{
    if (!array_key_exists('class', $signatureMethodConfig)) {
        $signatureMethodConfig['class'] = signature\HmacSha1::className();
    }
    return Yii::createObject($signatureMethodConfig);
}

createToken() protected method

Creates token from its configuration.

protected yii\authclient\OAuthToken createToken ( array $tokenConfig = [] )
$tokenConfig array

Token configuration.

return yii\authclient\OAuthToken

Token instance.

protected function createToken(array $tokenConfig = [])
{
    if ($this->validateJws) {
        $jwsData = $this->loadJws($tokenConfig['params']['id_token']);
        $this->validateClaims($jwsData);
        $tokenConfig['params'] = array_merge($tokenConfig['params'], $jwsData);
        if ($this->getValidateAuthNonce()) {
            $authNonce = $this->getState('authNonce');
            if (
                !isset($jwsData['nonce'])
                || empty($authNonce)
                || !Yii::$app->getSecurity()->compareString($jwsData['nonce'], $authNonce)
            ) {
                throw new HttpException(400, 'Invalid auth nonce');
            } else {
                $this->removeState('authNonce');
            }
        }
    }
    return parent::createToken($tokenConfig);
}

defaultName() protected method

Defined in: yii\authclient\BaseClient::defaultName()

Generates service name.

protected string defaultName ( )
return string

Service name.

protected function defaultName()
{
    return Inflector::camel2id(StringHelper::basename(get_class($this)));
}

defaultNormalizeUserAttributeMap() protected method

Defined in: yii\authclient\BaseClient::defaultNormalizeUserAttributeMap()

Returns the default $normalizeUserAttributeMap value.

Particular client may override this method in order to provide specific default map.

protected array defaultNormalizeUserAttributeMap ( )
return array

Normalize attribute map.

protected function defaultNormalizeUserAttributeMap()
{
    return [];
}

defaultRequestOptions() protected method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::defaultRequestOptions()

Returns default HTTP request options.

protected array defaultRequestOptions ( )
return array

HTTP request options.

protected function defaultRequestOptions()
{
    return [
        'userAgent' => Inflector::slug(Yii::$app->name) . ' OAuth ' . $this->version . ' Client',
        'timeout' => 30,
    ];
}

defaultReturnUrl() protected method

Defined in: yii\authclient\BaseOAuth::defaultReturnUrl()

Composes default $returnUrl value.

protected string defaultReturnUrl ( )
return string

Return URL.

protected function defaultReturnUrl()
{
    $params = Yii::$app->getRequest()->getQueryParams();
    $params = array_intersect_key($params, array_flip($this->parametersToKeepInReturnUrl));
    $params[0] = Yii::$app->controller->getRoute();
    return Yii::$app->getUrlManager()->createAbsoluteUrl($params);
}

defaultTitle() protected method

Defined in: yii\authclient\BaseClient::defaultTitle()

Generates service title.

protected string defaultTitle ( )
return string

Service title.

protected function defaultTitle()
{
    return StringHelper::basename(get_class($this));
}

defaultViewOptions() protected method

Defined in: yii\authclient\BaseClient::defaultViewOptions()

Returns the default $viewOptions value.

Particular client may override this method in order to provide specific default view options.

protected array defaultViewOptions ( )
return array

List of default $viewOptions

protected function defaultViewOptions()
{
    return [];
}

discoverConfig() protected method

Discovers OpenID Provider configuration parameters.

protected array discoverConfig ( )
return array

OpenID Provider configuration parameters.

throws yii\authclient\InvalidResponseException

on failure.

protected function discoverConfig()
{
    $request = $this->createRequest();
    $configUrl = rtrim($this->issuerUrl, '/') . '/.well-known/openid-configuration';
    $request->setMethod('GET')
        ->setUrl($configUrl);
    $response = $this->sendRequest($request);
    return $response;
}

fetchAccessToken() public method

Fetches access token from authorization code.

public yii\authclient\OAuthToken fetchAccessToken ( $authCode, array $params = [] )
$authCode string

Authorization code, usually passed as the GET parameter 'code'.

$params array

Additional request params.

return yii\authclient\OAuthToken

Access token.

throws \yii\web\HttpException

on invalid auth state, in case $validateAuthState is enabled.

public function fetchAccessToken($authCode, array $params = [])
{
    if ($this->tokenUrl === null) {
        $this->tokenUrl = $this->getConfigParam('token_endpoint');
    }
    if (!isset($params['nonce']) && $this->getValidateAuthNonce()) {
        $params['nonce'] = $this->getState('authNonce');
    }
    return parent::fetchAccessToken($authCode, $params);
}

generateAuthNonce() protected method

Generates the auth nonce value.

protected string generateAuthNonce ( )
return string

Auth nonce value.

protected function generateAuthNonce()
{
    return Yii::$app->security->generateRandomString();
}

generateAuthState() protected method (available since version 2.1)

Defined in: yii\authclient\OAuth2::generateAuthState()

Generates the auth state value.

protected string generateAuthState ( )
return string

Auth state value.

protected function generateAuthState()
{
    $baseString = get_class($this) . '-' . time();
    if (Yii::$app->has('session')) {
        $baseString .= '-' . Yii::$app->session->getId();
    }
    return hash('sha256', uniqid($baseString, true));
}

getAccessToken() public method
public yii\authclient\OAuthToken getAccessToken ( )
return yii\authclient\OAuthToken

Auth token instance.

public function getAccessToken()
{
    if (!is_object($this->_accessToken)) {
        $this->_accessToken = $this->restoreAccessToken();
    }
    return $this->_accessToken;
}

getCache() public method

public \yii\caching\Cache|null getCache ( )
return \yii\caching\Cache|null

The cache object, null - if not enabled.

public function getCache()
{
    if ($this->_cache !== null && !is_object($this->_cache)) {
        $this->_cache = Instance::ensure($this->_cache, Cache::className());
    }
    return $this->_cache;
}

            
getConfigParam() public method

Returns particular configuration parameter value.

public mixed getConfigParam ( $name, $default null )
$name string

Configuration parameter name.

$default mixed

Value to be returned if the configuration parameter isn't set.

return mixed

Configuration parameter value.

public function getConfigParam($name, $default = null)
{
    $params = $this->getConfigParams();
    return array_key_exists($name, $params) ? $params[$name] : $default;
}

            
getConfigParams() public method

public array getConfigParams ( )
return array

OpenID provider configuration parameters.

public function getConfigParams()
{
    if ($this->_configParams === null) {
        $cache = $this->getCache();
        $cacheKey = $this->configParamsCacheKeyPrefix . $this->getId();
        if ($cache === null || ($configParams = $cache->get($cacheKey)) === false) {
            $configParams = $this->discoverConfig();
        }
        $this->_configParams = $configParams;
        if ($cache !== null) {
            $cache->set($cacheKey, $configParams);
        }
    }
    return $this->_configParams;
}

            
getHttpClient() public method (available since version 2.1)

Defined in: yii\authclient\BaseClient::getHttpClient()

Returns HTTP client.

public \yii\httpclient\Client getHttpClient ( )
return \yii\httpclient\Client

Internal HTTP client.

public function getHttpClient()
{
    if (!is_object($this->_httpClient)) {
        $this->_httpClient = $this->createHttpClient($this->_httpClient);
    }
    return $this->_httpClient;
}

            
getId() public method
public string getId ( )
return string

Service id

public function getId()
{
    if (empty($this->_id)) {
        $this->_id = $this->getName();
    }
    return $this->_id;
}

            
getJwkSet() protected method

Returns the JWK set used for JWS verification, fetched from the provider's jwks_uri and cached when a cache component is configured.

protected \yii\authclient\JWKSet getJwkSet ( )
return \yii\authclient\JWKSet

Object representing a key set.

throws yii\authclient\InvalidResponseException

on failure.

protected function getJwkSet()
{
    if ($this->_jwkSet === null) {
        $cache = $this->getCache();
        $cacheKey = $this->configParamsCacheKeyPrefix . '_jwkSet';
        if ($cache === null || ($jwkSet = $cache->get($cacheKey)) === false) {
            $request = $this->createRequest()
                ->setMethod('GET')
                ->setUrl($this->getConfigParam('jwks_uri'));
            $response = $this->sendRequest($request);
            $jwkSet = JWKFactory::createFromValues($response);
        }
        $this->_jwkSet = $jwkSet;
        if ($cache !== null) {
            $cache->set($cacheKey, $jwkSet);
        }
    }
    return $this->_jwkSet;
}

            
getJwsLoader() protected method

Returns the JWSLoader that validates JWS tokens.

protected \Jose\Component\Signature\JWSLoader getJwsLoader ( )
return \Jose\Component\Signature\JWSLoader

Loader used for token validation.

throws \yii\base\InvalidConfigException

on an invalid algorithm provided in configuration.

protected function getJwsLoader()
{
    if ($this->_jwsLoader === null) {
        $algorithms = [];
        foreach ($this->allowedJwsAlgorithms as $algorithm) {
            $class = '\Jose\Component\Signature\Algorithm\\' . $algorithm;
            if (!class_exists($class)) {
                throw new InvalidConfigException("Algorithm class $class doesn't exist");
            }
            $algorithms[] = new $class();
        }
        $this->_jwsLoader = new JWSLoader(
            new JWSSerializerManager([ new CompactSerializer() ]),
            new JWSVerifier(new AlgorithmManager($algorithms)),
            new HeaderCheckerManager(
                [ new AlgorithmChecker($this->allowedJwsAlgorithms) ],
                [ new JWSTokenSupport() ]
            )
        );
    }
    return $this->_jwsLoader;
}

            
getName() public method
public string getName ( )
return string

Service name.

public function getName()
{
    if ($this->_name === null) {
        $this->_name = $this->defaultName();
    }
    return $this->_name;
}

            
getNormalizeUserAttributeMap() public method
public array getNormalizeUserAttributeMap ( )
return array

Normalize user attribute map.

public function getNormalizeUserAttributeMap()
{
    if ($this->_normalizeUserAttributeMap === null) {
        $this->_normalizeUserAttributeMap = $this->defaultNormalizeUserAttributeMap();
    }
    return $this->_normalizeUserAttributeMap;
}

            
getRequestOptions() public method (available since version 2.1)
public array getRequestOptions ( )
return array

HTTP request options.

public function getRequestOptions()
{
    return $this->_requestOptions;
}

            
getReturnUrl() public method
public string getReturnUrl ( )
return string

Return URL.

public function getReturnUrl()
{
    if ($this->_returnUrl === null) {
        $this->_returnUrl = $this->defaultReturnUrl();
    }
    return $this->_returnUrl;
}

            
getSignatureMethod() public method
public yii\authclient\signature\BaseMethod getSignatureMethod ( )
return yii\authclient\signature\BaseMethod

Signature method instance.

public function getSignatureMethod()
{
    if (!is_object($this->_signatureMethod)) {
        $this->_signatureMethod = $this->createSignatureMethod($this->_signatureMethod);
    }
    return $this->_signatureMethod;
}

            
getState() protected method

Defined in: yii\authclient\BaseClient::getState()

Returns persistent state value.

protected mixed getState ( $key )
$key string

State key.

return mixed

State value.

protected function getState($key)
{
    return $this->getStateStorage()->get($this->getStateKeyPrefix() . $key);
}

            
getStateKeyPrefix() protected method

Defined in: yii\authclient\BaseClient::getStateKeyPrefix()

Returns session key prefix, which is used to store internal states.

protected string getStateKeyPrefix ( )
return string

Session key prefix.

protected function getStateKeyPrefix()
{
    return get_class($this) . '_' . $this->getId() . '_';
}

            
getStateStorage() public method
public yii\authclient\StateStorageInterface getStateStorage ( )
return yii\authclient\StateStorageInterface

State storage.

public function getStateStorage()
{
    if (!is_object($this->_stateStorage)) {
        $this->_stateStorage = Yii::createObject($this->_stateStorage);
    }
    return $this->_stateStorage;
}

            
getTitle() public method
public string getTitle ( )
return string

Service title.

public function getTitle()
{
    if ($this->_title === null) {
        $this->_title = $this->defaultTitle();
    }
    return $this->_title;
}

            
getUserAttributes() public method
public array getUserAttributes ( )
return array

List of user attributes.

public function getUserAttributes()
{
    if ($this->_userAttributes === null) {
        $this->_userAttributes = $this->normalizeUserAttributes($this->initUserAttributes());
    }
    return $this->_userAttributes;
}

            
getValidateAuthNonce() public method

public boolean getValidateAuthNonce ( )
return boolean

Whether to use and validate the auth 'nonce' parameter in the authentication flow.

public function getValidateAuthNonce()
{
    if ($this->_validateAuthNonce === null) {
        $this->_validateAuthNonce = $this->validateJws && in_array('nonce', $this->getConfigParam('claims_supported'));
    }
    return $this->_validateAuthNonce;
}

            
getViewOptions() public method
public array getViewOptions ( )
return array

View options in format: optionName => optionValue

public function getViewOptions()
{
    if ($this->_viewOptions === null) {
        $this->_viewOptions = $this->defaultViewOptions();
    }
    return $this->_viewOptions;
}

            
initUserAttributes() protected method

Initializes authenticated user attributes.

protected array initUserAttributes ( )
return array

Auth user attributes.

protected function initUserAttributes()
{
    // Use 'userinfo_endpoint' config if available,
    // try to extract user claims from access token's 'id_token' claim otherwise.
    $userinfoEndpoint = $this->getConfigParam('userinfo_endpoint');
    if (!empty($userinfoEndpoint)) {
        $userInfo = $this->api($userinfoEndpoint, 'GET');
        // The userinfo endpoint can return a JSON object (which will be converted to an array) or a JWT.
        if (is_array($userInfo)) {
            return $userInfo;
        } else {
            // Treat the userinfo response as an id_token and parse it as a JWT below
            $idToken = $userInfo;
        }
    } else {
        $accessToken = $this->accessToken;
        $idToken = $accessToken->getParam('id_token');
    }
    $idTokenData = [];
    if (!empty($idToken)) {
        if ($this->validateJws) {
            $idTokenClaims = $this->loadJws($idToken);
        } else {
            $idTokenClaims = Json::decode(StringHelper::base64UrlDecode(explode('.', $idToken)[1]));
        }
        $metaDataFields = array_flip($this->defaultIdTokenClaims);
        unset($metaDataFields['sub']); // "Subject Identifier" is not meta data
        $idTokenData = array_diff_key($idTokenClaims, $metaDataFields);
    }
    return $idTokenData;
}

            
loadJws() protected method

Validates the JWS (verifying its signature against the provider's JWK set), returning its payload data.

protected array loadJws ( $jws )
$jws string

Raw JWS input.

return array

JWS underlying data.

throws \yii\web\HttpException

on invalid JWS signature.

protected function loadJws($jws)
{
    try {
        $jwsLoader = $this->getJwsLoader();
        $signature = null;
        $jwsVerified = $jwsLoader->loadAndVerifyWithKeySet($jws, $this->getJwkSet(), $signature);
        return Json::decode($jwsVerified->getPayload());
    } catch (\Exception $e) {
        $message = YII_DEBUG ? 'Unable to verify JWS: ' . $e->getMessage() : 'Invalid JWS';
        throw new HttpException(400, $message, $e->getCode(), $e);
    }
}
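The loader built by getJwsLoader() and the verification done by loadJws() are shown below as one runnable script. It is an added example, not code from yii2-authclient: it uses the same web-token classes the page lists, generates a throwaway RSA key pair locally to stand in for what the provider's jwks_uri would serve (so it runs offline), signs a constructed ID token with it, verifies the token through the loader, and then shows that a token whose 'alg' header is outside the allow-list is rejected by the header checker before any signature check runs. The helper names buildLoader() and verifyIdToken(), the key id 'example-2024' and the issuer https://op.example are assumptions.

```php
<?php
// Added example (not part of yii2-authclient). Requires the web-token packages
// the page names (jwt-checker, jwt-key-mgmt, jwt-signature, the hmac and rsa
// algorithm packages) installed via composer.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AlgorithmChecker;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWKSet;
use Jose\Component\KeyManagement\JWKFactory;
use Jose\Component\Signature\Algorithm\HS256;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\JWSLoader;
use Jose\Component\Signature\JWSTokenSupport;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializerManager;

// Same construction as getJwsLoader(): the allow-list is enforced twice, once by
// the AlgorithmManager (only these algorithms can verify) and once by the
// AlgorithmChecker (any other 'alg' header is refused up front).
function buildLoader(array $allowedAlgorithms): JWSLoader
{
    $algorithms = [];
    foreach ($allowedAlgorithms as $name) {
        $class = '\\Jose\\Component\\Signature\\Algorithm\\' . $name;
        $algorithms[] = new $class();
    }
    return new JWSLoader(
        new JWSSerializerManager([new CompactSerializer()]),
        new JWSVerifier(new AlgorithmManager($algorithms)),
        new HeaderCheckerManager(
            [new AlgorithmChecker($allowedAlgorithms)],
            [new JWSTokenSupport()]
        )
    );
}

// Same verification step as loadJws(): load, verify against the key set, decode payload.
function verifyIdToken(JWSLoader $loader, JWKSet $keySet, string $token): array
{
    $signatureIndex = null;
    $jws = $loader->loadAndVerifyWithKeySet($token, $keySet, $signatureIndex);
    return json_decode($jws->getPayload(), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed provider key pair; the public half is what a real jwks_uri publishes.
$providerKey  = JWKFactory::createRSAKey(2048, ['alg' => 'RS256', 'use' => 'sig', 'kid' => 'example-2024']);
$publicKeySet = new JWKSet([$providerKey->toPublic()]);

// Constructed ID token claims (assumed issuer and client id).
$claims = json_encode([
    'iss'   => 'https://op.example',
    'sub'   => '248289761001',
    'aud'   => 'example_client_id',
    'exp'   => time() + 300,
    'iat'   => time(),
    'nonce' => 'n-0S6_WzA2Mj',
]);

// Sign the token the way the provider would.
$jws = (new JWSBuilder(new AlgorithmManager([new RS256()])))
    ->create()
    ->withPayload($claims)
    ->addSignature($providerKey, ['alg' => 'RS256', 'kid' => 'example-2024'])
    ->build();
$idToken = (new CompactSerializer())->serialize($jws, 0);

$loader  = buildLoader(['RS256']);
$payload = verifyIdToken($loader, $publicKeySet, $idToken);
echo "verified: sub={$payload['sub']} nonce={$payload['nonce']}\n";

// A token using an algorithm outside the allow-list (here HS256 with an unrelated
// symmetric key) never reaches signature verification: the AlgorithmChecker refuses
// the header and the loader throws, which loadJws() maps to an HTTP 400.
$otherKey  = JWKFactory::createOctKey(256, ['alg' => 'HS256', 'use' => 'sig']);
$otherJws  = (new JWSBuilder(new AlgorithmManager([new HS256()])))
    ->create()
    ->withPayload($claims)
    ->addSignature($otherKey, ['alg' => 'HS256'])
    ->build();
try {
    verifyIdToken($loader, $publicKeySet, (new CompactSerializer())->serialize($otherJws, 0));
    echo "unexpected: token accepted\n";
} catch (\Exception $e) {
    echo 'rejected as expected: ' . $e->getMessage() . "\n";
}
```

The practical consequence for $allowedJwsAlgorithms is that it should list only what the provider actually signs with (usually a single asymmetric algorithm such as RS256); adding HMAC algorithms to the list of an RSA-keyed provider widens what the header checker will accept for no benefit.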

            
normalizeUserAttributes() protected method

Defined in: yii\authclient\BaseClient::normalizeUserAttributes()

Normalize given user attributes according to $normalizeUserAttributeMap.

protected array normalizeUserAttributes ( $attributes )
$attributes array

Raw attributes.

return array

Normalized attributes.

throws \yii\base\InvalidConfigException

on incorrect normalize attribute map.

protected function normalizeUserAttributes($attributes)
{
    foreach ($this->getNormalizeUserAttributeMap() as $normalizedName => $actualName) {
        if (is_scalar($actualName)) {
            if (array_key_exists($actualName, $attributes)) {
                $attributes[$normalizedName] = $attributes[$actualName];
            }
        } else {
            if (is_callable($actualName)) {
                $attributes[$normalizedName] = call_user_func($actualName, $attributes);
            } elseif (is_array($actualName)) {
                $haystack = $attributes;
                $searchKeys = $actualName;
                $isFound = true;
                while (($key = array_shift($searchKeys)) !== null) {
                    if (is_array($haystack) && array_key_exists($key, $haystack)) {
                        $haystack = $haystack[$key];
                    } else {
                        $isFound = false;
                        break;
                    }
                }
                if ($isFound) {
                    $attributes[$normalizedName] = $haystack;
                }
            } else {
                throw new InvalidConfigException('Invalid actual name "' . gettype($actualName) . '" specified at "' . get_class($this) . '::normalizeUserAttributeMap"');
            }
        }
    }
    return $attributes;
}

            
refreshAccessToken() public method

Gets new auth token to replace expired one.

public yii\authclient\OAuthToken refreshAccessToken ( yii\authclient\OAuthToken $token )
$token yii\authclient\OAuthToken

Expired auth token.

return yii\authclient\OAuthToken

New auth token.

public function refreshAccessToken(OAuthToken $token)
{
    if ($this->tokenUrl === null) {
        $this->tokenUrl = $this->getConfigParam('token_endpoint');
    }
    if ($this->getValidateAuthNonce()) {
        $nonce = $this->generateAuthNonce();
        $this->setState('authNonce', $nonce);
        $token->setParam('nonce', $nonce);
    }
    return parent::refreshAccessToken($token);
}

            
removeState() protected method

Defined in: yii\authclient\BaseClient::removeState()

Removes persistent state value.

protected boolean removeState ( $key )
$key string

State key.

return boolean

Success.

protected function removeState($key)
{
    return $this->getStateStorage()->remove($this->getStateKeyPrefix() . $key);
}

            
restoreAccessToken() protected method

Defined in: yii\authclient\BaseOAuth::restoreAccessToken()

Restores access token.

protected yii\authclient\OAuthToken restoreAccessToken ( )
return yii\authclient\OAuthToken

Auth token.

protected function restoreAccessToken()
{
    $token = $this->getState('token');
    if (is_object($token)) {
        /* @var $token OAuthToken */
        if ($token->getIsExpired() && $this->autoRefreshAccessToken) {
            $token = $this->refreshAccessToken($token);
        }
    }
    return $token;
}

            
saveAccessToken() protected method

Defined in: yii\authclient\BaseOAuth::saveAccessToken()

Saves token as persistent state.

protected $this saveAccessToken ( $token )
$token yii\authclient\OAuthToken|null

Auth token to be saved.

return $this

The object itself.

protected function saveAccessToken($token)
{
    return $this->setState('token', $token);
}

            
sendRequest() protected method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::sendRequest()

Sends the given HTTP request, returning response data.

protected array|string|null sendRequest ( $request )
$request \yii\httpclient\Request

HTTP request to be sent.

return array|string|null

Response data.

throws yii\authclient\ClientErrorResponseException

on client error response codes.

throws yii\authclient\InvalidResponseException

on non-successful (other than client error) response codes.

throws \yii\httpclient\Exception

protected function sendRequest($request)
{
    $response = $request->send();
    if (!$response->getIsOk()) {
        $statusCode = (int)$response->getStatusCode();
        if ($statusCode >= 400 && $statusCode < 500) {
            $exceptionClass = 'yii\\authclient\\ClientErrorResponseException';
        } else {
            $exceptionClass = 'yii\\authclient\\InvalidResponseException';
        }
        throw new $exceptionClass(
            $response,
            'Request failed with code: ' . $statusCode . ', message: ' . $response->getContent(),
            $statusCode
        );
    }
    if (stripos($response->headers->get('content-type', ''), 'application/jwt') !== false) {
        return $response->getContent();
    } else {
        return $response->getData();
    }
}

            
setAccessToken() public method

Defined in: yii\authclient\BaseOAuth::setAccessToken()

Sets access token to be used.

public void setAccessToken ( $token )
$token array|yii\authclient\OAuthToken|null

Access token or its configuration. Set to null to restore token from token store.

public function setAccessToken($token)
{
    if (!is_object($token) && $token !== null) {
        $token = $this->createToken($token);
    }
    $this->_accessToken = $token;
    $this->saveAccessToken($token);
}

            
setCache() public method

Sets up a component to be used for caching.

This can be one of the following:

  • an application component ID (e.g. cache)
  • a configuration array
  • a \yii\caching\Cache object

When null is passed, it means caching is not enabled.

public void setCache ( $cache )
$cache \yii\caching\Cache|array|string|null

The cache object or the ID of the cache application component.

public function setCache($cache)
{
    $this->_cache = $cache;
}

            
setConfigParams() public method (available since version 2.2.12)

Sets the OpenID provider configuration manually; this bypasses the automatic discovery via the /.well-known/openid-configuration endpoint.

public void setConfigParams ( $configParams )
$configParams array

OpenID provider configuration parameters.

public function setConfigParams($configParams)
{
    $this->_configParams = $configParams;
}
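The following application configuration is an added example, not from the page or the project, that ties together setConfigParams(), setCache(), $allowedJwsAlgorithms and the three map forms accepted by normalizeUserAttributes() (scalar key, nested key path, callable). All endpoint URLs, the client credentials and the claim names are assumed placeholder values; the configParams block is a pinned copy of what the provider's /.well-known/openid-configuration would return, so no discovery request is made at runtime and the trusted endpoints cannot change underneath the application without a deliberate configuration change.

```php
<?php
// Added configuration example (not from yii2-authclient); all values are assumed.
return [
    'components' => [
        'authClientCollection' => [
            'class' => 'yii\authclient\Collection',
            'clients' => [
                'corp' => [
                    'class' => 'yii\authclient\OpenIdConnect',
                    'name' => 'corp',
                    'title' => 'Corporate SSO',
                    'issuerUrl' => 'https://sso.example.test',
                    'clientId' => 'example_client_id',
                    'clientSecret' => 'example_client_secret',
                    // Keep signature validation on and allow only the algorithm the provider uses.
                    'validateJws' => true,
                    'allowedJwsAlgorithms' => ['RS256'],
                    // Cache component ID: caches the JWK set between requests (see getJwkSet()).
                    'cache' => 'cache',
                    // Pinned provider metadata; setConfigParams() skips discovery entirely.
                    'configParams' => [
                        'issuer' => 'https://sso.example.test',
                        'authorization_endpoint' => 'https://sso.example.test/oauth2/authorize',
                        'token_endpoint' => 'https://sso.example.test/oauth2/token',
                        'userinfo_endpoint' => 'https://sso.example.test/oauth2/userinfo',
                        'jwks_uri' => 'https://sso.example.test/oauth2/keys',
                        // 'nonce' here is what getValidateAuthNonce() checks for.
                        'claims_supported' => ['sub', 'email', 'name', 'address', 'nonce'],
                    ],
                    'normalizeUserAttributeMap' => [
                        // scalar: copy the 'sub' claim into 'id'
                        'id' => 'sub',
                        // array: follow a nested path, address -> country
                        'country' => ['address', 'country'],
                        // callable: derive a value from the raw attribute array
                        'display_name' => function (array $attributes) {
                            return $attributes['name'] ?? $attributes['email'] ?? null;
                        },
                    ],
                ],
            ],
        ],
    ],
];
```

With this map, raw attributes of `['sub' => '42', 'email' => 'a@example.test', 'address' => ['country' => 'DE']]` come out of getUserAttributes() with `id`, `country` and `display_name` added alongside the original keys; a missing nested key simply leaves the normalized key unset rather than failing.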

            
setHttpClient() public method (available since version 2.1)

Defined in: yii\authclient\BaseOAuth::setHttpClient()

Sets HTTP client to be used.

public void setHttpClient ( $httpClient )
$httpClient array|\yii\httpclient\Client

Internal HTTP client.

public function setHttpClient($httpClient)
{
    if (is_object($httpClient)) {
        $httpClient = clone $httpClient;
        $httpClient->baseUrl = $this->apiBaseUrl;
    }
    parent::setHttpClient($httpClient);
}

            
setId() public method
public void setId ( $id )
$id string

Service id.

public function setId($id)
{
    $this->_id = $id;
}

            
setName() public method
public void setName ( $name )
$name string

Service name.

public function setName($name)
{
    $this->_name = $name;
}

            
setNormalizeUserAttributeMap() public method
public void setNormalizeUserAttributeMap ( $normalizeUserAttributeMap )
$normalizeUserAttributeMap array

Normalize user attribute map.

public function setNormalizeUserAttributeMap($normalizeUserAttributeMap)
{
    $this->_normalizeUserAttributeMap = $normalizeUserAttributeMap;
}

            
setRequestOptions() public method (available since version 2.1)
public void setRequestOptions ( array $options )
$options array

HTTP request options.

public function setRequestOptions(array $options)
{
    $this->_requestOptions = $options;
}

            
setReturnUrl() public method
public void setReturnUrl ( $returnUrl )
$returnUrl string

Return URL

public function setReturnUrl($returnUrl)
{
    $this->_returnUrl = $returnUrl;
}

            
setSignatureMethod() public method

Defined in: yii\authclient\BaseOAuth::setSignatureMethod()

Set signature method to be used.

public void setSignatureMethod ( $signatureMethod )
$signatureMethod array|yii\authclient\signature\BaseMethod

Signature method instance or its array configuration.

throws \yii\base\InvalidArgumentException

on wrong argument.

public function setSignatureMethod($signatureMethod)
{
    if (!is_object($signatureMethod) && !is_array($signatureMethod)) {
        throw new InvalidArgumentException('"' . get_class($this) . '::signatureMethod" should be instance of "\yii\authclient\signature\BaseMethod" or its array configuration. "' . gettype($signatureMethod) . '" has been given.');
    }
    $this->_signatureMethod = $signatureMethod;
}

            
setState() protected method

Defined in: yii\authclient\BaseClient::setState()

Sets persistent state.

protected $this setState ( $key, $value )
$key string

State key.

$value mixed

State value

return $this

The object itself

protected function setState($key, $value)
{
    $this->getStateStorage()->set($this->getStateKeyPrefix() . $key, $value);
    return $this;
}

            
setStateStorage() public method
public void setStateStorage ( $stateStorage )
$stateStorage yii\authclient\StateStorageInterface|array|string

State storage to be used.

public function setStateStorage($stateStorage)
</gr_replreplace>

<gr_replace lines="1808" cat="reformat" orig="public function setTitle">
public function setTitle($title)
{
    $this->_stateStorage = $stateStorage;
}

            
setTitle() public method
public void setTitle ( $title )
$title string

Service title.

                public function setTitle($title)
{
    $this->_title = $title;
}

            
setUserAttributes() public method
public void setUserAttributes ( $userAttributes )
$userAttributes array

List of user attributes.

public function setUserAttributes($userAttributes)
{
    $this->_userAttributes = $this->normalizeUserAttributes($userAttributes);
}

            
setValidateAuthNonce() public method

public void setValidateAuthNonce ( $validateAuthNonce )
$validateAuthNonce boolean

Whether to use and validate the auth 'nonce' parameter in the authentication flow.

public function setValidateAuthNonce($validateAuthNonce)
{
    $this->_validateAuthNonce = $validateAuthNonce;
}

            
setViewOptions() public method
public void setViewOptions ( $viewOptions )
$viewOptions array

View options in format: optionName => optionValue

public function setViewOptions($viewOptions)
{
    $this->_viewOptions = $viewOptions;
}

            
validateClaims() protected method (available since version 2.2.3)

Validates the claims data received from OpenID provider.

protected void validateClaims ( array $claims )
$claims array

Claims data.

throws \yii\web\HttpException

on invalid claims.

protected function validateClaims(array $claims)
{
    $expectedIssuer = $this->getConfigParam('issuer', $this->issuerUrl);
    if (!isset($claims['iss']) || (strcmp(rtrim($claims['iss'], '/'), rtrim($expectedIssuer, '/')) !== 0)) {
        throw new HttpException(400, 'Invalid "iss"');
    }
    if (!isset($claims['aud'])
        || (!is_string($claims['aud']) && !is_array($claims['aud']))
        || (is_string($claims['aud']) && strcmp($claims['aud'], $this->clientId) !== 0)
        || (is_array($claims['aud']) && !in_array($this->clientId, $claims['aud']))
    ) {
        throw new HttpException(400, 'Invalid "aud"');
    }
}
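The 'iss' and 'aud' rules above, worked through as a standalone script. This is an added example, not code from yii2-authclient: assertIdTokenClaims() (an assumed name) reproduces validateClaims()'s two checks, including the trailing-slash tolerance on 'iss' and the string-or-list handling of 'aud', and goes beyond the page's method by also checking 'exp' and comparing the 'nonce' claim against the value the client stored in state during fetchAccessToken(). Two deliberate differences from the page are noted in comments: in_array() is called in strict mode, and the nonce comparison uses hash_equals(). The sample claims, issuer and client id are constructed.

```php
<?php
// Added example (not part of yii2-authclient). Runs stand-alone with plain PHP.

/**
 * Rejects an ID token's claims unless they are bound to this issuer, this client,
 * the current time window and (when supplied) the nonce this client generated.
 *
 * @throws InvalidArgumentException naming the first claim that fails
 */
function assertIdTokenClaims(array $claims, string $expectedIssuer, string $clientId, ?string $expectedNonce, int $now): void
{
    // 'iss': exact match apart from a trailing slash, as in validateClaims().
    if (!isset($claims['iss']) || rtrim($claims['iss'], '/') !== rtrim($expectedIssuer, '/')) {
        throw new InvalidArgumentException('Invalid "iss"');
    }

    // 'aud': either a single string or a list; this client's id must be present.
    // Strict in_array() (unlike the page's loose call) so that e.g. 0 never matches a string id.
    $aud   = $claims['aud'] ?? null;
    $audOk = (is_string($aud) && $aud === $clientId)
          || (is_array($aud) && in_array($clientId, $aud, true));
    if (!$audOk) {
        throw new InvalidArgumentException('Invalid "aud"');
    }

    // Beyond the page: 'exp' must be an integer timestamp still in the future (60 s skew allowed).
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] + 60 < $now) {
        throw new InvalidArgumentException('Invalid "exp"');
    }

    // Beyond the page: when nonce validation is on, the token must echo the stored nonce.
    // hash_equals() keeps the comparison constant-time.
    if ($expectedNonce !== null
        && (!isset($claims['nonce']) || !is_string($claims['nonce']) || !hash_equals($expectedNonce, $claims['nonce']))
    ) {
        throw new InvalidArgumentException('Invalid "nonce"');
    }
}

// Constructed inputs.
$now       = 1700000000;
$issuer    = 'https://op.example';
$clientId  = 'example_client_id';
$nonce     = 'n-0S6_WzA2Mj';
$goodClaims = [
    'iss'   => 'https://op.example/',                   // trailing slash is tolerated
    'sub'   => '248289761001',
    'aud'   => ['example_client_id', 'other_client'],  // list form containing our id
    'exp'   => $now + 300,
    'iat'   => $now,
    'nonce' => $nonce,
];

assertIdTokenClaims($goodClaims, $issuer, $clientId, $nonce, $now);
echo "good claims accepted\n";

// Each case overrides one claim; array union keeps the left-hand value for duplicate keys.
$badCases = [
    'issued by another provider' => ['iss' => 'https://other-op.example'] + $goodClaims,
    'meant for another client'   => ['aud' => 'other_client'] + $goodClaims,
    'expired'                    => ['exp' => $now - 3600] + $goodClaims,
    'nonce does not match state' => ['nonce' => 'replayed-value'] + $goodClaims,
];
foreach ($badCases as $label => $claims) {
    try {
        assertIdTokenClaims($claims, $issuer, $clientId, $nonce, $now);
        echo "$label: unexpectedly accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

In the Yii client these checks only mean something after loadJws() has verified the signature; run on an unverified payload (the $validateJws = false path in initUserAttributes()) they constrain nothing, since every claim is then attacker-controllable.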