Decode OpenID token with correct public key

Author: marickvantuil

src/GooglePublicKey.php

@@ -20,23 +20,31 @@ public function __construct(Client $guzzle)
         $this->guzzle = $guzzle;
     }
 
-    public function get()
+    public function get($kid = null)
     {
-        return Cache::rememberForever(self::CACHE_KEY, function () {
-            return $this->fetch();
-        });
+        $v3Certs = Cache::rememberForever(
+            self::CACHE_KEY,
+            function () {
+                return $this->getv3Certs();
+            }
+        );
+
+        $cert = $kid ? collect($v3Certs)->firstWhere('kid', '=', $kid) : $v3Certs[0];
+
+        return $this->extractPublicKeyFromCertificate($cert);
     }
 
-    private function fetch()
+    private function getv3Certs()
     {
         $jwksUri = $this->getJwksUri();
 
-        $keys = $this->getCertificateKeys($jwksUri);
-
-        $firstKey = $keys[1];
+        return $this->getCertificateKeys($jwksUri);
+    }
 
-        $modulus = $firstKey['n'];
-        $exponent = $firstKey['e'];
+    private function extractPublicKeyFromCertificate($certificate)
+    {
+        $modulus = $certificate['n'];
+        $exponent = $certificate['e'];
 
         $rsa = app(RSA::class);
 
@@ -72,6 +80,15 @@ private function getCertificateKeys($jwksUri)
         return Arr::get($certificates, 'keys');
     }
 
+    public function getKid($openIdToken)
+    {
+        $response = $this->guzzle->get('https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=' . $openIdToken);
+
+        $tokenInfo = json_decode($response->getBody(), true);
+
+        return Arr::get($tokenInfo, 'kid');
+    }
+
     public function isCached()
     {
         return Cache::has(self::CACHE_KEY);

src/TaskHandler.php

@@ -46,7 +46,8 @@ public function authorizeRequest()
         }
 
         $openIdToken = $this->request->bearerToken();
-        $publicKey = $this->publicKey->get();
+        $kid = $this->publicKey->getKid($openIdToken);
+        $publicKey = $this->publicKey->get($kid);
 
         $decodedToken = $this->jwt->decode($openIdToken, $publicKey, ['RS256']);
 

tests/GooglePublicKeyTest.php

@@ -2,6 +2,7 @@
 
 namespace Tests;
 
+use GuzzleHttp\Client;
 use Illuminate\Support\Facades\Cache;
 use Mockery;
 use phpseclib\Crypt\RSA;
@@ -14,11 +15,18 @@ class GooglePublicKeyTest extends TestCase
      */
     private $publicKey;
 
+    /**
+     * @var Client
+     */
+    private $guzzle;
+
     protected function setUp(): void
     {
         parent::setUp();
 
-        $this->publicKey = app(GooglePublicKey::class);
+        $this->guzzle = Mockery::mock(new Client());
+
+        $this->publicKey = new GooglePublicKey($this->guzzle);
     }
 
     /** @test */
@@ -40,12 +48,10 @@ public function it_caches_the_gcloud_public_key()
     /** @test */
     public function it_will_return_the_cached_gcloud_public_key()
     {
-        $this->app->instance(RSA::class, ($rsa = Mockery::mock(new RSA())->byDefault()));
-
         $this->publicKey->get();
 
         $this->publicKey->get();
 
-        $rsa->shouldHaveReceived('loadKey')->once();
+        $this->guzzle->shouldHaveReceived('get')->twice();
     }
 }

tests/TaskHandlerTest.php

@@ -42,6 +42,7 @@ protected function setUp(): void
         // Ensure we don't fetch the Google public key each test...
         $googlePublicKey = Mockery::mock(app(GooglePublicKey::class));
         $googlePublicKey->shouldReceive('get')->andReturnNull();
+        $googlePublicKey->shouldReceive('getKid')->andReturnNull();
 
         $this->handler = new TaskHandler(
             new CloudTasksClient([