
Feat: Issuers #7

Merged
Meldiron merged 8 commits into main from feat-oauth-helpers on May 30, 2026

Conversation

@Meldiron (Contributor)
No description provided.

greptile-apps Bot commented May 30, 2026

Greptile Summary

This PR introduces a compact JWS token-issuing framework with three concrete implementations: an RFC 9068 JWT access token (AccessToken, RS256), an OIDC id_token (IdToken, RS256), and an OAuth2 refresh token (RefreshToken, HS256). All three previously flagged issues — scope/nonce/at_hash/c_hash claim injection, and silent json_encode failure — have been addressed in this revision.

  • Issuer base: JWS signing mechanics (header assembly, jti generation, base64url encoding) with JSON_THROW_ON_ERROR correctly surfacing encoding failures.
  • Asymmetric issuers: RSA key pair generation, deterministic kid derivation from the modulus, and JWK export for JWKS endpoints.
  • Symmetric issuer: HMAC-SHA256 refresh token with optional kid for secret rotation; registered claims always overwrite any caller-supplied values in $claims.

Confidence Score: 5/5

Safe to merge; the core signing paths are correct and all previously flagged injection vectors are now guarded.

The three previously reported issues (scope/hash-claim injection and silent json_encode failure) are all fixed. The remaining finding is a PHP empty() edge case on optional string parameters in IdToken — only triggered by the string "0", which is not a realistic nonce, access token, or authorization code value in any conformant OIDC flow.

src/Auth/Issuers/Asymmetric/IdToken.php — the empty() guards on optional string parameters.

Important Files Changed

src/Auth/Issuer.php: Base JWS signing class; now correctly uses JSON_THROW_ON_ERROR so malformed claims surface as an exception rather than producing a silently broken token.
src/Auth/Issuers/Asymmetric.php: RSA key handling, JWK export, and RS256 signing are well-implemented; kid derived deterministically from modulus hash.
src/Auth/Issuers/Asymmetric/AccessToken.php: RFC 9068 claim set correctly assembled; scope injection via $claims is now guarded with an unset before the merge.
src/Auth/Issuers/Asymmetric/IdToken.php: OIDC id_token claim set is correct; nonce/at_hash/c_hash injection is guarded; minor: empty() used instead of !== null for optional string guards.
src/Auth/Issuers/Symmetric.php: HS256 HMAC signing is correct; kid header conditionally included; generateSecret produces adequate 256-bit entropy.
src/Auth/Issuers/Symmetric/RefreshToken.php: HS256 refresh token claim set is correct; scope injection guarded with unset; no auth_time (intentional per tests).
tests/Auth/Issuers/Asymmetric/AccessTokenTest.php: Thorough coverage: header type, registered claims, signature validity, scope injection guards, jti generation, and custom claims.
tests/Auth/Issuers/Asymmetric/IdTokenTest.php: Good coverage including hash-claim injection guards, at_hash/c_hash computation, unrepresentable-claim exception, and JWK export.
tests/Auth/Issuers/Symmetric/RefreshTokenTest.php: Covers HMAC correctness, scope injection guards, jti uniqueness, and kid header presence.

Reviews (4): Last reviewed commit: "Add issuers to readme"
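The issuing rules the review checks (registered claims written after, and therefore over, any caller-supplied claims; at_hash/c_hash derived as the left-most half of a SHA-256 digest; a kid header only when rotation needs it; a JSON encoder that raises on an unrepresentable claim instead of emitting a broken token; constant-time MAC verification), as an added example in Python rather than the PR's PHP, and not the project's own code. The RS256/JWK side of the PR is not reproduced here; the HS256 path is shown because it needs only the standard library. The secret, issuer URL, subject, audience and claim values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Claims the issuer owns. A caller-supplied value for any of these is dropped
# before the merge, so scope/nonce/at_hash/c_hash cannot be injected through
# the custom-claims dict (the "unset before the merge" guard in the review).
REGISTERED = frozenset({"iss", "sub", "aud", "exp", "iat", "jti",
                        "scope", "nonce", "at_hash", "c_hash"})


def b64url(data: bytes) -> str:
    """Unpadded base64url as used by JWS (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def oidc_half_hash(value: str) -> str:
    """at_hash / c_hash for a token signed with a SHA-256 based alg (RS256 or
    HS256): SHA-256 over the ASCII octets, keep the left-most 128 bits,
    base64url-encode (OpenID Connect Core 1.0 section 3.3.2.11)."""
    return b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])


def build_claims(issuer: str, subject: str, audience: str, lifetime: int,
                 caller_claims: dict, scope: Optional[str] = None,
                 nonce: Optional[str] = None, access_token: Optional[str] = None,
                 code: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Strip registered names from the caller's claims, then write the
    registered values. Optional strings are tested with `is not None`, the
    analog of the `!== null` guard the review prefers to PHP's empty()."""
    now = int(time.time()) if now is None else now
    claims = {k: v for k, v in caller_claims.items() if k not in REGISTERED}
    claims.update({"iss": issuer, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + lifetime,
                   "jti": secrets.token_urlsafe(16)})  # fresh per token
    if scope is not None:
        claims["scope"] = scope
    if nonce is not None:
        claims["nonce"] = nonce
    if access_token is not None:
        claims["at_hash"] = oidc_half_hash(access_token)
    if code is not None:
        claims["c_hash"] = oidc_half_hash(code)
    return claims


def _encode_json(obj) -> str:
    # allow_nan=False makes json.dumps raise ValueError on NaN/Infinity, and it
    # already raises TypeError on bytes and other unrepresentable values: the
    # JSON_THROW_ON_ERROR behaviour, instead of a silently broken token.
    return b64url(json.dumps(obj, separators=(",", ":"),
                             allow_nan=False).encode("utf-8"))


def issue_hs256(secret: bytes, claims: dict, typ: str = "JWT",
                kid: Optional[str] = None) -> str:
    """Sign the claim set as a compact JWS. typ is "at+jwt" for an RFC 9068
    access token; kid is added to the header only when rotation needs it."""
    header = {"alg": "HS256", "typ": typ}
    if kid is not None:
        header["kid"] = kid
    signing_input = f"{_encode_json(header)}.{_encode_json(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def decode_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_hs256(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Pin alg, check the MAC in constant time before parsing the payload,
    then check exp. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    if decode_header(token).get("alg") != "HS256":  # the token never picks alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```

The order inside build_claims is the whole guard: filtering the caller's dict first and writing the registered values second means a caller who passes `{"scope": "admin"}` or a precomputed `at_hash` gets neither into the token, which is the property the PR's AccessToken, IdToken and RefreshToken tests exercise.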

Comment thread src/Auth/Issuers/Asymmetric/AccessToken.php
Comment thread src/Auth/Issuers/Asymmetric/IdToken.php
Comment thread src/Auth/Issuer.php Outdated
@Meldiron Meldiron merged commit 9245a63 into main May 30, 2026
4 checks passed
2 participants