Allow access tokens to be decoded (#571)

* Allow access tokens to be decoded

* Always allow clientId to be a valid claim for `aud`

* test: Fix validation test

Co-authored-by: Evan Sims <[email protected]>

Author: shadowhand

src/Auth0.php

@@ -246,28 +246,28 @@ public function decode(
         ?string $tokenNonce = null,
         ?int $tokenMaxAge = null,
         ?int $tokenLeeway = null,
-        ?int $tokenNow = null
+        ?int $tokenNow = null,
+        ?int $tokenType = null
     ): Token {
-        // instantiate Token handler using the provided JWT, expecting an ID token, using the SDK configuration.
-        $token = new Token($this->configuration, $token, Token::TYPE_ID_TOKEN);
+        $tokenType = $tokenType ?? Token::TYPE_ID_TOKEN;
+        $tokenNonce = $tokenNonce ?? $this->getTransientStore()->getOnce('nonce') ?? null;
+        $tokenMaxAge = $tokenMaxAge ?? $this->getTransientStore()->getOnce('max_age') ?? null;
+        $tokenIssuer = null;
 
-        // Verify token signature.
+        $token = new Token($this->configuration, $token, $tokenType);
         $token->verify();
 
-        $tokenMaxAge = $tokenMaxAge ?? $this->getTransientStore()->getOnce('max_age') ?? null;
-
-        // If pulling from transient storage, $tokenMaxAge might be a string.
+        // If pulled from transient storage, $tokenMaxAge might be a string.
         if ($tokenMaxAge !== null) {
             $tokenMaxAge = (int) $tokenMaxAge;
         }
 
-        // Validate token claims.
         $token->validate(
-            null,
+            $tokenIssuer,
             $tokenAudience,
             $tokenOrganization,
-            $tokenNonce ?? $this->getTransientStore()->getOnce('nonce') ?? null,
-            $tokenMaxAge ?? null,
+            $tokenNonce,
+            $tokenMaxAge,
             $tokenLeeway,
             $tokenNow
         );

src/Token.php

@@ -139,11 +139,8 @@ public function validate(
         $tokenNonce = $tokenNonce ?? null;
         $tokenMaxAge = $tokenMaxAge ?? $this->configuration->getTokenMaxAge() ?? null;
         $tokenLeeway = $tokenLeeway ?? $this->configuration->getTokenLeeway() ?? 60;
-
-        // If 'aud' claim check isn't defined, fallback to client id, if configured.
-        if (count($tokenAudience) === 0 && $this->configuration->hasClientId()) {
-            $tokenAudience[] = (string) $this->configuration->getClientId();
-        }
+        $tokenAudience[] = (string) $this->configuration->getClientId();
+        $tokenAudience = array_unique($tokenAudience);
 
         $validator = $this->parser->validate();
         $now = $tokenNow ?? time();

tests/Unit/Auth0Test.php

@@ -391,6 +391,26 @@ public function defer(
     $auth0->decode($token);
 })->throws(\Auth0\SDK\Exception\InvalidTokenException::class);
 
+test('decode() can be used with access tokens', function (): void {
+    $token = (new \Auth0\Tests\Utilities\TokenGenerator())->withHs256();
+
+    $auth0 = new \Auth0\SDK\Auth0($this->configuration + [
+        'tokenAlgorithm' => 'HS256',
+    ]);
+
+    $decoded = $auth0->decode($token,
+        null,
+        null,
+        null,
+        null,
+        null,
+        null,
+        \Auth0\SDK\Token::TYPE_TOKEN,
+    );
+
+    expect($decoded->getAudience())->toContain('__test_client_id__');
+});
+
 test('exchange() throws an exception if no code is present', function(): void {
     $auth0 = new \Auth0\SDK\Auth0($this->configuration);
     $auth0->exchange();

tests/Unit/TokenTest.php

@@ -158,12 +158,11 @@ function(): SdkConfiguration {
     array $claims
 ): void {
     $token = new Token($configuration, $jwt->token, Token::TYPE_ID_TOKEN);
-
     $token->validate(null, [ $claims['aud'] ]);
 })->with(['mocked data' => [
     function(): SdkConfiguration {
         $this->configuration->setDomain('__test_domain__');
-        $this->configuration->setClientId('__test_client_id__');
+        $this->configuration->setClientId('__diff_client_id__');
         $this->configuration->setTokenAlgorithm('HS256');
         return $this->configuration;
     },