N°8834 - Add compatibility with PHP 8.4 (#819)

* N°8834 - Add compatibility with PHP 8.4

* Rollback of scssphp/scssphp version upgrade due to compilation error

lib/thenetworg/oauth2-azure/README.md

@@ -228,7 +228,9 @@ With version 1.2.0 you can now use this library to protect your API with Azure A
 ```php
 // Assuming you have already initialized the $provider
 
-// Obtain the accessToken - in this case, we are getting it from Authorization header
+// Obtain the accessToken - in this case, we are getting it from Authorization header.
+// If you're instead using a persisted access token you got from $provider->getAccessToken,
+// you'll have to feed its id token to validateAccessToken like so: $provider->validateAccessToken($accessTokenn->getIdToken());
 $headers = getallheaders();
 // Assuming you got the value of Authorization header as "Bearer [the_access_token]" we parse it
 $authorization = explode(' ', $headers['Authorization']);

lib/thenetworg/oauth2-azure/composer.json

@@ -26,7 +26,7 @@
         "ext-openssl": "*",
         "php": "^7.1|^8.0",
         "league/oauth2-client": "~2.0",
-        "firebase/php-jwt": "~3.0||~4.0||~5.0||~6.0"
+        "firebase/php-jwt": "~3.0||~4.0||~5.0||~6.0||~7.0"
     },
     "autoload": {
         "psr-4": {

lib/thenetworg/oauth2-azure/src/Grant/JwtBearer.php

@@ -4,12 +4,12 @@ namespace TheNetworg\OAuth2\Client\Grant;
 
 class JwtBearer extends \League\OAuth2\Client\Grant\AbstractGrant
 {
-    protected function getName()
+    protected function getName(): string
     {
         return 'urn:ietf:params:oauth:grant-type:jwt-bearer';
     }
 
-    protected function getRequiredRequestParameters()
+    protected function getRequiredRequestParameters(): array
     {
         return [
             'requested_token_use',

lib/thenetworg/oauth2-azure/src/Provider/Azure.php

@@ -89,7 +89,7 @@ class Azure extends AbstractProvider
         if (!array_key_exists($version, $this->openIdConfiguration[$tenant])) {
             $versionInfix = $this->getVersionUriInfix($version);
 	          $openIdConfigurationUri = $this->urlLogin . $tenant . $versionInfix . '/.well-known/openid-configuration?appid=' . $this->clientId;
-            
+
             $factory = $this->getRequestFactory();
             $request = $factory->getRequestWithOptions(
                 'get',
@@ -161,6 +161,11 @@ class Azure extends AbstractProvider
                 $options['resource'] = $this->resource ? $this->resource : $this->urlAPI;
             }
         }
+
+        if (empty($options['scope'])) {
+            $options['scope'] = $this->getDefaultScopes();
+        }
+
         return parent::getAccessToken($grant, $options);
     }
 
@@ -324,7 +329,9 @@ class Azure extends AbstractProvider
         $logoutUri = $openIdConfiguration['end_session_endpoint'];
 
         if (!empty($post_logout_redirect_uri)) {
-            $logoutUri .= '?post_logout_redirect_uri=' . rawurlencode($post_logout_redirect_uri);
+            $query = parse_url($logoutUri, PHP_URL_QUERY);
+            $logoutUri .= $query ? '&' : '?';
+            $logoutUri .= 'post_logout_redirect_uri=' . rawurlencode($post_logout_redirect_uri);
         }
 
         return $logoutUri;
@@ -356,21 +363,21 @@ class Azure extends AbstractProvider
      */
     public function validateTokenClaims($tokenClaims) {
         if ($this->getClientId() != $tokenClaims['aud']) {
-            throw new \RuntimeException('The client_id / audience is invalid!');
+            throw new \RuntimeException('The audience claim of the token does not match the configured Client ID.');
         }
-        if ($tokenClaims['nbf'] > time() || $tokenClaims['exp'] < time()) {
+        if ($tokenClaims['nbf'] > time() + JWT::$leeway || $tokenClaims['exp'] < time() - JWT::$leeway) {
             // Additional validation is being performed in firebase/JWT itself
-            throw new \RuntimeException('The id_token is invalid!');
+            throw new \RuntimeException(sprintf('The token is not yet valid or has already expired. Verify whether your system clock is skewed, the current time is %s.', date('c')));
         }
 
-        if ('common' == $this->tenant) {
-            $this->tenant = $tokenClaims['tid'];
+        if ('common' === $this->tenant) {
+            $this->tenant = $tokenClaims['tid'] ?? null;
         }
 
         $version = array_key_exists('ver', $tokenClaims) ? $tokenClaims['ver'] : $this->defaultEndPointVersion;
         $tenant = $this->getTenantDetails($this->tenant, $version);
         if ($tokenClaims['iss'] != $tenant['issuer']) {
-            throw new \RuntimeException('Invalid token issuer (tokenClaims[iss]' . $tokenClaims['iss'] . ', tenant[issuer] ' . $tenant['issuer'] . ')!');
+            throw new \RuntimeException(sprintf('The token issuer "%s" does not match the tenant configuration of "%s".', $tokenClaims['iss'], $tenant['issuer']));
         }
     }
 

lib/thenetworg/oauth2-azure/src/Provider/AzureResourceOwner.php

@@ -53,6 +53,16 @@ class AzureResourceOwner implements ResourceOwnerInterface
         return $this->claim('family_name');
     }
 
+    /**
+     * Retrieves preferred username of resource owner.
+     *
+     * @return string|null
+     */
+    public function getPreferredUsername()
+    {
+        return $this->claim('preferred_username');
+    }
+
     /**
      * Retrieves user principal name of resource owner.
      *
@@ -63,6 +73,16 @@ class AzureResourceOwner implements ResourceOwnerInterface
         return $this->claim('upn');
     }
 
+    /**
+     * Retrieves email of resource owner.
+     *
+     * @return string|null
+     */
+    public function getEmail()
+    {
+        return $this->claim('email');
+    }
+
     /**
      * Retrieves tenant id of resource owner.
      *