From 3413c205903f1a4ed6e88e13d13d9a72a4d7e678 Mon Sep 17 00:00:00 2001 From: Matt Allan Date: Mon, 22 Jul 2019 17:34:54 -0400 Subject: [PATCH 1/5] Prevent public clients from using the client_credentials grant type See https://tools.ietf.org/html/rfc6749#section-4.4.2 --- src/Grant/ClientCredentialsGrant.php | 13 ++++++++++++- tests/AuthorizationServerTest.php | 5 ++++- tests/Grant/ClientCredentialsGrantTest.php | 1 + .../AuthorizationServerMiddlewareTest.php | 5 ++++- 4 files changed, 21 insertions(+), 3 deletions(-) diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php index 9f647965..fab5932c 100644 --- a/src/Grant/ClientCredentialsGrant.php +++ b/src/Grant/ClientCredentialsGrant.php @@ -12,6 +12,7 @@ namespace League\OAuth2\Server\Grant; use DateInterval; +use League\OAuth2\Server\Exception\OAuthServerException; use League\OAuth2\Server\RequestEvent; use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface; use Psr\Http\Message\ServerRequestInterface; @@ -29,8 +30,18 @@ class ClientCredentialsGrant extends AbstractGrant ResponseTypeInterface $responseType, DateInterval $accessTokenTTL ) { + list($clientId) = $this->getClientCredentials($request); + + $client = $this->getClientEntityOrFail($clientId, $request); + + if (!$client->isConfidential()) { + $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); + throw OAuthServerException::invalidClient($request); + } + // Validate request - $client = $this->validateClient($request); + $this->validateClient($request); + $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope)); // Finalize the requested scopes diff --git a/tests/AuthorizationServerTest.php b/tests/AuthorizationServerTest.php index bcd87b5b..870d546f 100644 --- a/tests/AuthorizationServerTest.php +++ b/tests/AuthorizationServerTest.php 
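Review bot: The `isConfidential()` guard is evaluated on a client fetched by bare `client_id` via `getClientEntityOrFail()` before `validateClient($request)` has verified the secret, so the grant-eligibility decision is made on an unauthenticated identity, and the entity is presumably loaded a second time inside `validateClient()`, whose return value the hunk now discards (`$this->validateClient($request);`). The removed line `$client = $this->validateClient($request);` shows that call already yields the authenticated client, so the simpler ordering is to keep that assignment and move the `if (!$client->isConfidential()) { … throw OAuthServerException::invalidClient($request); }` block directly below it, dropping the `list($clientId)` / `getClientEntityOrFail` prelude. Emitting `CLIENT_AUTHENTICATION_FAILED` and throwing the same `invalidClient()` exception as a bad secret is the right fail-closed, non-distinguishing response; a comment such as `// RFC 6749 §4.4.2: client_credentials is restricted to confidential clients` above the guard would record why. `respondToAccessTokenRequest()` begins and ends outside this hunk.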
@@ -62,8 +62,11 @@ class AuthorizationServerTest extends TestCase public function testRespondToRequest() { + $client = new ClientEntity(); + $client->setConfidential(); + $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); - $clientRepository->method('getClientEntity')->willReturn(new ClientEntity()); + $clientRepository->method('getClientEntity')->willReturn($client); $scope = new ScopeEntity(); $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(); diff --git a/tests/Grant/ClientCredentialsGrantTest.php b/tests/Grant/ClientCredentialsGrantTest.php index 54be52fd..18e85bb2 100644 --- a/tests/Grant/ClientCredentialsGrantTest.php +++ b/tests/Grant/ClientCredentialsGrantTest.php @@ -29,6 +29,7 @@ class ClientCredentialsGrantTest extends TestCase public function testRespondToRequest() { $client = new ClientEntity(); + $client->setConfidential(); $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); $clientRepositoryMock->method('getClientEntity')->willReturn($client); diff --git a/tests/Middleware/AuthorizationServerMiddlewareTest.php b/tests/Middleware/AuthorizationServerMiddlewareTest.php index c8ed7d1a..e861c7c4 100644 --- a/tests/Middleware/AuthorizationServerMiddlewareTest.php +++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php @@ -24,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase public function testValidResponse() { + $client = new ClientEntity(); + $client->setConfidential(); + $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); - $clientRepository->method('getClientEntity')->willReturn(new ClientEntity()); + $clientRepository->method('getClientEntity')->willReturn($client); $scopeEntity = new ScopeEntity; $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock(); From 8a78e00a2eaefc8e19e784f9bb271b5edbc10d22 Mon Sep 17 00:00:00 2001 
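Review bot: The only change to `ClientCredentialsGrantTest` is `$client->setConfidential();`, which keeps the existing happy path green; no test in the hunk exercises the new rejection branch, so removing the `isConfidential()` check later would not fail CI. Add a companion test that leaves the `ClientEntity` public (no `setConfidential()`), reuses the same repository mock and grant setup, and declares `$this->expectException(OAuthServerException::class);` before the `respondToAccessTokenRequest()` call (importing `League\OAuth2\Server\Exception\OAuthServerException` in the test file if it is not already). The remainder of `testRespondToRequest`, including the grant and request construction to mirror, lies outside this hunk.
```php
    public function testRespondToRequestRejectsPublicClient()
    {
        $client = new ClientEntity(); // deliberately left public

        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

        // … same remaining mocks, grant and request setup as testRespondToRequest …

        $this->expectException(OAuthServerException::class);

        // … the same respondToAccessTokenRequest() call as testRespondToRequest …
    }
```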
From: Andrew Millington Date: Thu, 25 Jul 2019 19:04:44 +0100 Subject: [PATCH 2/5] Add blank line above throw --- src/Grant/ClientCredentialsGrant.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php index fab5932c..691f421b 100644 --- a/src/Grant/ClientCredentialsGrant.php +++ b/src/Grant/ClientCredentialsGrant.php @@ -36,6 +36,7 @@ class ClientCredentialsGrant extends AbstractGrant if (!$client->isConfidential()) { $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request)); + throw OAuthServerException::invalidClient($request); } From 705120c974bfc9b3e20923be347524bf932f1cf3 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 25 Jul 2019 19:09:47 +0100 Subject: [PATCH 3/5] Add blank space to keep formatting consistent --- tests/Grant/ClientCredentialsGrantTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Grant/ClientCredentialsGrantTest.php b/tests/Grant/ClientCredentialsGrantTest.php index 18e85bb2..78408a33 100644 --- a/tests/Grant/ClientCredentialsGrantTest.php +++ b/tests/Grant/ClientCredentialsGrantTest.php @@ -30,6 +30,7 @@ class ClientCredentialsGrantTest extends TestCase { $client = new ClientEntity(); $client->setConfidential(); + $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock(); $clientRepositoryMock->method('getClientEntity')->willReturn($client); From 2097edd6ebc0411e687ac3d99c9a5eb159d2a31a Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 25 Jul 2019 19:12:33 +0100 Subject: [PATCH 4/5] Update changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 04c42c32..863446df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Fixed +- Clients are now prevented from using the Client Credentials grant unless they are confidential (PR #1035) + ## [8.0.0] - released 2019-07-13 ### Added From cd8742f630084274905acacea0f29e2ff0544c06 Mon Sep 17 00:00:00 2001 From: Andrew Millington Date: Thu, 25 Jul 2019 19:14:08 +0100 Subject: [PATCH 5/5] Reword changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 863446df..d9276547 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] ### Fixed -- Clients are now prevented from using the Client Credentials grant unless they are confidential (PR #1035) +- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform + with the OAuth2 spec (PR #1035) ## [8.0.0] - released 2019-07-13