From 3413c205903f1a4ed6e88e13d13d9a72a4d7e678 Mon Sep 17 00:00:00 2001
From: Matt Allan
Date: Mon, 22 Jul 2019 17:34:54 -0400
Subject: [PATCH] Prevent public clients from using the client_credentials grant type

See https://tools.ietf.org/html/rfc6749#section-4.4.2
---
 src/Grant/ClientCredentialsGrant.php | 13 ++++++++++++-
 tests/AuthorizationServerTest.php | 5 ++++-
 tests/Grant/ClientCredentialsGrantTest.php | 1 +
 .../AuthorizationServerMiddlewareTest.php | 5 ++++-
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/Grant/ClientCredentialsGrant.php b/src/Grant/ClientCredentialsGrant.php
index 9f647965..fab5932c 100644
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@@ -12,6 +12,7 @@ namespace League\OAuth2\Server\Grant;
 use DateInterval;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -29,8 +30,18 @@ class ClientCredentialsGrant extends AbstractGrant
 ResponseTypeInterface $responseType,
 DateInterval $accessTokenTTL
 ) {
+ list($clientId) = $this->getClientCredentials($request);
+
+ $client = $this->getClientEntityOrFail($clientId, $request);
+
+ if (!$client->isConfidential()) {
+ $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+ throw OAuthServerException::invalidClient($request);
+ }
+
 // Validate request
- $client = $this->validateClient($request);
+ $this->validateClient($request);
+
 $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 // Finalize the requested scopes
diff --git a/tests/AuthorizationServerTest.php b/tests/AuthorizationServerTest.php
index bcd87b5b..870d546f 100644
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
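Review bot: The new confidentiality check resolves the client entity with `getClientEntityOrFail` and then calls `validateClient($request)` anyway, while discarding the entity `validateClient` returns — the one the removed line used to keep — so the client is looked up twice per token request. Running the check on the returned entity instead, `$client = $this->validateClient($request); if (!$client->isConfidential()) { ... }`, keeps a single lookup and the same outcome, since a public client is refused with invalid_client in both orders; this assumes validateClient still resolves the entity, which the hunk does not show. A one-line comment at the check, `// RFC 6749 §4.4.2: the client_credentials grant is available to confidential clients only`, would carry the commit message's rationale into the code where the next reader needs it. The emit-then-throw pair looks like it mirrors the failure path inside validateClient; if so, a shared private helper would keep the two in step. respondToAccessTokenRequest's signature begins and its body continues outside the hunk.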
@@ -62,8 +62,11 @@ class AuthorizationServerTest extends TestCase
 public function testRespondToRequest()
 {
+ $client = new ClientEntity();
+ $client->setConfidential();
+
 $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
- $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+ $clientRepository->method('getClientEntity')->willReturn($client);
 $scope = new ScopeEntity();
 $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
diff --git a/tests/Grant/ClientCredentialsGrantTest.php b/tests/Grant/ClientCredentialsGrantTest.php
index 54be52fd..18e85bb2 100644
--- a/tests/Grant/ClientCredentialsGrantTest.php
+++ b/tests/Grant/ClientCredentialsGrantTest.php
@@ -29,6 +29,7 @@ class ClientCredentialsGrantTest extends TestCase
 public function testRespondToRequest()
 {
 $client = new ClientEntity();
+ $client->setConfidential();
 $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
 $clientRepositoryMock->method('getClientEntity')->willReturn($client);
diff --git a/tests/Middleware/AuthorizationServerMiddlewareTest.php b/tests/Middleware/AuthorizationServerMiddlewareTest.php
index c8ed7d1a..e861c7c4 100644
--- a/tests/Middleware/AuthorizationServerMiddlewareTest.php
+++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php
@@ -24,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase
 public function testValidResponse()
 {
+ $client = new ClientEntity();
+ $client->setConfidential();
+
 $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
- $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+ $clientRepository->method('getClientEntity')->willReturn($client);
 $scopeEntity = new ScopeEntity;
 $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
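Review bot: The test changes in ClientCredentialsGrantTest, AuthorizationServerTest and AuthorizationServerMiddlewareTest only flip the existing fixtures to confidential so the happy path keeps passing; nothing asserts that a public client is now refused, which is the behaviour this patch introduces. A negative case in ClientCredentialsGrantTest — a copy of `testRespondToRequest` that omits `$client->setConfidential()` and expects the `OAuthServerException` produced by `invalidClient` — would pin the new check, and it could also assert that the `CLIENT_AUTHENTICATION_FAILED` event is emitted so a future refactor cannot drop the audit signal silently. Without it, a regression that reverts the check leaves the suite green. The method bodies in all three hunks continue outside the hunk.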