Move code challenge check to auth code request

This commit is contained in:
sephster 2018-08-13 21:47:53 +01:00
parent 7f2fd7b22c
commit 491852b521
No known key found for this signature in database
GPG Key ID: 077754CA23023F4F
2 changed files with 44 additions and 4 deletions

View File

@ -151,7 +151,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
// Validate code challenge
if (!empty($authCodePayload->code_challenge)) {
$codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
$codeVerifier = $this->getRequestParameter('code_verifier', $request, null);
if ($codeVerifier === null) {
throw OAuthServerException::invalidRequest('code_verifier');
@ -193,8 +193,6 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
);
// @codeCoverageIgnoreEnd
}
} else if ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
}
// Issue and persist access + refresh tokens
@ -296,7 +294,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
$authorizationRequest->setScopes($scopes);
$codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
$codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
if ($codeChallenge !== null) {
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
@ -319,6 +317,8 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
$authorizationRequest->setCodeChallenge($codeChallenge);
$authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
} else if ($this->requireCodeChallengeForPublicClients && !$client->isConfidential()) {
throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must be provided for public clients');
}
return $authorizationRequest;

View File

@ -1784,4 +1784,44 @@ class AuthCodeGrantTest extends TestCase
$grant->completeAuthorizationRequest(new AuthorizationRequest());
}
public function testPublicClientAuthCodeRequestRejectedWhenCodeChallengeRequiredButNotGiven()
{
$client = new ClientEntity();
$client->setRedirectUri('http://foo/bar');
$clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
$clientRepositoryMock->method('getClientEntity')->willReturn($client);
$scope = new ScopeEntity();
$scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
$scopeRepositoryMock->method('getScopeEntityByIdentifier')->willReturn($scope);
$grant = new AuthCodeGrant(
$this->getMockBuilder(AuthCodeRepositoryInterface::class)->getMock(),
$this->getMockBuilder(RefreshTokenRepositoryInterface::class)->getMock(),
new \DateInterval('PT10M')
);
$grant->setClientRepository($clientRepositoryMock);
$grant->setScopeRepository($scopeRepositoryMock);
$grant->setDefaultScope(self::DEFAULT_SCOPE);
$request = new ServerRequest(
[],
[],
null,
null,
'php://input',
[],
[],
[
'response_type' => 'code',
'client_id' => 'foo',
'redirect_uri' => 'http://foo/bar',
]
);
$this->assertInstanceOf(AuthorizationRequest::class, $grant->validateAuthorizationRequest($request));
}
}