From 4a717104fa57287182f73b57a7788b32b629bfb9 Mon Sep 17 00:00:00 2001 From: Alex Bilbie Date: Sat, 1 Jul 2017 15:30:21 +0100 Subject: [PATCH] Shuffle the contents of the authorization code payload --- src/Grant/AuthCodeGrant.php | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/src/Grant/AuthCodeGrant.php b/src/Grant/AuthCodeGrant.php index 119c1f96..5adb2a69 100644 --- a/src/Grant/AuthCodeGrant.php +++ b/src/Grant/AuthCodeGrant.php @@ -311,6 +311,26 @@ class AuthCodeGrant extends AbstractAuthorizeGrant $authorizationRequest->getScopes() ); + $payload = [ + 'client_id' => $authCode->getClient()->getIdentifier(), + 'redirect_uri' => $authCode->getRedirectUri(), + 'auth_code_id' => $authCode->getIdentifier(), + 'scopes' => $authCode->getScopes(), + 'user_id' => $authCode->getUserIdentifier(), + 'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'), + 'code_challenge' => $authorizationRequest->getCodeChallenge(), + 'code_challenge_method ' => $authorizationRequest->getCodeChallengeMethod(), + '_padding' => base64_encode(random_bytes(mt_rand(8, 256))) + ]; + + // Shuffle the payload so that the structure is no longer know and obvious + $keys = array_keys($payload); + shuffle($keys); + $shuffledPayload = []; + foreach ($keys as $key) { + $shuffledPayload[$key] = $payload[$key]; + } + $response = new RedirectResponse(); $response->setRedirectUri( $this->makeRedirectUri( @@ -318,16 +338,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant [ 'code' => $this->encrypt( json_encode( - [ - 'client_id' => $authCode->getClient()->getIdentifier(), - 'redirect_uri' => $authCode->getRedirectUri(), - 'auth_code_id' => $authCode->getIdentifier(), - 'scopes' => $authCode->getScopes(), - 'user_id' => $authCode->getUserIdentifier(), - 'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'), - 'code_challenge' => $authorizationRequest->getCodeChallenge(), - 'code_challenge_method ' => $authorizationRequest->getCodeChallengeMethod(), - ] + $shuffledPayload ) ), 'state' => $authorizationRequest->getState(),