mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-11-30 10:42:02 +05:30
Shuffle the contents of the authorization code payload
This commit is contained in:
parent
63530443fe
commit
4a717104fa
@ -311,14 +311,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
$authorizationRequest->getScopes()
|
||||
);
|
||||
|
||||
$response = new RedirectResponse();
|
||||
$response->setRedirectUri(
|
||||
$this->makeRedirectUri(
|
||||
$finalRedirectUri,
|
||||
[
|
||||
'code' => $this->encrypt(
|
||||
json_encode(
|
||||
[
|
||||
$payload = [
|
||||
'client_id' => $authCode->getClient()->getIdentifier(),
|
||||
'redirect_uri' => $authCode->getRedirectUri(),
|
||||
'auth_code_id' => $authCode->getIdentifier(),
|
||||
@ -327,7 +320,25 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
||||
'expire_time' => (new \DateTime())->add($this->authCodeTTL)->format('U'),
|
||||
'code_challenge' => $authorizationRequest->getCodeChallenge(),
|
||||
'code_challenge_method ' => $authorizationRequest->getCodeChallengeMethod(),
|
||||
]
|
||||
'_padding' => base64_encode(random_bytes(mt_rand(8, 256)))
|
||||
];
|
||||
|
||||
// Shuffle the payload so that the structure is no longer know and obvious
|
||||
$keys = array_keys($payload);
|
||||
shuffle($keys);
|
||||
$shuffledPayload = [];
|
||||
foreach ($keys as $key) {
|
||||
$shuffledPayload[$key] = $payload[$key];
|
||||
}
|
||||
|
||||
$response = new RedirectResponse();
|
||||
$response->setRedirectUri(
|
||||
$this->makeRedirectUri(
|
||||
$finalRedirectUri,
|
||||
[
|
||||
'code' => $this->encrypt(
|
||||
json_encode(
|
||||
$shuffledPayload
|
||||
)
|
||||
),
|
||||
'state' => $authorizationRequest->getState(),
|
||||
|
Loading…
Reference in New Issue
Block a user