mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-12-25 14:40:00 +05:30
Start to add code challenge verifier interfaces
This commit is contained in:
parent
e3e7abf41e
commit
6a1645aebc
@ -9,6 +9,9 @@
|
|||||||
|
|
||||||
namespace League\OAuth2\Server\Grant;
|
namespace League\OAuth2\Server\Grant;
|
||||||
|
|
||||||
|
use League\OAuth2\Server\CodeChallengeVerifiers\CodeChallengeVerifierInterface;
|
||||||
|
use League\OAuth2\Server\CodeChallengeVerifiers\PlainVerifier;
|
||||||
|
use League\OAuth2\Server\CodeChallengeVerifiers\S256Verifier;
|
||||||
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||||
use League\OAuth2\Server\Entities\UserEntityInterface;
|
use League\OAuth2\Server\Entities\UserEntityInterface;
|
||||||
@ -33,6 +36,11 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
*/
|
*/
|
||||||
private $requireCodeChallengeForPublicClients = true;
|
private $requireCodeChallengeForPublicClients = true;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var CodeChallengeVerifierInterface[]
|
||||||
|
*/
|
||||||
|
private $codeChallengeVerifiers = [];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param AuthCodeRepositoryInterface $authCodeRepository
|
* @param AuthCodeRepositoryInterface $authCodeRepository
|
||||||
* @param RefreshTokenRepositoryInterface $refreshTokenRepository
|
* @param RefreshTokenRepositoryInterface $refreshTokenRepository
|
||||||
@ -47,6 +55,15 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
$this->setRefreshTokenRepository($refreshTokenRepository);
|
$this->setRefreshTokenRepository($refreshTokenRepository);
|
||||||
$this->authCodeTTL = $authCodeTTL;
|
$this->authCodeTTL = $authCodeTTL;
|
||||||
$this->refreshTokenTTL = new \DateInterval('P1M');
|
$this->refreshTokenTTL = new \DateInterval('P1M');
|
||||||
|
|
||||||
|
// SHOULD ONLY DO THIS IS SHA256 is supported
|
||||||
|
$s256Verifier = new S256Verifier();
|
||||||
|
$plainVerifier = new PlainVerifier();
|
||||||
|
|
||||||
|
$codeChallengeVerifiers = [
|
||||||
|
$s256Verifier->getMethod() => $s256Verifier,
|
||||||
|
$plainVerifier->getMethod() => $plainVerifier,
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -161,32 +178,19 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
switch ($authCodePayload->code_challenge_method) {
|
if (isset($this->codeChallengeVerifiers[$authCodePayLoad->code_challenge_method])) {
|
||||||
case 'plain':
|
$codeChallengeVerifier = $this->codeChallengeVerifiers[$authCodePayload->code_challenge_method];
|
||||||
if (hash_equals($codeVerifier, $authCodePayload->code_challenge) === false) {
|
|
||||||
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
if ($codeChallengeVerifier->verifyCodeChallenge($codeVerifier, $authCodePayload->code_challenge) === false) {
|
||||||
case 'S256':
|
|
||||||
if (
|
|
||||||
hash_equals(
|
|
||||||
strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
|
|
||||||
$authCodePayload->code_challenge
|
|
||||||
) === false
|
|
||||||
) {
|
|
||||||
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
|
throw OAuthServerException::invalidGrant('Failed to verify `code_verifier`.');
|
||||||
}
|
}
|
||||||
// @codeCoverageIgnoreStart
|
} else {
|
||||||
break;
|
|
||||||
default:
|
|
||||||
throw OAuthServerException::serverError(
|
throw OAuthServerException::serverError(
|
||||||
sprintf(
|
sprintf(
|
||||||
'Unsupported code challenge method `%s`',
|
'Unsupported code challenge method `%s`',
|
||||||
$authCodePayload->code_challenge_method
|
$authCodePayload->code_challenge_method
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
// @codeCoverageIgnoreEnd
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -289,10 +293,13 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
if ($codeChallenge !== null) {
|
if ($codeChallenge !== null) {
|
||||||
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
|
$codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
|
||||||
|
|
||||||
if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
|
if (array_key_exitst($codeChallengeMethod, $this->codeChallengeVerifiers) === false) {
|
||||||
throw OAuthServerException::invalidRequest(
|
throw OAuthServerException::invalidRequest(
|
||||||
'code_challenge_method',
|
'code_challenge_method',
|
||||||
'Code challenge method must be `plain` or `S256`'
|
'Code challenge method must be one of ' . implode(', ', array_map(
|
||||||
|
function ($method) { return '`' . $method . '`'; },
|
||||||
|
array_keys($this->codeChallengeVerifiers)
|
||||||
|
))
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user