Commit Graph

144 Commits

Author SHA1 Message Date
sephster 07ebe43b91 Change else if to elseif 2018-09-02 16:17:34 +01:00
sephster e85a8e31e8 Remove assignment as not needed 2018-09-02 14:58:02 +01:00
sephster 3eabbafe5b Client says if it is confidential instead of repository 2018-09-01 14:53:27 +01:00
sephster 46c2f99b06 Change function name to be more explicit 2018-09-01 13:17:36 +01:00
sephster 491852b521 Move code challenge check to auth code request 2018-08-13 21:47:53 +01:00
Andrew Millington 04807a1e2a Fix incorrect variable reference 2018-08-12 20:29:39 +01:00
Andrew Millington 838f206832 Tidy up comments 2018-08-12 20:09:55 +01:00
Andrew Millington 972808561d Add optional code challenge check for public clients 2018-08-12 20:06:34 +01:00
Andrew Millington 5ad00b0e33 Remove enableCodeExchangeProof function 2018-07-29 22:34:37 +01:00
Andrew Millington f49cc65c13 Change to store code challenge and method whenever sent for PKCE 2018-07-29 19:56:30 +01:00
Andrew Millington ca5fe10934 Fix merge issues 2018-06-24 01:30:15 +01:00
Ilya Bulah a31bc7d4cc Extract validateRedirectUri() 2018-06-14 23:50:58 +03:00
Andrew Millington 491c23c1e9 Merge remote-tracking branch 'upstream/master' into phpstan-level-7 2018-04-21 21:37:24 +01:00
Andrew Millington 80bc291c51 Added null checks before calling set functions 2018-04-21 21:29:21 +01:00
Andrew Millington 6991777ff3 Fix blank line spacing issue 2018-04-20 18:33:46 +01:00
Andrew Millington 9febc32e14 Add spacing around logical blocks 2018-04-20 18:27:47 +01:00
Andrew Millington c8b44ff5c7 Revert fix for client ID exception 2018-04-20 18:22:07 +01:00
Andrew Millington 6fd3024c48 Merge pull request #860 from Zaszczyk/new-events-to-emitter-#825
Add new event types: access_token_issued and refresh_token_issued.
2018-02-26 20:01:22 +00:00
Andrew Millington 62e06b7d3a Removing Yoda condition
Removed Yoda condition from code base
2018-02-26 19:51:03 +00:00
Simon Hamp 009c109716 TravisCI fix for PHPStan 2018-02-26 16:04:48 +00:00
Simon Hamp 6723aadfe8 Fix #837
Unifies how we fetch the client_id from the request and allows us to throw a more appropriate exception when the client_id parameter is missing.

Improves the test method for this validation by checking the culpable method in this particular case. The test was missing this by calling the wrong method.
2018-02-26 15:56:28 +00:00
Mateusz Błaszczyk 6700b113a8 Add new event types: access_token_issued and refresh_token_issued. 2018-02-23 17:48:51 +01:00
Andrew Millington e0cc5ee1b0 Merge branch 'master' of https://github.com/thephpleague/oauth2-server into fix-pkce-implementation 2018-02-18 13:57:19 +00:00
Lukáš Unger cd5233392e Updated dependencies, more strict static analysis 2018-02-17 18:07:16 +01:00
Andrew Millington ef06c29ee8 Merge pull request #840 from liverbool/master
BUGFIX: Wrong redirect uri.
2018-02-11 20:20:41 +00:00
Andrew Millington 5fb9fc929a Reinstate check on client redirect URI to fail if multiple redirect URIs have been listed for the client and one has not been specified in the auth request 2018-02-11 20:10:01 +00:00
liverbool b3cd73cac7 code cleaner
cc.

Co-Authored-By: Andrew Millington <sephster@users.noreply.github.com>
2018-02-09 05:54:05 +07:00
Erick Torres ce2662ece7 Merge branch 'master' of github.com:thephpleague/oauth2-server into fix-pkce-implementation
# Conflicts:
#	tests/Grant/AuthCodeGrantTest.php
2018-02-05 15:32:15 -05:00
Sergio Gómez 1b692e2298 Fix S256 code challenge method
According to [RFC7636#section-4.3](https://tools.ietf.org/html/rfc7636#section-4.3):

    If the "code_challenge_method" from Section 4.3 was "S256", the
    received "code_verifier" is hashed by SHA-256, base64url-encoded, and
    then compared to the "code_challenge", i.e.:

    BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge

So, the hash must be done before the base64_encode.

The tests are modified to use example data from the
[RFC7636#appendix-B](https://tools.ietf.org/html/rfc7636#appendix-B).
2018-01-18 05:31:44 +01:00
liverbool d22f222e65 BUGFIX: Wrong redirect uri.
This's bugfix when redirect on error.
2018-01-13 11:52:31 +07:00
Andrew Millington b6d9835281 Merge branch 'master' into fix-pkce-implementation 2017-12-28 16:37:37 +00:00
Andrew Millington 1c36b70dab Fixed ordering so we only hash after base64 encoding 2017-12-23 02:06:18 +00:00
Andrew Millington f11e4c81cd Merge pull request #697 from fkooman/fix-s256
Fix PKCE code verifier encoding to match specification
2017-12-23 01:52:33 +00:00
Andrew Millington 8c93fd74c9 Merge pull request #573 from ismailbaskin/master
Include redirect_uri check on authorization endpoint
2017-11-19 20:57:27 +00:00
Sephster c895885700 Modify grants so only auth requests use default scopes 2017-11-13 22:19:44 +00:00
Andrew Millington 0f08063864 Fixed use of default scope so it is only for authorization requests 2017-11-06 22:33:28 +00:00
Andrew Millington c996b66528 Add means to set default scopes for grants 2017-10-18 22:08:41 +01:00
Erick Torres 4270f5bac1 Merge branch 'master' of github.com:erickjth/oauth2-server into fix-pkce-implementation
# Conflicts:
#	src/Grant/AuthCodeGrant.php
2017-09-07 17:24:48 -05:00
Hugo Hamon 79038ced78 [BC Break] Fixes invalid code challenge method payload key name
I guess this change might be a BC break for existing and active authorization tokens when they're validated by the server. The good thing is that an authorization token has a very short expiration time and is used once to request an access token.
2017-08-02 17:55:11 +02:00
Erick Torres 88ccb6ff13 Fix codeVerifier check. Keep code style. 2017-07-07 12:35:42 -05:00
Erick Torres fbb3586cae Merge branch 'master' of github.com:erickjth/oauth2-server into fix-pkce-implementation
# Conflicts:
#	src/Grant/AuthCodeGrant.php
#	tests/Grant/AuthCodeGrantTest.php
2017-07-07 12:06:32 -05:00
Alex Bilbie f5c3ba0b24 Removed dead code 2017-07-01 18:22:51 +01:00
Alex Bilbie aee1779432 Apply fixes from StyleCI 2017-07-01 16:19:23 +00:00
Alex Bilbie 0706d66c76 Don’t pad and shuffle the payload if an encryption key has been set 2017-07-01 16:45:29 +01:00
Alex Bilbie 4a717104fa Shuffle the contents of the authorization code payload 2017-07-01 16:45:29 +01:00
Alex Bilbie 57d199b889 Stricter validation of code challenge value to match RFC 7636 requirements 2017-07-01 16:44:43 +01:00
Erick Torres 880e3b4590 Fix invalid code_challenge_method key. 2017-06-16 12:03:04 -05:00
Erick Torres 2167edf1d9 Validate codeVerifier and codeChallenge correctly. 2017-06-16 12:02:48 -05:00
Erick Torres 2482630221 Fix codeVerifier hash verification. 2017-06-16 12:02:34 -05:00
François Kooman 6426e597a3 Fix PKCE code verifier encoding to match specification
The current implementation of PKCE does not follow the specification
correctly regarding the encoding of the code verifier. This patch
correctly encodes the hash of the code verifier according to
Appenix A of RFC 7636.
2017-01-24 11:36:34 +01:00