Commit Graph

1284 Commits

Author SHA1 Message Date
ErickSkrauch
3684a76ade Add getter for the OAuthServerException::redirectUri param and make it public 2019-08-23 00:00:15 +03:00
Andrew Millington
8a78e00a2e
Add blank line above throw 2019-07-25 19:04:44 +01:00
Matt Allan
3413c20590 Prevent public clients from using the client_credentials grant type
See https://tools.ietf.org/html/rfc6749#section-4.4.2
2019-07-22 18:21:29 -04:00
Andrew Millington
f5e910e6ec
Remove jti replication from JWT Header 2019-07-13 17:51:56 +01:00
sephster
1a6ebdf81c
Fix order of imports 2019-07-02 19:24:19 +01:00
sephster
46c86ed5b1
Apply style fix 2019-07-02 19:21:13 +01:00
sephster
c4c354e2df
Fix phpstan issues 2019-07-01 19:17:43 +01:00
sephster
0db54cf1e5
Reinstate use for ClientEntityInterface 2019-06-23 17:40:39 +01:00
sephster
c7d047f7f5
Remove extra line spaces 2019-06-23 17:35:24 +01:00
sephster
e1324b88b2
Merge remote-tracking branch 'upstream/8.0.0' into protect-client-entity-gets 2019-06-23 17:23:40 +01:00
sephster
a1cf22a3a9
Remove duplicate setting of expirydatetime 2019-05-14 16:11:34 +01:00
sephster
86d1581cd9
Remove unused imports 2019-05-14 15:57:13 +01:00
sephster
521ed9a8cb
Merge master into 8.0.0 branch 2019-05-14 15:46:01 +01:00
Andrew Millington
1bbcb57d63
Merge pull request #1009 from iansltx/skip-s256-if-not-installed
Skip SHA256 verifier if system doesn't support sha256
2019-05-14 14:55:39 +01:00
Ian Littman
27d5c5ed8d
Ensure unvalidated ClientEntity gets throw/emit if they return null
In many cases, we validate client info before pulling from client itself
from the repository, in which case it's safe to assume that you can grab
the client once validation passes. However on implicit/auth code grants
we don't have this guarantee due to non-confidential clients that just
reference the client ID. In those cases the client may supply a client
ID that doesn't exist, and we don't do a validation step before pulling
it from the repo.

The issue with that is that ClientRepository doesn't actually enforce
returning a ClientInterface via typehint, nor does it even suggest an
exception to throw if the client doesn't exist. So in most places we
do an instanceof check after the repository returns and throw/emit an
error event if the client doesn't exist.

This approach ends up being a bit error-prone; we missed one case where
we should've been doing this check: in the access token request on an
auth code grant. We don't do enough validation beforehand to assume that
the incoming request has an accurate client ID, so L96 could absolutely
be a method call on a non-object.

This commit centralizes the return-check-emit-throw logic so it's a
one-liner for wherever we need it, including the access token request
processor for auth code grants.
2019-05-11 14:35:59 -05:00
Ian Littman
4ecd3131c1
Skip SHA256 verifier if system doesn't support sha256 2019-05-11 14:23:56 -05:00
Ian Littman
42df2d9c47
Add typehints to OAuthServerException calls 2019-05-11 13:35:24 -05:00
sephster
86869eafbb
Add whitespace around control blocks 2019-05-05 09:03:13 +01:00
David
1e9a468e66
Merge branch 'master' into master 2019-04-12 11:17:37 +02:00
Marc Bennewitz
b88198a9a4 spec compliant 'error_description' but keep 'message' for BC 2019-03-29 16:00:26 +01:00
filecage
0742d5150c explicit is better than implicit :) 2019-03-13 10:08:57 +01:00
filecage
64f0d89fad getNewRefreshToken() can also return NULL 2019-03-11 23:28:47 +01:00
filecage
ebf78132d7 refreshTokenRepository parameter can not be null, condition is obsolete 2019-03-11 23:28:20 +01:00
filecage
aa5bbe5f06 boyscout: style CI tweaks 2019-03-11 23:26:35 +01:00
filecage
2ea76ca4fd Adds handling for null issued refresh token to Grant implementations 2019-03-08 18:19:16 +01:00
filecage
b2840474fd AbstractGrant no longer tries to issue a refresh token if the Repository returned null 2019-03-08 18:16:16 +01:00
sephster
16f37560d4
Merge latest version of 8 branch 2018-12-19 13:03:10 +00:00
sephster
c2cd12e0b8
Remove return types 2018-12-19 12:54:26 +00:00
Chris Tanaskoski
b6955a6c65 Fixed respondToAccessTokenRequest such that it accepts client_id through request body and Http Basic Auth 2018-11-30 10:19:06 +01:00
sephster
8b421818f2
Add blank line to better format 2018-11-21 21:26:54 +00:00
Marc Ypes
f1454cde36 Fix bc breaking change 2018-11-16 12:44:41 +01:00
sephster
443d7c485a
Revert interface change so class can be extende 2018-11-15 22:22:08 +00:00
sephster
2b4974b697
Change to use invalid_grant 2018-11-13 18:18:07 +00:00
sephster
94e75ba6f3
Fix bug 2018-11-13 12:56:06 +00:00
sephster
7982275757
Fix docblock alignment 2018-11-13 12:34:16 +00:00
sephster
f6c1070ccc
Add use Throwable 2018-11-13 12:32:52 +00:00
sephster
d64fb3f526
Merge master into this branch 2018-11-13 12:28:39 +00:00
Marc Ypes
4bb5b747c1 Replace fqn with unqualified name 2018-11-13 01:33:11 +01:00
Marc Ypes
3b983ad0b4 Include previous exception in catch and throw 2018-11-12 13:58:31 +01:00
sephster
34ec35019b
Remove additional whitespace 2018-11-08 13:10:22 +00:00
Marc Bennewitz
16f9de86f2 cleanup DateTime handline
* DateTime -> DateTimeImmutable
* DateTime::format('U') -> DateTime::getTimestamp()
* (new DateTime())->getTimestamp() -> time()
2018-11-08 12:45:18 +01:00
Andrew Millington
ac818bd921
Minor formatting adjustment 2018-11-06 21:42:05 +00:00
Marc Bennewitz
d288a2ad8a Make AuthorizationServer stateless 2018-11-05 09:08:02 +01:00
Andrew Millington
a34f5dd7db
Merge pull request #953 from Sephster/code-tidyup
Code Tidyup
2018-10-13 17:06:21 +01:00
sephster
c0efdf0dd0
Revert changes to throws and returns ordering 2018-10-13 16:54:31 +01:00
sephster
f96fca3b48
Minor code tidyup 2018-10-13 16:44:40 +01:00
sephster
20b355b025
Re-order docblock throws 2018-10-13 16:31:36 +01:00
sephster
793f65d3a3
Remove unused scope entity interface 2018-10-13 16:14:15 +01:00
sephster
322b55eddf
Remove getScopes function and use validateScopes instead 2018-10-13 16:11:44 +01:00
sephster
50ab9dd8ac
Remove unused import 2018-10-13 15:28:39 +01:00