mirror of
https://github.com/elyby/oauth2-server.git
synced 2025-05-31 14:12:07 +05:30
Compare commits
12 Commits
8.0.0
...
adaptation
| Author | SHA1 | Date | |
|---|---|---|---|
|
08e470e81a | ||
|
|
677c10a61d | ||
|
|
3684a76ade | ||
|
|
a777ca2adc | ||
|
|
7db4cdb875 | ||
|
|
4673e7de89 | ||
|
0b0b43d433 | ||
|
|
cd8742f630 | ||
|
|
2097edd6eb | ||
|
|
705120c974 | ||
|
|
8a78e00a2e | ||
|
3413c20590 |
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
|
||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Fixed
|
||||
- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
|
||||
with the OAuth2 spec (PR #1035)
|
||||
|
||||
## [8.0.0] - released 2019-07-13
|
||||
|
||||
### Added
|
||||
|
||||
@@ -40,12 +40,12 @@ class AuthorizationServer implements EmitterAwareInterface
|
||||
protected $grantTypeAccessTokenTTL = [];
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
protected $privateKey;
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
protected $publicKey;
|
||||
|
||||
@@ -85,7 +85,7 @@ class AuthorizationServer implements EmitterAwareInterface
|
||||
* @param ClientRepositoryInterface $clientRepository
|
||||
* @param AccessTokenRepositoryInterface $accessTokenRepository
|
||||
* @param ScopeRepositoryInterface $scopeRepository
|
||||
* @param CryptKey|string $privateKey
|
||||
* @param CryptKeyInterface|string $privateKey
|
||||
* @param string|Key $encryptionKey
|
||||
* @param null|ResponseTypeInterface $responseType
|
||||
*/
|
||||
@@ -101,7 +101,7 @@ class AuthorizationServer implements EmitterAwareInterface
|
||||
$this->accessTokenRepository = $accessTokenRepository;
|
||||
$this->scopeRepository = $scopeRepository;
|
||||
|
||||
if ($privateKey instanceof CryptKey === false) {
|
||||
if ($privateKey instanceof CryptKeyInterface === false) {
|
||||
$privateKey = new CryptKey($privateKey);
|
||||
}
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ use InvalidArgumentException;
|
||||
use Lcobucci\JWT\Parser;
|
||||
use Lcobucci\JWT\Signer\Rsa\Sha256;
|
||||
use Lcobucci\JWT\ValidationData;
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\CryptTrait;
|
||||
use League\OAuth2\Server\Exception\OAuthServerException;
|
||||
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
|
||||
@@ -31,7 +31,7 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
|
||||
private $accessTokenRepository;
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
protected $publicKey;
|
||||
|
||||
@@ -46,9 +46,9 @@ class BearerTokenValidator implements AuthorizationValidatorInterface
|
||||
/**
|
||||
* Set the public key
|
||||
*
|
||||
* @param CryptKey $key
|
||||
* @param CryptKeyInterface $key
|
||||
*/
|
||||
public function setPublicKey(CryptKey $key)
|
||||
public function setPublicKey(CryptKeyInterface $key)
|
||||
{
|
||||
$this->publicKey = $key;
|
||||
}
|
||||
|
||||
@@ -14,7 +14,7 @@ namespace League\OAuth2\Server;
|
||||
use LogicException;
|
||||
use RuntimeException;
|
||||
|
||||
class CryptKey
|
||||
class CryptKey implements CryptKeyInterface
|
||||
{
|
||||
const RSA_KEY_PATTERN =
|
||||
'/^(-----BEGIN (RSA )?(PUBLIC|PRIVATE) KEY-----)\R.*(-----END (RSA )?(PUBLIC|PRIVATE) KEY-----)\R?$/s';
|
||||
@@ -101,22 +101,12 @@ class CryptKey
|
||||
return 'file://' . $keyPath;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve key path.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getKeyPath()
|
||||
public function getKeyPath(): string
|
||||
{
|
||||
return $this->keyPath;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieve key pass phrase.
|
||||
*
|
||||
* @return null|string
|
||||
*/
|
||||
public function getPassPhrase()
|
||||
public function getPassPhrase(): ?string
|
||||
{
|
||||
return $this->passPhrase;
|
||||
}
|
||||
|
||||
21
src/CryptKeyInterface.php
Normal file
21
src/CryptKeyInterface.php
Normal file
@@ -0,0 +1,21 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace League\OAuth2\Server;
|
||||
|
||||
interface CryptKeyInterface
|
||||
{
|
||||
/**
|
||||
* Retrieve key path.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getKeyPath(): string;
|
||||
|
||||
/**
|
||||
* Retrieve key pass phrase.
|
||||
*
|
||||
* @return null|string
|
||||
*/
|
||||
public function getPassPhrase(): ?string;
|
||||
}
|
||||
@@ -9,14 +9,14 @@
|
||||
|
||||
namespace League\OAuth2\Server\Entities;
|
||||
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
|
||||
interface AccessTokenEntityInterface extends TokenInterface
|
||||
{
|
||||
/**
|
||||
* Set a private key used to encrypt the access token.
|
||||
*/
|
||||
public function setPrivateKey(CryptKey $privateKey);
|
||||
public function setPrivateKey(CryptKeyInterface $privateKey);
|
||||
|
||||
/**
|
||||
* Generate a string representation of the access token.
|
||||
|
||||
@@ -14,21 +14,21 @@ use Lcobucci\JWT\Builder;
|
||||
use Lcobucci\JWT\Signer\Key;
|
||||
use Lcobucci\JWT\Signer\Rsa\Sha256;
|
||||
use Lcobucci\JWT\Token;
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\Entities\ClientEntityInterface;
|
||||
use League\OAuth2\Server\Entities\ScopeEntityInterface;
|
||||
|
||||
trait AccessTokenTrait
|
||||
{
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
private $privateKey;
|
||||
|
||||
/**
|
||||
* Set the private key used to encrypt this access token.
|
||||
*/
|
||||
public function setPrivateKey(CryptKey $privateKey)
|
||||
public function setPrivateKey(CryptKeyInterface $privateKey)
|
||||
{
|
||||
$this->privateKey = $privateKey;
|
||||
}
|
||||
@@ -36,11 +36,11 @@ trait AccessTokenTrait
|
||||
/**
|
||||
* Generate a JWT from the access token
|
||||
*
|
||||
* @param CryptKey $privateKey
|
||||
* @param CryptKeyInterface $privateKey
|
||||
*
|
||||
* @return Token
|
||||
*/
|
||||
private function convertToJWT(CryptKey $privateKey)
|
||||
private function convertToJWT(CryptKeyInterface $privateKey)
|
||||
{
|
||||
return (new Builder())
|
||||
->setAudience($this->getClient()->getIdentifier())
|
||||
|
||||
@@ -294,14 +294,9 @@ class OAuthServerException extends Exception
|
||||
|
||||
$payload = $this->getPayload();
|
||||
|
||||
if ($this->redirectUri !== null) {
|
||||
if ($useFragment === true) {
|
||||
$this->redirectUri .= (strstr($this->redirectUri, '#') === false) ? '#' : '&';
|
||||
} else {
|
||||
$this->redirectUri .= (strstr($this->redirectUri, '?') === false) ? '?' : '&';
|
||||
}
|
||||
|
||||
return $response->withStatus(302)->withHeader('Location', $this->redirectUri . http_build_query($payload));
|
||||
$redirectUri = $this->getRedirectUri($useFragment);
|
||||
if ($redirectUri !== null) {
|
||||
return $response->withStatus(302)->withHeader('Location', $redirectUri);
|
||||
}
|
||||
|
||||
foreach ($headers as $header => $content) {
|
||||
@@ -359,6 +354,31 @@ class OAuthServerException extends Exception
|
||||
return $this->redirectUri !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the redirectUri with all necessary args.
|
||||
*
|
||||
* Null will be returned if the exception doesn't contain the redirectUri.
|
||||
*
|
||||
* @param bool $useFragment True if errors should be in the URI fragment instead of query string
|
||||
*
|
||||
* @return string|null
|
||||
*/
|
||||
public function getRedirectUri(bool $useFragment = false): ?string
|
||||
{
|
||||
if ($this->redirectUri === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$redirectUri = $this->redirectUri;
|
||||
if ($useFragment) {
|
||||
$redirectUri .= strpos($this->redirectUri, '#') === false ? '#' : '&';
|
||||
} else {
|
||||
$redirectUri .= strpos($this->redirectUri, '?') === false ? '?' : '&';
|
||||
}
|
||||
|
||||
return $redirectUri . http_build_query($this->getPayload());
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the HTTP status code to send when the exceptions is output.
|
||||
*
|
||||
|
||||
@@ -15,7 +15,7 @@ use DateTimeImmutable;
|
||||
use Error;
|
||||
use Exception;
|
||||
use League\Event\EmitterAwareTrait;
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\CryptTrait;
|
||||
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
||||
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
|
||||
@@ -83,7 +83,7 @@ abstract class AbstractGrant implements GrantTypeInterface
|
||||
protected $refreshTokenTTL;
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
protected $privateKey;
|
||||
|
||||
@@ -151,9 +151,9 @@ abstract class AbstractGrant implements GrantTypeInterface
|
||||
/**
|
||||
* Set the private key
|
||||
*
|
||||
* @param CryptKey $key
|
||||
* @param CryptKeyInterface $key
|
||||
*/
|
||||
public function setPrivateKey(CryptKey $key)
|
||||
public function setPrivateKey(CryptKeyInterface $key)
|
||||
{
|
||||
$this->privateKey = $key;
|
||||
}
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
namespace League\OAuth2\Server\Grant;
|
||||
|
||||
use DateInterval;
|
||||
use League\OAuth2\Server\Exception\OAuthServerException;
|
||||
use League\OAuth2\Server\RequestEvent;
|
||||
use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
@@ -29,8 +30,19 @@ class ClientCredentialsGrant extends AbstractGrant
|
||||
ResponseTypeInterface $responseType,
|
||||
DateInterval $accessTokenTTL
|
||||
) {
|
||||
list($clientId) = $this->getClientCredentials($request);
|
||||
|
||||
$client = $this->getClientEntityOrFail($clientId, $request);
|
||||
|
||||
if (!$client->isConfidential()) {
|
||||
$this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
|
||||
|
||||
throw OAuthServerException::invalidClient($request);
|
||||
}
|
||||
|
||||
// Validate request
|
||||
$client = $this->validateClient($request);
|
||||
$this->validateClient($request);
|
||||
|
||||
$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
|
||||
|
||||
// Finalize the requested scopes
|
||||
|
||||
@@ -14,7 +14,7 @@ namespace League\OAuth2\Server\Grant;
|
||||
use DateInterval;
|
||||
use Defuse\Crypto\Key;
|
||||
use League\Event\EmitterAwareInterface;
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
|
||||
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
|
||||
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
|
||||
@@ -131,9 +131,9 @@ interface GrantTypeInterface extends EmitterAwareInterface
|
||||
/**
|
||||
* Set the path to the private key.
|
||||
*
|
||||
* @param CryptKey $privateKey
|
||||
* @param CryptKeyInterface $privateKey
|
||||
*/
|
||||
public function setPrivateKey(CryptKey $privateKey);
|
||||
public function setPrivateKey(CryptKeyInterface $privateKey);
|
||||
|
||||
/**
|
||||
* Set the encryption key
|
||||
|
||||
@@ -23,7 +23,7 @@ class ResourceServer
|
||||
private $accessTokenRepository;
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
private $publicKey;
|
||||
|
||||
@@ -36,7 +36,7 @@ class ResourceServer
|
||||
* New server instance.
|
||||
*
|
||||
* @param AccessTokenRepositoryInterface $accessTokenRepository
|
||||
* @param CryptKey|string $publicKey
|
||||
* @param CryptKeyInterface|string $publicKey
|
||||
* @param null|AuthorizationValidatorInterface $authorizationValidator
|
||||
*/
|
||||
public function __construct(
|
||||
@@ -46,7 +46,7 @@ class ResourceServer
|
||||
) {
|
||||
$this->accessTokenRepository = $accessTokenRepository;
|
||||
|
||||
if ($publicKey instanceof CryptKey === false) {
|
||||
if ($publicKey instanceof CryptKeyInterface === false) {
|
||||
$publicKey = new CryptKey($publicKey);
|
||||
}
|
||||
$this->publicKey = $publicKey;
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
|
||||
namespace League\OAuth2\Server\ResponseTypes;
|
||||
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\CryptKeyInterface;
|
||||
use League\OAuth2\Server\CryptTrait;
|
||||
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
|
||||
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
|
||||
@@ -31,7 +31,7 @@ abstract class AbstractResponseType implements ResponseTypeInterface
|
||||
protected $refreshToken;
|
||||
|
||||
/**
|
||||
* @var CryptKey
|
||||
* @var CryptKeyInterface
|
||||
*/
|
||||
protected $privateKey;
|
||||
|
||||
@@ -54,9 +54,9 @@ abstract class AbstractResponseType implements ResponseTypeInterface
|
||||
/**
|
||||
* Set the private key
|
||||
*
|
||||
* @param CryptKey $key
|
||||
* @param CryptKeyInterface $key
|
||||
*/
|
||||
public function setPrivateKey(CryptKey $key)
|
||||
public function setPrivateKey(CryptKeyInterface $key)
|
||||
{
|
||||
$this->privateKey = $key;
|
||||
}
|
||||
|
||||
@@ -4,7 +4,6 @@ namespace LeagueTests;
|
||||
|
||||
use DateInterval;
|
||||
use League\OAuth2\Server\AuthorizationServer;
|
||||
use League\OAuth2\Server\CryptKey;
|
||||
use League\OAuth2\Server\Exception\OAuthServerException;
|
||||
use League\OAuth2\Server\Grant\AuthCodeGrant;
|
||||
use League\OAuth2\Server\Grant\ClientCredentialsGrant;
|
||||
@@ -62,8 +61,11 @@ class AuthorizationServerTest extends TestCase
|
||||
|
||||
public function testRespondToRequest()
|
||||
{
|
||||
$client = new ClientEntity();
|
||||
$client->setConfidential();
|
||||
|
||||
$clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
|
||||
$clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
|
||||
$clientRepository->method('getClientEntity')->willReturn($client);
|
||||
|
||||
$scope = new ScopeEntity();
|
||||
$scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
|
||||
@@ -150,7 +152,7 @@ class AuthorizationServerTest extends TestCase
|
||||
$encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
|
||||
|
||||
$responseTypePrototype = new class extends BearerTokenResponse {
|
||||
/* @return null|CryptKey */
|
||||
/* @return null|\League\OAuth2\Server\CryptKeyInterface */
|
||||
public function getPrivateKey()
|
||||
{
|
||||
return $this->privateKey;
|
||||
|
||||
@@ -71,6 +71,14 @@ class OAuthServerExceptionTest extends TestCase
|
||||
$exceptionWithRedirect = OAuthServerException::accessDenied('some hint', 'https://example.com/error');
|
||||
|
||||
$this->assertTrue($exceptionWithRedirect->hasRedirect());
|
||||
$this->assertSame(
|
||||
'https://example.com/error?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=some+hint&message=The+resource+owner+or+authorization+server+denied+the+request.',
|
||||
$exceptionWithRedirect->getRedirectUri()
|
||||
);
|
||||
$this->assertSame(
|
||||
'https://example.com/error#error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=some+hint&message=The+resource+owner+or+authorization+server+denied+the+request.',
|
||||
$exceptionWithRedirect->getRedirectUri(true)
|
||||
);
|
||||
}
|
||||
|
||||
public function testDoesNotHaveRedirect()
|
||||
@@ -78,6 +86,7 @@ class OAuthServerExceptionTest extends TestCase
|
||||
$exceptionWithoutRedirect = OAuthServerException::accessDenied('Some hint');
|
||||
|
||||
$this->assertFalse($exceptionWithoutRedirect->hasRedirect());
|
||||
$this->assertNull($exceptionWithoutRedirect->getRedirectUri());
|
||||
}
|
||||
|
||||
public function testHasPrevious()
|
||||
|
||||
@@ -29,6 +29,8 @@ class ClientCredentialsGrantTest extends TestCase
|
||||
public function testRespondToRequest()
|
||||
{
|
||||
$client = new ClientEntity();
|
||||
$client->setConfidential();
|
||||
|
||||
$clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
|
||||
$clientRepositoryMock->method('getClientEntity')->willReturn($client);
|
||||
|
||||
|
||||
@@ -24,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase
|
||||
|
||||
public function testValidResponse()
|
||||
{
|
||||
$client = new ClientEntity();
|
||||
$client->setConfidential();
|
||||
|
||||
$clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
|
||||
$clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
|
||||
$clientRepository->method('getClientEntity')->willReturn($client);
|
||||
|
||||
$scopeEntity = new ScopeEntity;
|
||||
$scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
|
||||
|
||||
Reference in New Issue
Block a user