Add tests

Prevent public clients from using the client_credentials grant type

.travis.yml

@@ -30,4 +30,3 @@ after_script:
 branches:
   only:
     - master
-    - 8.0.0

CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Fixed
+- Clients are now explicitly prevented from using the Client Credentials grant unless they are confidential to conform
+ with the OAuth2 spec (PR #1035)
+
+## [8.0.0] - released 2019-07-13
+
 ### Added
 - Flag, `requireCodeChallengeForPublicClients`, used to reject public clients that do not provide a code challenge for the Auth Code Grant; use AuthCodeGrant::disableRequireCodeCallengeForPublicClients() to turn off this requirement (PR #938)
 - Public clients can now use the Auth Code Grant (PR #938)
@@ -25,6 +31,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Removed
 - `enableCodeExchangeProof` flag (PR #938)
 - Support for PHP 7.0 (PR #1014)
+- Remove JTI claim from JWT header (PR #1031)
 
 ## [7.4.0] - released 2019-05-05
 
@@ -465,7 +472,8 @@ Version 5 is a complete code rewrite.
 
 - First major release
 
-[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...HEAD
+[Unreleased]: https://github.com/thephpleague/oauth2-server/compare/8.0.0...HEAD
+[8.0.0]: https://github.com/thephpleague/oauth2-server/compare/7.4.0...8.0.0
 [7.4.0]: https://github.com/thephpleague/oauth2-server/compare/7.3.3...7.4.0
 [7.3.3]: https://github.com/thephpleague/oauth2-server/compare/7.3.2...7.3.3
 [7.3.2]: https://github.com/thephpleague/oauth2-server/compare/7.3.1...7.3.2

src/Entities/Traits/AccessTokenTrait.php

@@ -44,7 +44,7 @@ trait AccessTokenTrait
     {
         return (new Builder())
             ->setAudience($this->getClient()->getIdentifier())
-            ->setId($this->getIdentifier(), true)
+            ->setId($this->getIdentifier())
             ->setIssuedAt(time())
             ->setNotBefore(time())
             ->setExpiration($this->getExpiryDateTime()->getTimestamp())

src/Exception/OAuthServerException.php

@@ -294,14 +294,9 @@ class OAuthServerException extends Exception
 
         $payload = $this->getPayload();
 
-        if ($this->redirectUri !== null) {
-            if ($useFragment === true) {
-                $this->redirectUri .= (strstr($this->redirectUri, '#') === false) ? '#' : '&';
-            } else {
-                $this->redirectUri .= (strstr($this->redirectUri, '?') === false) ? '?' : '&';
-            }
-
-            return $response->withStatus(302)->withHeader('Location', $this->redirectUri . http_build_query($payload));
+        $redirectUri = $this->getRedirectUri($useFragment);
+        if ($redirectUri !== null) {
+            return $response->withStatus(302)->withHeader('Location', $redirectUri);
         }
 
         foreach ($headers as $header => $content) {
@@ -359,6 +354,31 @@ class OAuthServerException extends Exception
         return $this->redirectUri !== null;
     }
 
+    /**
+     * Returns the redirectUri with all necessary args.
+     *
+     * Null will be returned if the exception doesn't contain the redirectUri.
+     *
+     * @param bool $useFragment True if errors should be in the URI fragment instead of query string
+     *
+     * @return string|null
+     */
+    public function getRedirectUri(bool $useFragment = false): ?string
+    {
+        if ($this->redirectUri === null) {
+            return null;
+        }
+
+        $redirectUri = $this->redirectUri;
+        if ($useFragment) {
+            $redirectUri .= strpos($this->redirectUri, '#') === false ? '#' : '&';
+        } else {
+            $redirectUri .= strpos($this->redirectUri, '?') === false ? '?' : '&';
+        }
+
+        return $redirectUri . http_build_query($this->getPayload());
+    }
+
     /**
      * Returns the HTTP status code to send when the exceptions is output.
      *

src/Grant/ClientCredentialsGrant.php

@@ -12,6 +12,7 @@
 namespace League\OAuth2\Server\Grant;
 
 use DateInterval;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -29,8 +30,19 @@ class ClientCredentialsGrant extends AbstractGrant
         ResponseTypeInterface $responseType,
         DateInterval $accessTokenTTL
     ) {
+        list($clientId) = $this->getClientCredentials($request);
+
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        if (!$client->isConfidential()) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+
+            throw OAuthServerException::invalidClient($request);
+        }
+
         // Validate request
-        $client = $this->validateClient($request);
+        $this->validateClient($request);
+
         $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 
         // Finalize the requested scopes

tests/AuthorizationServerTest.php

@@ -62,8 +62,11 @@ class AuthorizationServerTest extends TestCase
 
     public function testRespondToRequest()
     {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
         $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);
 
         $scope = new ScopeEntity();
         $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();

tests/Exception/OAuthServerExceptionTest.php

@@ -71,6 +71,14 @@ class OAuthServerExceptionTest extends TestCase
         $exceptionWithRedirect = OAuthServerException::accessDenied('some hint', 'https://example.com/error');
 
         $this->assertTrue($exceptionWithRedirect->hasRedirect());
+        $this->assertSame(
+            'https://example.com/error?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=some+hint&message=The+resource+owner+or+authorization+server+denied+the+request.',
+            $exceptionWithRedirect->getRedirectUri()
+        );
+        $this->assertSame(
+            'https://example.com/error#error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=some+hint&message=The+resource+owner+or+authorization+server+denied+the+request.',
+            $exceptionWithRedirect->getRedirectUri(true)
+        );
     }
 
     public function testDoesNotHaveRedirect()
@@ -78,6 +86,7 @@ class OAuthServerExceptionTest extends TestCase
         $exceptionWithoutRedirect = OAuthServerException::accessDenied('Some hint');
 
         $this->assertFalse($exceptionWithoutRedirect->hasRedirect());
+        $this->assertNull($exceptionWithoutRedirect->getRedirectUri());
     }
 
     public function testHasPrevious()

tests/Grant/ClientCredentialsGrantTest.php

@@ -29,6 +29,8 @@ class ClientCredentialsGrantTest extends TestCase
     public function testRespondToRequest()
     {
         $client = new ClientEntity();
+        $client->setConfidential();
+
         $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
         $clientRepositoryMock->method('getClientEntity')->willReturn($client);
 

tests/Middleware/AuthorizationServerMiddlewareTest.php

@@ -24,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase
 
     public function testValidResponse()
     {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
         $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);
 
         $scopeEntity = new ScopeEntity;
         $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();