mirror of
https://github.com/elyby/oauth2-server.git
synced 2024-12-22 21:19:46 +05:30
Fix S256 code challenge method
According to [RFC7636#section-4.3](https://tools.ietf.org/html/rfc7636#section-4.3): If the "code_challenge_method" from Section 4.3 was "S256", the received "code_verifier" is hashed by SHA-256, base64url-encoded, and then compared to the "code_challenge", i.e.: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge So, the hash must be done before the base64_encode. The tests are modified to use example data from the [RFC7636#appendix-B](https://tools.ietf.org/html/rfc7636#appendix-B).
This commit is contained in:
parent
92d8052a5b
commit
1b692e2298
@ -144,7 +144,7 @@ class AuthCodeGrant extends AbstractAuthorizeGrant
|
|||||||
case 'S256':
|
case 'S256':
|
||||||
if (
|
if (
|
||||||
hash_equals(
|
hash_equals(
|
||||||
hash('sha256', strtr(rtrim(base64_encode($codeVerifier), '='), '+/', '-_')),
|
strtr(rtrim(base64_encode(hash('sha256', $codeVerifier, true)), '='), '+/', '-_'),
|
||||||
$authCodePayload->code_challenge
|
$authCodePayload->code_challenge
|
||||||
) === false
|
) === false
|
||||||
) {
|
) {
|
||||||
|
@ -744,6 +744,10 @@ class AuthCodeGrantTest extends TestCase
|
|||||||
$grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
|
$grant->setRefreshTokenRepository($refreshTokenRepositoryMock);
|
||||||
$grant->setEncryptionKey($this->cryptStub->getKey());
|
$grant->setEncryptionKey($this->cryptStub->getKey());
|
||||||
|
|
||||||
|
// [RFC 7636] Appendix B. Example for the S256 code_challenge_method
|
||||||
|
$codeVerifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
|
||||||
|
$codeChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
|
||||||
|
|
||||||
$request = new ServerRequest(
|
$request = new ServerRequest(
|
||||||
[],
|
[],
|
||||||
[],
|
[],
|
||||||
@ -757,7 +761,7 @@ class AuthCodeGrantTest extends TestCase
|
|||||||
'grant_type' => 'authorization_code',
|
'grant_type' => 'authorization_code',
|
||||||
'client_id' => 'foo',
|
'client_id' => 'foo',
|
||||||
'redirect_uri' => 'http://foo/bar',
|
'redirect_uri' => 'http://foo/bar',
|
||||||
'code_verifier' => 'foobar',
|
'code_verifier' => $codeVerifier,
|
||||||
'code' => $this->cryptStub->doEncrypt(
|
'code' => $this->cryptStub->doEncrypt(
|
||||||
json_encode(
|
json_encode(
|
||||||
[
|
[
|
||||||
@ -767,7 +771,7 @@ class AuthCodeGrantTest extends TestCase
|
|||||||
'user_id' => 123,
|
'user_id' => 123,
|
||||||
'scopes' => ['foo'],
|
'scopes' => ['foo'],
|
||||||
'redirect_uri' => 'http://foo/bar',
|
'redirect_uri' => 'http://foo/bar',
|
||||||
'code_challenge' => hash('sha256', strtr(rtrim(base64_encode('foobar'), '='), '+/', '-_')),
|
'code_challenge' => $codeChallenge,
|
||||||
'code_challenge_method' => 'S256',
|
'code_challenge_method' => 'S256',
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
Loading…
Reference in New Issue
Block a user