Prevent public clients from using the client_credentials grant type

See https://tools.ietf.org/html/rfc6749#section-4.4.2
2024-11-01 08:23:03 +05:30 · 2019-07-22 17:34:54 -04:00 · 2019-07-22 17:34:54 -04:00 · 3413c20590
commit 3413c20590
parent e1dc4d708c
4 changed files with 21 additions and 3 deletions
--- a/src/Grant/ClientCredentialsGrant.php
+++ b/src/Grant/ClientCredentialsGrant.php
@ -12,6 +12,7 @@
 namespace League\OAuth2\Server\Grant;

 use DateInterval;
+use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\RequestEvent;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
@ -29,8 +30,18 @@ class ClientCredentialsGrant extends AbstractGrant
        ResponseTypeInterface $responseType,
        DateInterval $accessTokenTTL
    ) {
+        list($clientId) = $this->getClientCredentials($request);
+
+        $client = $this->getClientEntityOrFail($clientId, $request);
+
+        if (!$client->isConfidential()) {
+            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+            throw OAuthServerException::invalidClient($request);
+        }
+
        // Validate request
-        $client = $this->validateClient($request);
+        $this->validateClient($request);
+
        $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));

        // Finalize the requested scopes
--- a/tests/AuthorizationServerTest.php
+++ b/tests/AuthorizationServerTest.php
@ -62,8 +62,11 @@ class AuthorizationServerTest extends TestCase

    public function testRespondToRequest()
    {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);

        $scope = new ScopeEntity();
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();
--- a/tests/Grant/ClientCredentialsGrantTest.php
+++ b/tests/Grant/ClientCredentialsGrantTest.php
@ -29,6 +29,7 @@ class ClientCredentialsGrantTest extends TestCase
    public function testRespondToRequest()
    {
        $client = new ClientEntity();
+        $client->setConfidential();
        $clientRepositoryMock = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
        $clientRepositoryMock->method('getClientEntity')->willReturn($client);

--- a/tests/Middleware/AuthorizationServerMiddlewareTest.php
+++ b/tests/Middleware/AuthorizationServerMiddlewareTest.php
@ -24,8 +24,11 @@ class AuthorizationServerMiddlewareTest extends TestCase

    public function testValidResponse()
    {
+        $client = new ClientEntity();
+        $client->setConfidential();
+
        $clientRepository = $this->getMockBuilder(ClientRepositoryInterface::class)->getMock();
-        $clientRepository->method('getClientEntity')->willReturn(new ClientEntity());
+        $clientRepository->method('getClientEntity')->willReturn($client);

        $scopeEntity = new ScopeEntity;
        $scopeRepositoryMock = $this->getMockBuilder(ScopeRepositoryInterface::class)->getMock();