Commit Graph

2443 Commits

Author SHA1 Message Date
Matt Allan
3413c20590
Prevent public clients from using the client_credentials grant type
See https://tools.ietf.org/html/rfc6749#section-4.4.2
2019-07-22 18:21:29 -04:00
Andrew Millington
e1dc4d708c
Update changelog for release of version 8 2019-07-13 19:58:26 +01:00
Andrew Millington
18dabd36e3
Remove branch 8.0.0 from travis checks 2019-07-13 19:56:44 +01:00
Andrew Millington
1a3107b4fc
Merge pull request #1033 from thephpleague/8.0.0
8.0.0
2019-07-13 19:46:10 +01:00
Andrew Millington
1d9ca35fec
Merge pull request #1032 from thephpleague/update-examples-for-version-8
Update Examples for Version 8
2019-07-13 19:39:38 +01:00
Andrew Millington
c7f998ee02
Add PR number for JTI PR to changelog 2019-07-13 18:03:24 +01:00
Andrew Millington
4b1c9ed503
Merge pull request #1031 from Sephster/remove-jti-from-header
Remove JTI Claim From JWT Header
2019-07-13 17:50:20 +01:00
Andrew Millington
dc3c74601a
Update changelog 2019-07-13 17:52:35 +01:00
Andrew Millington
f5e910e6ec
Remove jti replication from JWT Header 2019-07-13 17:51:56 +01:00
Andrew Millington
2b7923c593
Fix inheritdoc case 2019-07-13 17:49:26 +01:00
Andrew Millington
3f95c0d11e
Update validateClient arguments list 2019-07-13 17:40:38 +01:00
Andrew Millington
4be97e6fd0
Update composer dependencies and remove mustValidateSecret 2019-07-13 17:37:45 +01:00
Andrew Millington
aba5353257
Add validateClient() function to ClientRepository 2019-07-13 17:31:09 +01:00
sephster
7f0879b8b4
Change header type 2019-07-02 22:52:13 +01:00
sephster
cb9aa25c89
Re-add removed changelog instances 2019-07-02 22:51:12 +01:00
sephster
a6a499f8fb
Remove Simon Hamp from README 2019-07-02 22:20:37 +01:00
Andrew Millington
ccf36588ee
Merge pull request #1024 from Sephster/update-dependencies
Update Dependencies
2019-07-02 22:15:29 +01:00
sephster
6b2a3db185
Removing phpstan strict rules 2019-07-02 22:10:17 +01:00
sephster
1a6ebdf81c
Fix order of imports 2019-07-02 19:24:19 +01:00
sephster
46c86ed5b1
Apply style fix 2019-07-02 19:21:13 +01:00
sephster
a92a274d15
Use reflection instead of extension in test 2019-07-02 19:09:47 +01:00
sephster
c4c354e2df
Fix phpstan issues 2019-07-01 19:17:43 +01:00
sephster
7bc1ec643e
Remove unused import 2019-06-27 13:24:58 +01:00
sephster
51b97f87c1
Fix issues setting attributes on requests 2019-06-27 13:15:37 +01:00
sephster
e3b23fa826
Update dependencies and fix PHPUnit tests 2019-06-27 12:54:22 +01:00
Andrew Millington
bac79a26a8
Merge pull request #1010 from iansltx/protect-client-entity-gets
Ensure unvalidated ClientEntity gets throw/emit if they return null
2019-06-23 13:54:14 -04:00
sephster
012808f094
Update changelog 2019-06-23 17:56:32 +01:00
sephster
0db54cf1e5
Reinstate use for ClientEntityInterface 2019-06-23 17:40:39 +01:00
sephster
c7d047f7f5
Remove extra line spaces 2019-06-23 17:35:24 +01:00
sephster
e1324b88b2
Merge remote-tracking branch 'upstream/8.0.0' into protect-client-entity-gets 2019-06-23 17:23:40 +01:00
Andrew Millington
c60e8e3581
Merge pull request #1011 from iansltx/readme-release-notes-73-cleanup
Update release notes, clean up readme, add PHP 7.3 test for v8
2019-06-18 17:41:52 -04:00
sephster
e0ee244506
Remove duplicate entries from changelog 2019-06-18 22:30:17 +01:00
Ian Littman
8b5841870f
Add more detail/precision to 8.0.0 changelog around breaking changes 2019-05-19 21:01:46 -05:00
Ian Littman
048e45d8cd
Add more recent 7.x releases to changelog 2019-05-19 21:01:46 -05:00
Ian Littman
bf75596989
Update security contact email to current maintainer 2019-05-19 21:01:41 -05:00
Ian Littman
c5cfc0a371
Remove dead Commercial Support link 2019-05-19 20:52:28 -05:00
Andrew Millington
5ab4323856
Merge pull request #1014 from Sephster/drop-php-70-support
Drop php 7.0 support
2019-05-14 21:42:12 +01:00
sephster
28709f300f
Add pull request number to changelog 2019-05-14 21:30:30 +01:00
sephster
bd483d701b
Remove support for PHP 7.0 2019-05-14 21:26:17 +01:00
Andrew Millington
3dc324af6e
Merge pull request #1013 from Sephster/8.0.0
Add The Latest Changes from Master into 8.0.0 Branch
2019-05-14 21:09:46 +01:00
sephster
17923634bf
Set private keys in tests 2019-05-14 20:56:54 +01:00
sephster
a1cf22a3a9
Remove duplicate setting of expirydatetime 2019-05-14 16:11:34 +01:00
sephster
86d1581cd9
Remove unused imports 2019-05-14 15:57:13 +01:00
sephster
521ed9a8cb
Merge master into 8.0.0 branch 2019-05-14 15:46:01 +01:00
Andrew Millington
1bbcb57d63
Merge pull request #1009 from iansltx/skip-s256-if-not-installed
Skip SHA256 verifier if system doesn't support sha256
2019-05-14 14:55:39 +01:00
Andrew Millington
93d4b947d8
Merge pull request #1008 from iansltx/typehints-and-exts
Typehint ServerRequestInterface on OAuthServerException, explicitly require ext-json
2019-05-13 10:25:32 +01:00
Ian Littman
27d5c5ed8d
Ensure unvalidated ClientEntity gets throw/emit if they return null
In many cases, we validate client info before pulling from client itself
from the repository, in which case it's safe to assume that you can grab
the client once validation passes. However on implicit/auth code grants
we don't have this guarantee due to non-confidential clients that just
reference the client ID. In those cases the client may supply a client
ID that doesn't exist, and we don't do a validation step before pulling
it from the repo.

The issue with that is that ClientRepository doesn't actually enforce
returning a ClientInterface via typehint, nor does it even suggest an
exception to throw if the client doesn't exist. So in most places we
do an instanceof check after the repository returns and throw/emit an
error event if the client doesn't exist.

This approach ends up being a bit error-prone; we missed one case where
we should've been doing this check: in the access token request on an
auth code grant. We don't do enough validation beforehand to assume that
the incoming request has an accurate client ID, so L96 could absolutely
be a method call on a non-object.

This commit centralizes the return-check-emit-throw logic so it's a
one-liner for wherever we need it, including the access token request
processor for auth code grants.
2019-05-11 14:35:59 -05:00
Ian Littman
4ecd3131c1
Skip SHA256 verifier if system doesn't support sha256 2019-05-11 14:23:56 -05:00
Ian Littman
3fdfbe11f6
Explicitly require ext-json
Makes phpstorm happier; take or leave
2019-05-11 13:37:22 -05:00
Ian Littman
42df2d9c47
Add typehints to OAuthServerException calls 2019-05-11 13:35:24 -05:00