Matt Allan
3413c20590
Prevent public clients from using the client_credentials grant type
...
See https://tools.ietf.org/html/rfc6749#section-4.4.2
2019-07-22 18:21:29 -04:00
Andrew Millington
f5e910e6ec
Remove jti replication from JWT Header
2019-07-13 17:51:56 +01:00
sephster
1a6ebdf81c
Fix order of imports
2019-07-02 19:24:19 +01:00
sephster
46c86ed5b1
Apply style fix
2019-07-02 19:21:13 +01:00
sephster
c4c354e2df
Fix phpstan issues
2019-07-01 19:17:43 +01:00
sephster
0db54cf1e5
Reinstate use for ClientEntityInterface
2019-06-23 17:40:39 +01:00
sephster
c7d047f7f5
Remove extra line spaces
2019-06-23 17:35:24 +01:00
sephster
e1324b88b2
Merge remote-tracking branch 'upstream/8.0.0' into protect-client-entity-gets
2019-06-23 17:23:40 +01:00
sephster
a1cf22a3a9
Remove duplicate setting of expirydatetime
2019-05-14 16:11:34 +01:00
sephster
86d1581cd9
Remove unused imports
2019-05-14 15:57:13 +01:00
sephster
521ed9a8cb
Merge master into 8.0.0 branch
2019-05-14 15:46:01 +01:00
Andrew Millington
1bbcb57d63
Merge pull request #1009 from iansltx/skip-s256-if-not-installed
...
Skip SHA256 verifier if system doesn't support sha256
2019-05-14 14:55:39 +01:00
Ian Littman
27d5c5ed8d
Ensure unvalidated ClientEntity gets throw/emit if they return null
...
In many cases, we validate client info before pulling the client itself
from the repository, in which case it's safe to assume that you can grab
the client once validation passes. However on implicit/auth code grants
we don't have this guarantee due to non-confidential clients that just
reference the client ID. In those cases the client may supply a client
ID that doesn't exist, and we don't do a validation step before pulling
it from the repo.
The issue with that is that ClientRepository doesn't actually enforce
returning a ClientInterface via typehint, nor does it even suggest an
exception to throw if the client doesn't exist. So in most places we
do an instanceof check after the repository returns and throw/emit an
error event if the client doesn't exist.
This approach ends up being a bit error-prone; we missed one case where
we should've been doing this check: in the access token request on an
auth code grant. We don't do enough validation beforehand to assume that
the incoming request has an accurate client ID, so L96 could absolutely
be a method call on a non-object.
This commit centralizes the return-check-emit-throw logic so it's a
one-liner for wherever we need it, including the access token request
processor for auth code grants.
2019-05-11 14:35:59 -05:00
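Added worked example (not the project's own code, and not from any of the commits listed here) showing the two checks the commit messages above describe: the centralised fetch-check-throw for a ClientRepository that may return null (commit 27d5c5ed8d), and the RFC 6749 section 4.4.2 rule that only confidential clients may use the client_credentials grant (commit 3413c20590). The interfaces, class names and the two helper functions below are stand-ins defined inline so the script runs stand-alone; they mimic the shape of the library's interfaces but are assumptions, not its real API. The client list is constructed sample data.

```php
<?php
declare(strict_types=1);

// Stand-in for the library's ClientEntityInterface (assumption: minimal shape only).
interface ClientEntityInterface
{
    public function getIdentifier(): string;
    public function isConfidential(): bool;
}

// Stand-in for ClientRepositoryInterface. Deliberately no return typehint:
// this mirrors the problem in the commit message, where nothing forces a
// non-null return and the caller must check for it.
interface ClientRepositoryInterface
{
    /** @return ClientEntityInterface|null */
    public function getClientEntity(string $clientIdentifier);
}

// Stand-in for OAuthServerException; error codes follow RFC 6749 section 5.2.
final class OAuthServerException extends \RuntimeException
{
    public static function invalidClient(): self
    {
        return new self('invalid_client: client authentication failed', 401);
    }

    public static function unauthorizedClient(): self
    {
        return new self('unauthorized_client: client may not use this grant type', 400);
    }
}

final class Client implements ClientEntityInterface
{
    private $identifier;
    private $confidential;

    public function __construct(string $identifier, bool $confidential)
    {
        $this->identifier = $identifier;
        $this->confidential = $confidential;
    }

    public function getIdentifier(): string { return $this->identifier; }
    public function isConfidential(): bool { return $this->confidential; }
}

final class InMemoryClientRepository implements ClientRepositoryInterface
{
    /** @var array<string, ClientEntityInterface> */
    private $clients = [];

    public function __construct(array $clients)
    {
        foreach ($clients as $client) {
            $this->clients[$client->getIdentifier()] = $client;
        }
    }

    public function getClientEntity(string $clientIdentifier)
    {
        // Unknown client IDs come back as null, exactly the case an implicit
        // or auth-code request with a bogus client_id would hit.
        return $this->clients[$clientIdentifier] ?? null;
    }
}

// The one-liner the commit centralises: fetch, instanceof-check, throw.
// (The library also emits a failure event here; this example only throws.)
function getClientEntityOrFail(ClientRepositoryInterface $repo, string $clientId): ClientEntityInterface
{
    $client = $repo->getClientEntity($clientId);
    if (!$client instanceof ClientEntityInterface) {
        throw OAuthServerException::invalidClient();
    }
    return $client;
}

// RFC 6749 4.4.2: the client_credentials grant is for confidential clients only.
function assertMayUseClientCredentials(ClientEntityInterface $client): void
{
    if (!$client->isConfidential()) {
        throw OAuthServerException::unauthorizedClient();
    }
}

// Constructed sample clients: one confidential backend, one public SPA.
$repo = new InMemoryClientRepository([
    new Client('backend-service', true),
    new Client('spa-frontend', false),
]);

foreach (['backend-service', 'spa-frontend', 'does-not-exist'] as $id) {
    try {
        $client = getClientEntityOrFail($repo, $id);
        assertMayUseClientCredentials($client);
        echo "$id: client_credentials allowed\n";
    } catch (OAuthServerException $e) {
        echo "$id: rejected ({$e->getMessage()})\n";
    }
}
```

The point of routing every repository lookup through getClientEntityOrFail is that a missing client can never reach a method call on null; the unknown-ID case surfaces as an invalid_client error instead of a PHP fatal, and the grant-type restriction is a separate check that only ever sees a real client entity.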
Ian Littman
4ecd3131c1
Skip SHA256 verifier if system doesn't support sha256
2019-05-11 14:23:56 -05:00
Ian Littman
42df2d9c47
Add typehints to OAuthServerException calls
2019-05-11 13:35:24 -05:00
sephster
86869eafbb
Add whitespace around control blocks
2019-05-05 09:03:13 +01:00
David
1e9a468e66
Merge branch 'master' into master
2019-04-12 11:17:37 +02:00
Marc Bennewitz
b88198a9a4
spec compliant 'error_description' but keep 'message' for BC
2019-03-29 16:00:26 +01:00
filecage
0742d5150c
explicit is better than implicit :)
2019-03-13 10:08:57 +01:00
filecage
64f0d89fad
getNewRefreshToken()
can also return NULL
2019-03-11 23:28:47 +01:00
filecage
ebf78132d7
refreshTokenRepository
parameter can not be null, condition is obsolete
2019-03-11 23:28:20 +01:00
filecage
aa5bbe5f06
boyscout: style CI tweaks
2019-03-11 23:26:35 +01:00
filecage
2ea76ca4fd
Adds handling for null
issued refresh token to Grant implementations
2019-03-08 18:19:16 +01:00
filecage
b2840474fd
AbstractGrant no longer tries to issue a refresh token if the Repository returned null
2019-03-08 18:16:16 +01:00
sephster
16f37560d4
Merge latest version of 8 branch
2018-12-19 13:03:10 +00:00
sephster
c2cd12e0b8
Remove return types
2018-12-19 12:54:26 +00:00
Chris Tanaskoski
b6955a6c65
Fixed respondToAccessTokenRequest such that it accepts client_id through request body and Http Basic Auth
2018-11-30 10:19:06 +01:00
sephster
8b421818f2
Add blank line to better format
2018-11-21 21:26:54 +00:00
Marc Ypes
f1454cde36
Fix bc breaking change
2018-11-16 12:44:41 +01:00
sephster
443d7c485a
Revert interface change so class can be extended
2018-11-15 22:22:08 +00:00
sephster
2b4974b697
Change to use invalid_grant
2018-11-13 18:18:07 +00:00
sephster
94e75ba6f3
Fix bug
2018-11-13 12:56:06 +00:00
sephster
7982275757
Fix docblock alignment
2018-11-13 12:34:16 +00:00
sephster
f6c1070ccc
Add use Throwable
2018-11-13 12:32:52 +00:00
sephster
d64fb3f526
Merge master into this branch
2018-11-13 12:28:39 +00:00
Marc Ypes
4bb5b747c1
Replace fqn with unqualified name
2018-11-13 01:33:11 +01:00
Marc Ypes
3b983ad0b4
Include previous exception in catch and throw
2018-11-12 13:58:31 +01:00
sephster
34ec35019b
Remove additional whitespace
2018-11-08 13:10:22 +00:00
Marc Bennewitz
16f9de86f2
cleanup DateTime handling
...
* DateTime -> DateTimeImmutable
* DateTime::format('U') -> DateTime::getTimestamp()
* (new DateTime())->getTimestamp() -> time()
2018-11-08 12:45:18 +01:00
Andrew Millington
ac818bd921
Minor formatting adjustment
2018-11-06 21:42:05 +00:00
Marc Bennewitz
d288a2ad8a
Make AuthorizationServer stateless
2018-11-05 09:08:02 +01:00
Andrew Millington
a34f5dd7db
Merge pull request #953 from Sephster/code-tidyup
...
Code Tidyup
2018-10-13 17:06:21 +01:00
sephster
c0efdf0dd0
Revert changes to throws and returns ordering
2018-10-13 16:54:31 +01:00
sephster
f96fca3b48
Minor code tidyup
2018-10-13 16:44:40 +01:00
sephster
20b355b025
Re-order docblock throws
2018-10-13 16:31:36 +01:00
sephster
793f65d3a3
Remove unused scope entity interface
2018-10-13 16:14:15 +01:00
sephster
322b55eddf
Remove getScopes function and use validateScopes instead
2018-10-13 16:11:44 +01:00
sephster
50ab9dd8ac
Remove unused import
2018-10-13 15:28:39 +01:00
sephster
b624124d5a
Change param types to satisfy PHPStan
2018-10-13 15:25:49 +01:00
sephster
dbf2b55bc5
Fix docblock alignment
2018-10-13 15:16:50 +01:00