Commit Graph

1206 Commits

Author SHA1 Message Date
Andrew Millington
9cd86a9154 Remove default scope for the ClientCredentialsGrant 2017-11-06 21:21:14 +00:00
Andrew Millington
42ea0de9fb Add default scope to the AbstractAuthorizeGrant 2017-11-06 21:19:38 +00:00
Andrew Millington
ab760a805c Remove default scope from abstract grant
This should be added to the AbstractAuthorizeGrant instead as it is 
only used for an authorization request
2017-11-06 21:19:07 +00:00
Andrew Millington
ac48653bb5
Merge pull request #797 from thephpleague/Update-Readme
Update readme file to bring in Andy, Brian, and Simon
2017-11-05 11:52:28 +00:00
Andrew Millington
4806eda45a Change to throw invalid scope instead of missing scope exception 2017-10-31 22:59:01 +00:00
Andrew Millington
b2fe909a71 Removed the missing scope exception as should be using invalid_scope 2017-10-31 22:58:07 +00:00
Ron Arts
f79d3f27cf Incorporate https://github.com/thephpleague/oauth2-server/pull/731. Thanks.
Now can handle cr/lf, cr, and lf endings. And on php5 large keys as well.
2017-10-31 10:14:46 +01:00
Andrew Millington
3828f87b19 Fix tests as no longer set the default scope in the constructor
Use new setDefaultScope() method instead. Also changed default scope to
be a blank string instead of null
2017-10-30 23:48:02 +00:00
Andrew Millington
a49f6ff80d Remove setting default scope in the constructor 2017-10-30 23:36:19 +00:00
Ron Arts
4563685375 Also accept an RSA key with crlf 2017-10-30 16:21:17 +01:00
Luca Santarella
a4fc05c31e
Fixed indentation in comment to match code style 2017-10-25 18:33:54 -04:00
Luca Santarella
825017f27e
Ability to specify query delimiter, such as ? instead of the hard-coded # 2017-10-25 18:30:17 -04:00
Brian Retterer
23c7138d48 Apply fixes from StyleCI 2017-10-23 15:26:10 +00:00
Andrew Millington
63861704b6 Merge pull request #749 from dmelo/issue-748
Replaces array_key_exists by isset, which is faster, on ImplicitGrant.
2017-10-20 18:28:18 +01:00
Diogo Oliveira de Melo
203be5ca20 Revert comparison order, as suggested by @Sephster 2017-10-20 09:23:36 -02:00
Andrew Millington
5a28fb8af4 Set a default scope for the authorization server 2017-10-18 22:09:53 +01:00
Andrew Millington
c996b66528 Add means to set default scopes for grants 2017-10-18 22:08:41 +01:00
Andrew Millington
c70451abd5 Add an exception for a missing scope 2017-10-18 22:08:11 +01:00
Andrew Millington
e7ee483d11 Changed function comment to reflect we are setting the public, instead of private key 2017-10-13 23:02:29 +01:00
Erick Torres
4270f5bac1 Merge branch 'master' of github.com:erickjth/oauth2-server into fix-pkce-implementation
# Conflicts:
#	src/Grant/AuthCodeGrant.php
2017-09-07 17:24:48 -05:00
Alex Bilbie
3b58ab1df2 Merge pull request #724 from davedevelopment/change-token-type-case
Change case for implict grant token_type
2017-08-11 08:16:08 +01:00
Alex Bilbie
c86c7dde70 Fix #759 2017-08-03 16:07:11 +01:00
Alex Bilbie
e184691ded Merge pull request #776 from yannickl88/fix/perm-key-check
Removed chmod from CryptKey and add toggle to disable checking
2017-08-03 16:04:08 +01:00
Yannick de Lange
2aca909d20 Removed chmod from CryptKey and add toggle to disable checking 2017-08-03 15:57:39 +02:00
Hugo Hamon
79038ced78 [BC Break] Fixes invalid code challenge method payload key name
I guess this change might be a BC break for existing and active authorization tokens when they're validated by the server. The good thing is that an authorization token has a very short expiration time and is used once to request an access token.
2017-08-02 17:55:11 +02:00
Benjamin Dieleman
ecc07abb33 Updated PHPDoc about the unicity violation exception throwing
UniqueTokenIdentifierConstraintViolationException can be thrown when persisting tokens
2017-07-27 17:31:01 +02:00
Alex Bilbie
80fc8e654b Trigger E_USER_NOTICE instead of throwing an exception if key cannot be chmod to 600 2017-07-19 07:57:47 +01:00
Erick Torres
88ccb6ff13 Fix codeVerifier check. Keep code style. 2017-07-07 12:35:42 -05:00
Erick Torres
fbb3586cae Merge branch 'master' of github.com:erickjth/oauth2-server into fix-pkce-implementation
# Conflicts:
#	src/Grant/AuthCodeGrant.php
#	tests/Grant/AuthCodeGrantTest.php
2017-07-07 12:06:32 -05:00
Jérôme Parmentier
88bf8b2367 Fix missing sprintf 2017-07-03 20:28:28 +02:00
Alex Bilbie
f5c3ba0b24 Removed dead code 2017-07-01 18:22:51 +01:00
Alex Bilbie
523434902c Removed dead code 2017-07-01 18:15:41 +01:00
Alex Bilbie
76c2b6f88c AuthorizationServer no longer needs to know about the public key 2017-07-01 18:11:10 +01:00
Alex Bilbie
72349ef22f Encryption key is now always required so remove redundent code 2017-07-01 18:10:53 +01:00
Alex Bilbie
850793ab88 Added missing methods 2017-07-01 18:08:49 +01:00
Alex Bilbie
0f73bf0054 Encryption key just uses Defuse\Crypto now, no key based crypto 2017-07-01 18:07:51 +01:00
Alex Bilbie
aee1779432 Apply fixes from StyleCI 2017-07-01 16:19:23 +00:00
Alex Bilbie
765a01021b Updated error message 2017-07-01 16:45:29 +01:00
Alex Bilbie
0706d66c76 Don’t pad and shuffle the payload if an encryption key has been set 2017-07-01 16:45:29 +01:00
Alex Bilbie
e123fe82d0 Ignore error_log messages in code coverage 2017-07-01 16:45:29 +01:00
Alex Bilbie
1954120c3d Use catch all exception 2017-07-01 16:45:29 +01:00
Alex Bilbie
dd5eee150d Ensure response type also has access to the encryption key 2017-07-01 16:45:29 +01:00
Alex Bilbie
1af4012df4 New property on AuthorizationServer to receive an encryption key which is used for future encryption/decryption instead of keybased encryption/decryption 2017-07-01 16:45:29 +01:00
Alex Bilbie
4a717104fa Shuffle the contents of the authorization code payload 2017-07-01 16:45:29 +01:00
Alex Bilbie
63530443fe Better error checking when saving a temporary key to ensure file was written successfully and the server is the exclusive mode 2017-07-01 16:44:57 +01:00
Alex Bilbie
2f8de3d230 Ensure the server is the exclusive owner of the key 2017-07-01 16:44:51 +01:00
Alex Bilbie
57d199b889 Stricter validation of code challenge value to match RFC 7636 requirements 2017-07-01 16:44:43 +01:00
Alex Bilbie
6bdd108145 Escape scope parameter to reduce pontential XSS vector 2017-07-01 16:43:31 +01:00
Diogo Oliveira de Melo
170ce2fd2d Replaces array_key_exists by isset, which is faster, on ImplicitGrant. 2017-06-30 15:42:23 -03:00
Erick Torres
880e3b4590 Fix invalid code_challenge_method key. 2017-06-16 12:03:04 -05:00
Erick Torres
2167edf1d9 Validate codeVerifier and codeChallenge correctly. 2017-06-16 12:02:48 -05:00
Erick Torres
2482630221 Fix codeVerifier hash verification. 2017-06-16 12:02:34 -05:00
Dave Marshall
83228bdcd5 Change case for implict grant token_type 2017-03-27 12:11:25 +01:00
Stanimir Stoyanov
d73b15ae32
Getter and setter for the payload and ability to pass options to json_encode 2017-03-20 14:52:35 +02:00
Ian Littman
d8ece093d5 Add hasRedirect() method for OAuthServerException
Resolves #694.
2017-02-04 14:50:46 -05:00
François Kooman
6426e597a3
Fix PKCE code verifier encoding to match specification
The current implementation of PKCE does not follow the specification
correctly regarding the encoding of the code verifier. This patch
correctly encodes the hash of the code verifier according to
Appenix A of RFC 7636.
2017-01-24 11:36:34 +01:00
jeremykendall
01677a564e Fix WWW-Authenticate entry in $headers array
In this context the header name should be the array key and the header
value the array value.
2016-10-11 22:27:24 -05:00
Alex Bilbie
b1bfff7325 Don't pass in user because we don't know who user is 2016-09-19 10:05:55 +01:00
Alex Bilbie
11ccc305d0 Applied fixes from StyleCI 2016-09-13 14:17:09 +00:00
Alex Bilbie
d7df2f7e24 Fix for #650 2016-09-13 15:16:58 +01:00
Julián Gutiérrez
065ef5db99 CryptKey tests 2016-07-19 17:15:36 +02:00
Julián Gutiérrez
039537ebe2 touch! 2016-07-19 15:06:32 +02:00
Julián Gutiérrez
d8930af5ee key file auto-generation from string 2016-07-19 15:01:31 +02:00
Ian Littman
090c01d3d1 Allow easy addition of custom fields to Bearer token response 2016-07-16 10:27:33 -05:00
Pierre Rineau
57323f38f7 while(array_shift()) makes the AuthorizationServer class configuration mutable 2016-07-13 12:03:05 +02:00
Lukáš Unger
c874c59b9c Explicitly compare to false when checking not instanceof 2016-07-09 12:09:21 +02:00
Lukáš Unger
c3a4670c11 Updated PHPDoc 2016-07-09 02:01:53 +02:00
Luca Degasperi
655a4b2715 Make ClientRepositoryInterface more flexible
This small change will allow the use of the ```ClientRepositoryInterface``` for more use cases than simply validating clients when authorizing them. There might be some places where this change will affect the behavior. I also think the ```$mustValidateSecret``` is redundant since in an implementation a check could be done wether ```$clientSecret``` is null or not.
2016-06-30 16:49:47 +02:00
Alex Bilbie
5ee1583c5b Ensure state is in access denied redirect. Fixes #597 2016-06-28 09:03:01 +01:00
Alex Bilbie
66de05a395 Merge pull request #605 from jfilla/master
Added catch Runtime exception when parsing JWT string
2016-06-28 08:49:29 +01:00
Alex Bilbie
df20da1235 Merge pull request #601 from zerkms/ISSUE-596_UNIQUE_ACCESS_TOKEN
Added a check for unique access token constraint violation
2016-06-28 08:48:38 +01:00
Jakub Filla
9eccc40eb6 Added catch Runtime exception when parsing JWT string 2016-06-22 12:38:03 +02:00
Ian Littman
9775c0076b Look at Authorization header directly for HTTP Basic auth check
Should allow for better compatibility with server implementations that aren't sitting on top of a standard SAPI (e.g. persistent web servers building a PSR-7 compatible request from a socket-received message).

One catch here is that I've seen Apache hijack the HTTP Authorization header in the past, though that would probably impact the other aspects of the server just as much as it would this, so I think that risk is manageable.

Added tests to cover all paths through the new code, so the AbstractGrant type still has 100% coverage :)

Did notice that, as of the latest versions of PHPUnit, the mock creation method is deprecated. Maybe that needs to be updated? Haven't checked to see whether the replacements are PHPUnit 4.8 compatible though, so maybe they need to stay in order to test on older PHP versions?
2016-06-21 21:08:38 -05:00
Ivan Kurnosov
b68ef973df Added a check for unique access token constraint violation 2016-06-20 20:19:03 +12:00
Ivan Kurnosov
6b88cbeb13 Removed isExpired() from interfaces and traits 2016-06-17 19:50:04 +12:00
Julián Gutiérrez
22e6a350dd unify middleware exception responses 2016-05-11 14:13:58 +02:00
İsmail BASKIN
9a58bc15f6
Include redirect_uri check on authorization endpoint on implicit grant 2016-05-07 17:44:02 +03:00
Alex Bilbie
8e8aed1a50 Implemented RFC7636. Fixes #574 2016-05-06 15:23:16 +01:00
İsmail BASKIN
7285ede563
Include redirect_uri check on authorization endpoint 2016-05-04 13:34:37 +03:00
Alex Bilbie
db055f790d Revert "Remove redundant parameters in example" #553
This reverts commit 9a93dca05c.
2016-05-04 09:10:05 +01:00
Alex Bilbie
cf63403585 Merge branch 'master' of github.com:thephpleague/oauth2-server 2016-05-04 08:56:04 +01:00
Alex Bilbie
cdf43e498e Use constant for event name instead of explicit string. Fixes #563 2016-05-04 08:55:57 +01:00
Alex Bilbie
a12fc98b0d Merge pull request #569 from ismailbaskin/patch-2
Correct wrong phpdoc
2016-05-04 08:45:58 +01:00
Lee
0bb968f413 Fixed typo in exception string 2016-05-04 15:13:48 +08:00
ismail BASKIN
88b19ad2d0 Correct wrong phpdoc 2016-05-04 00:54:36 +03:00
ismail BASKIN
72cd9a62e1 Remove unused request property 2016-04-30 05:08:28 +03:00
Alex Bilbie
acf262f879 Merge pull request #553 from markinjapan/patch-1
Remove redundant parameters in getNewToken()
2016-04-27 20:58:29 +01:00
Alex Bilbie
5241309bdb Fixes #560 2016-04-27 20:53:12 +01:00
Mark
a6b7a5cedc Remove use of redundant parameters 2016-04-20 16:52:36 +09:00
Mark
78b6bddc4d Remove redundant parameters 2016-04-20 16:29:37 +09:00
Alex Bilbie
7bfd5b7d0d Added abstract methods for required methods 2016-04-18 12:22:15 +01:00
Alex Bilbie
143a2e32f7 Client may return an array of redirect URIs 2016-04-18 12:21:42 +01:00
Alex Bilbie
8f418cff08 Added missing state parameter in redirect response 2016-04-18 12:19:54 +01:00
Alex Bilbie
fcec1f3442 Cody tidy 2016-04-18 12:19:36 +01:00
Alex Bilbie
46e7eef14e Client could potentially return an array of redirect URIs 2016-04-18 12:12:36 +01:00
Alex Bilbie
51f44fdf17 Code tidy 2016-04-18 12:12:06 +01:00
Alex Bilbie
f8b2e80ef3 Removed unnecessary parameter usage 2016-04-18 12:10:57 +01:00
Alex Bilbie
fb8f47e868 Added $mustValidateSecret parameter to ClientRepositoryInterface:: getClientEntity(). Fixes #550 2016-04-18 08:32:49 +01:00
Alex Bilbie
78c2067698 Merge pull request #548 from thephpleague/analysis-z9mQxo
Applied fixes from StyleCI
2016-04-17 13:07:15 +01:00
Alex Bilbie
257318e524 Merge pull request #547 from lookyman/scope-fixes
Fix scope loading in grants
2016-04-17 13:06:57 +01:00
Alex Bilbie
77737e7894 Applied fixes from StyleCI 2016-04-17 08:06:17 -04:00
Alex Bilbie
f007e25070 Added copyright docblocks 2016-04-17 13:06:05 +01:00
Alex Bilbie
f6f39698d9 Renamed Server to AuthorizationServer 2016-04-17 12:54:25 +01:00
Lukáš Unger
3904767873 Fix scope loading in grants 2016-04-17 13:50:56 +02:00
Alex Bilbie
6205611a71 Removed unused methods 2016-04-17 12:42:42 +01:00
Alex Bilbie
08c356a1e1 Added ResourceServer class 2016-04-17 12:33:29 +01:00
Alex Bilbie
94a1c18fa9 Implict grant does not return return refresh tokens 2016-04-17 12:12:49 +01:00
Luca Degasperi
de635f826f Update AbstractGrant.php
The hint is not necessary since it gets created by the exception with the parameter.
2016-04-11 15:59:47 +02:00
Alex Bilbie
3e8577f889 Merge pull request #536 from Bobselp/V5-WIP
less verbose exceptions for RefreshTokenGrant
2016-04-11 08:24:31 +01:00
ivyhjk
f7413c2f15 Update BearerTokenResponse.php 2016-04-10 19:05:32 -03:00
Bobselp
6e583fdf8a less verbose exceptions for RefreshTokenGrant
For the LogicException you could also use `throw OAuthServerException::invalidRequest('refresh_token', 'Cannot decrypt the authorization code');`, to get the exact same error AuthCodeGrant-php throws if decryption of `code` fails there.
The second error hint provides information which doesn't help users of the API, although it is next to impossible to trigger this error due to the encryption.
2016-04-10 22:19:42 +02:00
Alex Bilbie
2328f59601 Applied fixes from StyleCI 2016-04-10 12:16:40 -04:00
Bobselp
eb7526ae97 finalize scopes for AuthCodeGrant 2016-04-10 18:07:18 +02:00
Bobselp
03e8eb6157 revoke an used auth code 2016-04-10 18:05:16 +02:00
Alex Bilbie
92a483b3bd Improved tests 2016-04-10 16:14:01 +01:00
Alex Bilbie
5969082963 Fix tests and improve code coverate 2016-04-10 15:58:01 +01:00
Alex Bilbie
7c86d3b848 Merge branch 'V5-authorization-request-flow' of github.com:thephpleague/oauth2-server into V5-authorization-request-flow 2016-04-10 14:31:25 +01:00
Alex Bilbie
ba30e34511 Lazy set $accessTokenTTL 2016-04-10 14:31:05 +01:00
Alex Bilbie
e24dff2723 Fixed expires_in 2016-04-10 14:30:44 +01:00
Alex Bilbie
1512960d92 Applied fixes from StyleCI 2016-04-10 09:23:10 -04:00
Alex Bilbie
273ea0ba68 Updated implicit grant to use the new auth request flow 2016-04-10 14:22:56 +01:00
Alex Bilbie
096a4a2883 Remove unused params 2016-04-10 14:22:32 +01:00
Alex Bilbie
a0c4900ee7 Client is not required here because of finalizeScopes method 2016-04-10 13:53:16 +01:00
Alex Bilbie
c034c3b13c Merge pull request #524 from thephpleague/analysis-qJ2LoW
Applied fixes from StyleCI
2016-04-10 11:56:33 +01:00
Alex Bilbie
634578997f Merge pull request #523 from thephpleague/analysis-XajbB0
Applied fixes from StyleCI
2016-04-10 11:56:17 +01:00
Alex Bilbie
79aa1988d8 Removed HtmlResponse 2016-04-10 11:55:17 +01:00
Alex Bilbie
7c35985c1e Applied fixes from StyleCI 2016-04-10 06:52:27 -04:00
Alex Bilbie
c75d0e0f0e Removed templating code 2016-04-10 11:52:18 +01:00
Alex Bilbie
5d3516c7b4 Applied fixes from StyleCI 2016-04-10 06:48:46 -04:00
Alex Bilbie
d4fb00628e Updated server methods 2016-04-10 11:48:32 +01:00
Alex Bilbie
4bc835c007 Updated AuthCodeGrant with new methods to validate and complete an authorization request 2016-04-10 11:48:21 +01:00
Alex Bilbie
fdb1d70874 Updated header key 2016-04-10 11:47:41 +01:00
Alex Bilbie
5410a42bb6 Fix to broken methods 2016-04-10 10:28:12 +01:00
Alex Bilbie
b7064befe4 Checkin 2016-04-10 10:07:08 +01:00
Alex Bilbie
44937f3600 Updated method calls 2016-04-09 16:22:22 +01:00
Alex Bilbie
76ea6b5a6c Renamed grant type canRespondToRequest to canRespondToAccessTokenRequest 2016-04-09 16:22:00 +01:00
Alex Bilbie
4689802c30 Renamed server respondToRequest to respondToAccessTokenRequest 2016-04-09 16:20:30 +01:00
Alex Bilbie
2c2ef800d4 Applied fixes from StyleCI 2016-04-09 10:46:40 -04:00
Alex Bilbie
d8d49f742e Removed unnecessary abstract classes 2016-04-09 15:46:30 +01:00
Alex Bilbie
b59106dc64 Added ClientTrait 2016-04-09 15:27:44 +01:00
Alex Bilbie
c6faa228fe Updated references to interfaces 2016-04-09 15:25:45 +01:00
Alex Bilbie
4eee48ca4e Moved entity interfaces into parent folder. Fixes #504 2016-04-09 15:25:32 +01:00
Alex Bilbie
00518dded7 Removed built-in entities, all functinality available using traits 2016-04-09 15:21:15 +01:00
Alex Bilbie
5ca2152313 Updated examples 2016-04-09 15:17:11 +01:00
Alex Bilbie
be9bd76f35 Added AccessTokenTrait 2016-04-09 15:09:13 +01:00
Alex Bilbie
198f4c4b6f Merge branch 'token_from_repo' of https://github.com/frederikbosch/oauth2-server into frederikbosch-token_from_repo
# Conflicts:
#	tests/Grant/AuthCodeGrantTest.php
#	tests/Grant/ImplicitGrantTest.php
#	tests/Grant/RefreshTokenGrantTest.php
2016-04-09 14:12:06 +01:00
Alex Bilbie
6f0a0cca4e Merge pull request #498 from frederikbosch/client_user_id_replaced
Client identifier passed where user identifier is expected
2016-04-09 13:55:16 +01:00
Alex Bilbie
1ccfd9be32 Applied fixes from StyleCI 2016-04-09 08:53:29 -04:00
Alex Bilbie
a83c56f570 Comment improvement 2016-04-09 13:53:14 +01:00
Alex Bilbie
d7dd07cf18 Merge branch 'v5-fix' of https://github.com/assembledadam/oauth2-server into assembledadam-v5-fix 2016-04-09 13:51:57 +01:00