Loading classes/ClientAuthChecker.php +6 −7 Original line number Diff line number Diff line Loading @@ -15,19 +15,19 @@ class ClientAuthChecker { $this->locator = $locator; } public function validateClientAuth(): void { public function validateClientAuth(array $headers): BrowserBasedOAuth2Client { $basic = $this->getBasicAuthArray(); $basic = $this->getBasicAuthArray($headers); $clientId = $basic[0]; $clientSecret = $basic[1]; $this->locator->getBrowserBasedOAuth2ClientByIdAndSecret($clientId, $clientSecret); return $this->locator->getBrowserBasedOAuth2ClientByIdAndSecret($clientId, $clientSecret); } public function validateCliClientAuth(): CliOAuth2Client { public function validateCliClientAuth(array $headers): CliOAuth2Client { $basic = $this->getBasicAuthArray(); $basic = $this->getBasicAuthArray($headers); $clientId = $basic[0]; $clientSecret = $basic[1]; Loading @@ -35,8 +35,7 @@ class ClientAuthChecker { return $this->locator->getCliClientByIdAndSecret($clientId, $clientSecret); } private function getBasicAuthArray(): array { $headers = apache_request_headers(); private function getBasicAuthArray($headers): array { if (!isset($headers['Authorization'])) { throw new UnauthorizedException("Missing Authorization header"); Loading classes/ClientsLocator.php +1 −1 Original line number Diff line number Diff line Loading @@ -31,7 +31,7 @@ trait ClientsLocator { private function getClientConfigFromListByIdAndSecret(array $clients, string $clientId, string $secret): object { $client = $this->getClientConfigFromListById($clients, $clientId); $secretHash = hash('sha256', $secret); if ($client->secretHash !== $secretHash) { if ($client->secret !== $secretHash) { throw new UnauthorizedException("Wrong secret provided for client '$clientId'"); } return $client; Loading classes/JWKSHandler.php +4 −2 Original line number Diff line number Diff line Loading 
@@ -79,8 +79,10 @@ class JWKSHandler { public function loadAllJWKS(): array { foreach ($this->locator->config->jwksUrls as $url) { $this->loadJWKS($url); foreach ($this->locator->getBrowserBasedOAuth2Clients() as $client) { if ($client->jwks !== null) { $this->loadJWKS($client->jwks); } } $dao = $this->locator->getJWKSDAO(); Loading classes/Locator.php +0 −8 Original line number Diff line number Diff line Loading @@ -74,18 +74,10 @@ class Locator { } } public function getCallbackHandler(): CallbackHandler { return new CallbackHandler($this); } public function getUserHandler(): UserHandler { return new UserHandler($this); } public function getMailSender(): MailSender { return new MailSender($_SERVER['HTTP_HOST'], $this->getBasePath()); } public function getOAuth2RequestHandler(): OAuth2RequestHandler { return new OAuth2RequestHandler($this); } Loading classes/OAuth2RequestHandler.php +30 −7 Original line number Diff line number Diff line Loading @@ -76,7 +76,12 @@ class OAuth2RequestHandler { if ($state !== null) { // Authorization code grant flow $redirectUrl = $session->getOAuth2RequestData()->redirectUrl . '?code=' . $code . '&scope=profile&state=' . $state; . '?code=' . $code; $scope = $tokenData->scope; if ($scope !== null && count($scope) > 0) { $redirectUrl .= '&scope=' . implode("%20", $scope); } $redirectUrl .= '&state=' . $state; } else { // Implicit grant flow $idToken = $this->locator->getTokenBuilder()->getIdToken($tokenData, function(& $jwt) use($nonce) { Loading 
@@ -88,9 +93,27 @@ class OAuth2RequestHandler { return $redirectUrl; } public function handleGetTokenFromCodeRequest($params): array { public function handleAccessTokenRequest(array $params, array $headers): array { if ($params['grant_type'] === null) { throw new \RAP\BadRequestException("grant_type is required"); } switch ($params['grant_type']) { case "authorization_code": return $this->handleGetTokenFromCodeRequest($params, $headers); case "client_credentials": return $this->handleClientCredentialsRequest($headers); case "refresh_token": return $this->handleRefreshTokenRequest($params, $headers); default: throw new \RAP\BadRequestException("Unsupported grant type " . $params['grant_type']); } } private function handleGetTokenFromCodeRequest(array $params, array $headers): array { $this->locator->getClientAuthChecker()->validateClientAuth(); $this->locator->getClientAuthChecker()->validateClientAuth($headers); if ($params['code'] === null) { throw new BadRequestException("code id is required"); Loading Loading @@ -120,9 +143,9 @@ class OAuth2RequestHandler { return $response; } public function handleClientCredentialsRequest($params): array { private function handleClientCredentialsRequest(array $headers): array { $client = $this->locator->getClientAuthChecker()->validateCliClientAuth(); $client = $this->locator->getClientAuthChecker()->validateCliClientAuth($headers); $accessTokenData = new AccessTokenData(); $accessTokenData->clientId = $client->id; Loading @@ -133,9 +156,9 @@ class OAuth2RequestHandler { return $this->getAccessTokenResponse($accessTokenData, false); } public function handleRefreshTokenRequest($params): array { private function handleRefreshTokenRequest(array $params, array $headers): array { $this->locator->getClientAuthChecker()->validateClientAuth(); $this->locator->getClientAuthChecker()->validateClientAuth($headers); if ($params['refresh_token'] === null) { throw new BadRequestException("refresh_token is required"); Loading Loading
classes/ClientAuthChecker.php +6 −7 Original line number Diff line number Diff line Loading @@ -15,19 +15,19 @@ class ClientAuthChecker { $this->locator = $locator; } public function validateClientAuth(): void { public function validateClientAuth(array $headers): BrowserBasedOAuth2Client { $basic = $this->getBasicAuthArray(); $basic = $this->getBasicAuthArray($headers); $clientId = $basic[0]; $clientSecret = $basic[1]; $this->locator->getBrowserBasedOAuth2ClientByIdAndSecret($clientId, $clientSecret); return $this->locator->getBrowserBasedOAuth2ClientByIdAndSecret($clientId, $clientSecret); } public function validateCliClientAuth(): CliOAuth2Client { public function validateCliClientAuth(array $headers): CliOAuth2Client { $basic = $this->getBasicAuthArray(); $basic = $this->getBasicAuthArray($headers); $clientId = $basic[0]; $clientSecret = $basic[1]; Loading @@ -35,8 +35,7 @@ class ClientAuthChecker { return $this->locator->getCliClientByIdAndSecret($clientId, $clientSecret); } private function getBasicAuthArray(): array { $headers = apache_request_headers(); private function getBasicAuthArray($headers): array { if (!isset($headers['Authorization'])) { throw new UnauthorizedException("Missing Authorization header"); Loading
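Review bot: `getBasicAuthArray($headers)` takes the caller-supplied array untyped while its two public callers declare `array $headers`, and it still looks up `$headers['Authorization']` with an exact-case key, so a request whose header arrives as `authorization:` (HTTP/2 lowercases field names on the wire) is rejected as missing unless the caller normalises case first. Type the parameter and normalise before the lookup: `private function getBasicAuthArray(array $headers): array {`, then `$headers = array_change_key_case($headers, CASE_LOWER);` and `if (!isset($headers['authorization'])) {`. Whether the code that now builds `$headers` already lowercases keys is not visible in this diff, so confirm that rather than assume it. The rest of `getBasicAuthArray` (decoding the Basic credential and splitting it into id and secret) continues outside the hunk.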
classes/ClientsLocator.php +1 −1 Original line number Diff line number Diff line Loading @@ -31,7 +31,7 @@ trait ClientsLocator { private function getClientConfigFromListByIdAndSecret(array $clients, string $clientId, string $secret): object { $client = $this->getClientConfigFromListById($clients, $clientId); $secretHash = hash('sha256', $secret); if ($client->secretHash !== $secretHash) { if ($client->secret !== $secretHash) { throw new UnauthorizedException("Wrong secret provided for client '$clientId'"); } return $client; Loading
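Review bot: The secret check `if ($client->secret !== $secretHash)` compares two hex digests with an early-exit string comparison; `if (!hash_equals($client->secret, $secretHash)) {` makes it constant-time at no cost and is the idiom for comparing credential material. The rename also means the configured `secret` property now holds `sha256(secret)` rather than the secret itself, which the name hides — a comment such as `// $client->secret is the hex SHA-256 of the client secret, never the plaintext value` would keep the next maintainer from storing a plaintext secret there. An unsalted SHA-256 is only adequate when client secrets are long server-generated random values; if operators may choose their own, `password_hash`/`password_verify` is the safer primitive. The exception message confirms that `$clientId` exists when only the secret is wrong; how `getClientConfigFromListById` reports an unknown id is outside the hunk, so check that the two failure paths look the same to the caller.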
classes/JWKSHandler.php +4 −2 Original line number Diff line number Diff line Loading @@ -79,8 +79,10 @@ class JWKSHandler { public function loadAllJWKS(): array { foreach ($this->locator->config->jwksUrls as $url) { $this->loadJWKS($url); foreach ($this->locator->getBrowserBasedOAuth2Clients() as $client) { if ($client->jwks !== null) { $this->loadJWKS($client->jwks); } } $dao = $this->locator->getJWKSDAO(); Loading
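Review bot: The guard `if ($client->jwks !== null)` lets an empty-string `jwks` value through to `loadJWKS`; `if ($client->jwks !== null && $client->jwks !== '')` would skip a misconfigured client instead of attempting a load with no URL. The change also moves the source of trusted signing keys from one global `jwksUrls` list to a per-client value, so a comment on the loop such as `// Each browser-based client may supply its own JWKS; keys loaded here are trusted for token verification` would document the new trust boundary. What `loadJWKS` does with the value and how the loaded keys are scoped is outside this hunk, so whether keys from one client's JWKS can verify tokens presented on behalf of another client is worth confirming. `loadAllJWKS` begins before and ends after the hunk.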
classes/Locator.php +0 −8 Original line number Diff line number Diff line Loading @@ -74,18 +74,10 @@ class Locator { } } public function getCallbackHandler(): CallbackHandler { return new CallbackHandler($this); } public function getUserHandler(): UserHandler { return new UserHandler($this); } public function getMailSender(): MailSender { return new MailSender($_SERVER['HTTP_HOST'], $this->getBasePath()); } public function getOAuth2RequestHandler(): OAuth2RequestHandler { return new OAuth2RequestHandler($this); } Loading
classes/OAuth2RequestHandler.php +30 −7 Original line number Diff line number Diff line Loading @@ -76,7 +76,12 @@ class OAuth2RequestHandler { if ($state !== null) { // Authorization code grant flow $redirectUrl = $session->getOAuth2RequestData()->redirectUrl . '?code=' . $code . '&scope=profile&state=' . $state; . '?code=' . $code; $scope = $tokenData->scope; if ($scope !== null && count($scope) > 0) { $redirectUrl .= '&scope=' . implode("%20", $scope); } $redirectUrl .= '&state=' . $state; } else { // Implicit grant flow $idToken = $this->locator->getTokenBuilder()->getIdToken($tokenData, function(& $jwt) use($nonce) { Loading @@ -88,9 +93,27 @@ class OAuth2RequestHandler { return $redirectUrl; } public function handleGetTokenFromCodeRequest($params): array { public function handleAccessTokenRequest(array $params, array $headers): array { if ($params['grant_type'] === null) { throw new \RAP\BadRequestException("grant_type is required"); } switch ($params['grant_type']) { case "authorization_code": return $this->handleGetTokenFromCodeRequest($params, $headers); case "client_credentials": return $this->handleClientCredentialsRequest($headers); case "refresh_token": return $this->handleRefreshTokenRequest($params, $headers); default: throw new \RAP\BadRequestException("Unsupported grant type " . $params['grant_type']); } } private function handleGetTokenFromCodeRequest(array $params, array $headers): array { $this->locator->getClientAuthChecker()->validateClientAuth(); $this->locator->getClientAuthChecker()->validateClientAuth($headers); if ($params['code'] === null) { throw new BadRequestException("code id is required"); Loading Loading 
@@ -120,9 +143,9 @@ class OAuth2RequestHandler { return $response; } public function handleClientCredentialsRequest($params): array { private function handleClientCredentialsRequest(array $headers): array { $client = $this->locator->getClientAuthChecker()->validateCliClientAuth(); $client = $this->locator->getClientAuthChecker()->validateCliClientAuth($headers); $accessTokenData = new AccessTokenData(); $accessTokenData->clientId = $client->id; Loading @@ -133,9 +156,9 @@ class OAuth2RequestHandler { return $this->getAccessTokenResponse($accessTokenData, false); } public function handleRefreshTokenRequest($params): array { private function handleRefreshTokenRequest(array $params, array $headers): array { $this->locator->getClientAuthChecker()->validateClientAuth(); $this->locator->getClientAuthChecker()->validateClientAuth($headers); if ($params['refresh_token'] === null) { throw new BadRequestException("refresh_token is required"); Loading
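Review bot: In the first hunk (`@@ -76`), `$code`, each scope value and `$state` are concatenated into `$redirectUrl` without URL encoding; only the separator between scopes is hand-encoded as `%20`, so a `state` value containing `&`, `#` or `%` (state is chosen by the client in the authorization request) or a scope string with reserved characters yields a malformed or re-interpretable redirect. Build the query with `http_build_query` and `PHP_QUERY_RFC3986`, which escapes every value and still emits `%20` between scopes, as sketched below. In `handleAccessTokenRequest`, `$params['grant_type'] === null` raises an undefined-array-key warning when the key is absent before it throws; `($params['grant_type'] ?? null) === null` (likewise for `code` and `refresh_token` in the later hunks) avoids that, and the unsupported-grant message echoes the raw client-supplied value back. `validateClientAuth($headers)` now returns the authenticated client, but `handleGetTokenFromCodeRequest` and `handleRefreshTokenRequest` both discard it; if the remainder of those methods (outside the hunks) does not verify that the code or refresh token was issued to that same client, any client with valid credentials can redeem another client's code, so capturing the return value and comparing its id to the one stored with the code is the check to add. The `if ($state !== null)` block being rewritten begins before the first hunk.
```php
if ($state !== null) {
    // Authorization code grant flow
    $query = ['code' => $code];
    $scope = $tokenData->scope;
    if ($scope !== null && count($scope) > 0) {
        $query['scope'] = implode(' ', $scope);
    }
    $query['state'] = $state;
    // RFC 3986 encoding escapes every value (state included), not just the scope separator
    $redirectUrl = $session->getOAuth2RequestData()->redirectUrl
        . '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
// … unchanged: implicit grant branch …
```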