-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate confidential clients and determine if the client handles the grant type #1420
Open
hafezdivandari
wants to merge
12
commits into
thephpleague:master
Choose a base branch
from
hafezdivandari:always-validate-client
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from 10 commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
3bb50c1
always validate the client
hafezdivandari 07871d8
pass grant type to getClientEntity
hafezdivandari de05074
fix tests
hafezdivandari f7b9acb
add ClientEntityInterface::hasGrantType()
hafezdivandari 3f36fe5
use unauthorized_client error
hafezdivandari 0c5fd78
Merge branch 'master' into always-validate-client
hafezdivandari 9d88ce9
validate confidential clients
hafezdivandari 34d83aa
require client_secret for confidential clients
hafezdivandari c4c7362
redirect uri is required on auth code
hafezdivandari cd2f0bd
fix tests
hafezdivandari 44bb1bd
Merge branch 'master' into always-validate-client
hafezdivandari 4998c4a
fix tests
hafezdivandari File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be a grant type settings. Otherwise the client must know about all grant types.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the client may know the grant types it can handle, for example by having
grant_types
according to RFC7591There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RFC7591 describes the proccess of filling the client repository. It responses with a client information record.
ClientRepositoryInterface
hasvalidateClient($clientIdentifier, $clientSecret, $grantType)
method. The client's support for the grant type should be done in this method. Do you agree with it?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was just an example of how client may define its supported grant types.
That's exactly what I don't agree with in the current implementation, and this PR tries to fix.
First of all, this method returns
bool
, and causesinvalid_client
error when it returnsfalse
, but we needunauthorized_client
error, when the client doesn't support the given grant type.Second this method (
validateClient
) main intention is to validate the client secret, you may check its description.Third, this method is being called too late, in the last step of the flow, on
respondToAccessTokenRequest
method of all grants. But we want to check if the client actually handles the grant type in the very beginning of the flow.Lets assume we have a client that only supports
client_credentials
grant, currently you can use this client to get an authorizationcode
with no problem, and then in the last step when you want to use thatcode
to get anaccess_token
the server callsvalidateClient
method, and you'll getinvalid_client
error. After this PR, you will getunauthorized_client
error, in the first step, when you want to use that client to get an authorization code, because this client doesn't actually handle "authorization code" grant but only "client credentials" grant.