friendsofsymfony / oauth2-php
This project forked from arnaud-lb/oauth2-php
A server implementation of OAuth 2.0
License: MIT License
Problem:
There is an inconsistency in the token type value. In the header name Bearer is required, but while creating the access token bearer is used by default. This leads to the problem described here: FriendsOfSymfony/FOSOAuthServerBundle#180
class OAuth2\OAuth2 line 181:
const TOKEN_BEARER_HEADER_NAME = 'Bearer';
class OAuth2\Oauth2 line 259:
const TOKEN_TYPE_BEARER = 'bearer';
Suggestion:
Change the default value of the TOKEN_TYPE_BEARER field to Bearer
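Added example, not code from this repository: both the token_type value in a token response (RFC 6749 section 5.1) and the authentication scheme in the Authorization header (RFC 6750 section 2.1) are case-insensitive, so comparing them that way removes the dependency on the casing of either constant. The two constants mirror the ones quoted in the report; the function names and the sample values are constructed for the example.

```php
<?php
// Added example, not oauth2-php code: case-insensitive handling of the bearer
// token type on both sides of the exchange, so 'bearer' and 'Bearer' agree.

declare(strict_types=1);

const TOKEN_TYPE_BEARER        = 'bearer';   // written into the token response
const TOKEN_BEARER_HEADER_NAME = 'Bearer';   // expected scheme in the Authorization header

/** Client side: does a token response declare a bearer token, in any casing? */
function isBearerTokenType(array $tokenResponse): bool
{
    return isset($tokenResponse['token_type'])
        && strcasecmp((string) $tokenResponse['token_type'], TOKEN_TYPE_BEARER) === 0;
}

/** Server side: the bearer token from an Authorization header, or null if the scheme is not Bearer. */
function bearerTokenFromHeader(?string $authorization): ?string
{
    if ($authorization === null) {
        return null;
    }
    // RFC 6750 2.1: credentials = "Bearer" 1*SP b64token; the scheme match is case-insensitive (/i)
    $pattern = '/^\s*' . preg_quote(TOKEN_BEARER_HEADER_NAME, '/') . '\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i';
    return preg_match($pattern, $authorization, $m) === 1 ? $m[1] : null;
}

// Constructed values: each pair must agree regardless of casing; the Basic header must be refused.
var_dump(isBearerTokenType(['access_token' => 'x', 'token_type' => 'bearer']));
var_dump(isBearerTokenType(['access_token' => 'x', 'token_type' => 'Bearer']));
var_dump(bearerTokenFromHeader('Bearer x'));
var_dump(bearerTokenFromHeader('bearer x'));
var_dump(bearerTokenFromHeader('Basic eDp5'));
```

With this in place the casing of TOKEN_TYPE_BEARER becomes a presentation detail rather than a compatibility problem for clients that compare strictly.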
Hi,
When you're requesting an access token based on user credentials, you get a wrong response when your credentials are invalid.
Expected result:
{
"error_description" : "Invalid username and password combination",
"error" : "invalid_grant"
}
Instead, it only returns:
{
"error" : "invalid_grant"
}
I will create a pull-request if necessary.
Best wishes,
Steffen Brem
Is there a particular reason why makeRequest() of OAuth2Client only allows GET and POST HTTP methods?
A typical REST API involves PUT, PATCH, and DELETE which are impossible to use with the client at this time.
In the code I see a comment // Method override as we always do a POST. but I'm not quite sure why it is that "we ALWAYS do a POST".
In our current project we will be overriding the makeRequest() method to support PUT, PATCH, and DELETE; if you are interested I can submit a PR to add such support here as well.
Can we bump the version number to 1.1.2 to release the feature from #75 ?
composer.json limits to symfony 2.1 on master
PHPDoc is invalid since the changes for strict type compat in bundle:
- '#Parameter \#1 \$httpStatusCode of class OAuth2\\OAuth2ServerException constructor expects string, int given#'
- '#Parameter \#1 \$httpCode of class OAuth2\\OAuth2AuthenticateException constructor expects string, int given#'
What about using Symfony's SecureRandom or random_bytes() to generate tokens?
The new fix concerning the handling of scopes is a big issue I think, so it would be great to have a new tag based on that, if there is no breaking change since the last tag.
Thanks
According to the OAuth specs, it's possible to add the assertion grant type (see example here http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.5). Is it possible to handle such grant types with this library?
When you use the Implicit Grant, if some error occurs that is not related to the redirect_uri, for example 'The user denied access to your application', the error response should be in the fragment component of the redirection URI. Now the response is a query string:
http://your_redirect_uri?error=access_denied&error_description=The+user+denied+access+to+your+application
and should be:
http://your_redirect_uri#error=access_denied&error_description=The+user+denied+access+to+your+application
Described here: http://tools.ietf.org/html/rfc6749#section-4.2.2.1
I see in the OAuth2RedirectException.php (line 44) that the $params variable is always filled with array('query' => $this->errorData); but when we use the Implicit Grant (token) this should be array('fragment' => $this->errorData);
    /**
     * Redirect the user agent.
     *
     * @ingroup oauth2_section_4
     */
    public function getResponseHeaders() {
        $params = array('query' => $this->errorData);
        return array(
            'Location' => $this->buildUri($this->redirectUri, $params),
        );
    }
I hope that helps you
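Added example, not code from this repository: an error redirect builder for the authorization endpoint that picks the URI component from the response_type, which is the fix the report above asks for. For response_type=code the parameters go in the query string (RFC 6749 section 4.1.2.1); for response_type=token they go in the fragment (section 4.2.2.1), so the browser never sends them to the server behind the redirect URI. The function name and the sample input are constructed.

```php
<?php
// Added example, not oauth2-php code: choose query vs. fragment for the
// authorization endpoint's error redirect based on the response type.

declare(strict_types=1);

/**
 * @param array<string,string> $errorData  error, error_description and, when the
 *                                         client sent one, its state parameter
 */
function buildErrorRedirect(string $redirectUri, string $responseType, array $errorData): string
{
    $parts = parse_url($redirectUri);
    if ($parts === false || !isset($parts['scheme'], $parts['host']) || isset($parts['fragment'])) {
        // RFC 6749 3.1.2: the redirection endpoint is an absolute URI without a fragment
        throw new InvalidArgumentException('invalid redirect_uri');
    }

    $encoded   = http_build_query($errorData);   // spaces become "+", as in the URIs quoted above
    $component = $responseType === 'token' ? 'fragment' : 'query';

    if ($component === 'query' && isset($parts['query']) && $parts['query'] !== '') {
        $parts['query'] .= '&' . $encoded;        // keep the registered URI's own query string
    } else {
        $parts[$component] = $encoded;
    }

    return $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '')
        . (isset($parts['query']) ? '?' . $parts['query'] : '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
}

// Constructed input matching the report above: same error, two response types.
$error = ['error' => 'access_denied', 'error_description' => 'The user denied access to your application'];
echo buildErrorRedirect('http://your_redirect_uri', 'code', $error), PHP_EOL;
echo buildErrorRedirect('http://your_redirect_uri', 'token', $error), PHP_EOL;
```

The same selection applies to the success redirect of the implicit grant, where the access token itself must only ever appear in the fragment.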
The PHP function filter_var_array() with the flag FILTER_SANITIZE_URL strips umlauts from the input string. But umlauts actually are valid URL characters.
I suggest using the htmlspecialchars() function instead to sanitize the redirect URL.
Or nothing at all; the requested redirect URI gets checked against the redirect URL of the registered client anyway.
Undefined variables in OAuth2::grantAccessTokenExtension() : $inputData and $authHeaders
Also, the $client variable is not passed to IOAuth2GrantExtension::checkGrantExtension()
I'm working on an interesting scenario where I'm hoping to allow users to sign up and authorize another computer (not my web server) somewhere to update their data but only for something like 24 hours.
Here's the flow idea I have:
First of all, that sounds a bit complex, but it's my thoughts on accomplishing this particular scenario while making sure everything's authenticated properly. Any thoughts on how to make that simpler?
If that's indeed the way to go, I can do pretty much all of those steps except for the last one because I don't think there's a way to specify only an access token and only 24 hours from a grant extension...yet :).
It should be minimally intrusive. Just have the grant extension in its return value specify an expiry length and a way to say no refresh tokens.
If I send a pull request, will you take it?
If I want to do a request against my OAuth2 server with client_id and client_secret and add basic authentication to this request, OAuth2::getClientCredentials() will never return the inputData client_id and client_secret.
curl -v -k -umyuser:secretpass -X POST -d "client_id=512238f5e96231e153000000_1a5t3bby1okks4w0cwcwok84kss0g4sk4sws8cgwsgkko44gwk&client_secret=1t5omo9yzt340wkkgwkwccog8g00k4k80o0w4k0sk0gkoww008&grant_type=client_credentials" https://testserver.com/oauth/v2/token
Hi,
I don't get why Symfony 2.1 is required on 1.0.3 and next releases (dev-master included).
Thanks !
This lib is really good. But I find the classnames really hard to read and they look too similar. I started a patch with the following:
- the OAuth2 part of Exception and Storage
- the I prefix of an interface's name, replaced by the Interface suffix
- a src folder instead of lib/OAuth2, to look like other PHP packages, optionally loaded with PSR-4
I ended up with the following architecture:
    Exception subnamespace
        AuthenticateException
        Exception
        RedirectException
        ServerException
    Model subnamespace
        Foo
        FooInterface
        Bar
        BarInterface
    Storage subnamespace
        GrantFooInterface
        GrantBarInterface
        StorageInterface
    Client
    OAuth2
Are you interested in discussing that in order to maybe include it in a new version?
I tried to minimize BC breaks by making the old classes & interfaces extend the new ones, but due to the single-inheritance nature of PHP, a few BC breaks were inevitable. Some small changes are also required for typehints in implementations.
I have been using the FOSOAuthBundle that uses this library. On the call to grantAccessToken it's required to send the user password as plain text. Is this secure? Why is this required?
Tomas Votruba wrote a nice article on migrating test code fast; I think this is worth a look, as it slows down contribution.
https://tomasvotruba.com/blog/2019/11/04/still-on-phpunit-4-come-to-phpunit-8-together-in-a-day/
PHPUnit 4.x is really old now. We could leave it :) PR linked
(copy&paste from thephpleague/oauth2-server#1226 )
This might sound crazy, but there seems to be a growing "market" of those wanting to "have sensitive information in own hands" and who "want to maintain different identities for each domain or even each access to the same domain".
For that some free web hostings or similar might come handy so the only problem might be deployment and long time maintenance (incl. automated version updates, automated backup to a different place, and one-click restoration from backup).
I'd envision having one (huge) PHP file and one DB file (e.g. SQLite) which would just need to be copied over to the free hosting and voila - everything works by itself (assuming the hosting provides HTTPS - e.g. using Let's Encrypt). The DB file would be optional (if there won't be any it'll get automatically created on first HTTPS request) and it'd cover at the same time the "restore from backup" use case. Updates will be done by copying over a new version of the PHP file manually (with the possibility to automate it with some Javascript-on-client approval from some of the designated accounts). Backup would be simple notification on client side "hey it's been 24+ hours since you downloaded the encrypted DB file last time".
Bootstrap would just show the message "please create file admin.txt next to the PHP file - all its contents until the first CR or LF character is the initial password" and after that "please write your admin.txt password here and choose a password for the DB file (encryption at rest) and also name and password for the first admin account to be created", and after success the PHP file will delete admin.txt.
Do you support this? If not, do you happen to know about any project aiming for this?
Hi, I'm considering your oauth2-php library to implement oauth client functionality in a project I'm working on. I'm a little confused because there is an OAuth2Client abstract class that looks like what I need, but after looking more closely it doesn't seem to handle the authorization process, it seems to rely on the access token already being stored, or a subclass handling this. But I don't see any subclasses in this repo. Am I missing something or is the OAuth authorization on the client side not within the scope of this project?
Any examples on how to get this to work with zend framework 2?
Thanks
I want to use the JWT token instead of the current solution to generate the Token(random).
Since @iamluc's PR #94 hasn't been accepted yet, I'm opting for this solution, which I think isn't the best way, so I need your feedback:
- Use the compiler pass to override the 'fos_oauth_server.server' service to point Class to my custom class that inherits from 'OAuth2'.
- Override the 'protected function genAccessToken()' to use the JWT token service for the generation.
Any other solutions are welcome!
In \OAuth2\lib\OAuth2.php we have the following function for setting the Response headers:
    /**
     * Returns HTTP headers for JSON.
     *
     * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.1
     * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
     *
     * @return array
     *
     * @ingroup oauth2_section_5
     */
    private function getJsonHeaders()
    {
        return array(
            'Content-Type' => 'application/json',
            'Cache-Control' => 'no-store',
            'Pragma' => 'no-cache',
        );
    }
It would be helpful to be able to customize, or at least add to, these headers. I opened up a related issue in FOSOAuthServerBundle, but it looks like that issue is a broader one which should be addressed here. As I mentioned in that issue, it's at least necessary to be able to add the Access-Control-Allow-Origin header to allow cross domain requests.
Similar to FriendsOfSymfony/FOSOAuthServerBundle#305 but for general: the library should allow for custom parameters in the response payloads in case the application wants to transmit custom information like a custom error code for e.g. login failures or the like.
We are writing files over an API endpoint in an app that leverages https://github.com/FriendsOfSymfony/FOSOAuthServerBundle where multipart forms are used by curl. But it seems that multipart forms are not supported by https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L645.
As a workaround, we have to make a special case of appending the access token as a query parameter instead.
Is this on purpose or simply an oversight?
GitHub Actions could help us contribute faster: #124 (comment)
Let's contribute to drop PHPUnit 4 support, then enable PHP 7.4 and add PHP 8 support
The project has a lot of branches, and I wonder if we really need them?
Hello, how could we help in bringing PHP 8 support to this library?
In the mentioned function, if the HTTP Content-Type header doesn't exactly equal application/x-www-form-urlencoded, the function will return null. However the header can contain charset info, like application/x-www-form-urlencoded; charset=utf-8. In such a case the function will not be able to find the access token, albeit it is perfectly legal.
https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2/OAuth2.php#L639
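Added example, not code from this repository: reading a bearer token from a form-encoded request body as RFC 6750 section 2.2 describes. The media type is compared after its parameters are stripped, so the charset case reported above is accepted, while a GET request or a multipart body (the earlier question about multipart forms) is still refused, as that section requires. The request is a constructed array standing in for the real request object; the function names are assumptions.

```php
<?php
// Added example, not oauth2-php code: media-type comparison that ignores
// parameters such as charset, applied to the RFC 6750 2.2 body-parameter rules.

declare(strict_types=1);

/** The media type of a Content-Type header value: lower-cased, parameters removed, null if absent. */
function mediaType(?string $contentType): ?string
{
    if ($contentType === null) {
        return null;
    }
    $type = strtolower(trim(explode(';', $contentType, 2)[0]));
    return $type === '' ? null : $type;
}

/**
 * @param array{method:string, headers:array<string,string>, body:array<string,mixed>} $request
 */
function bearerTokenFromBody(array $request): ?string
{
    if (strtoupper($request['method']) === 'GET') {
        return null;   // 2.2: body parameters MUST NOT be used with GET
    }
    if (mediaType($request['headers']['Content-Type'] ?? null) !== 'application/x-www-form-urlencoded') {
        return null;   // 2.2: the body must be form-encoded and single-part (so multipart is out)
    }
    $token = $request['body']['access_token'] ?? null;
    return is_string($token) && $token !== '' ? $token : null;
}

// Constructed requests: the second is the charset case described above, the third a multipart upload.
$plain       = ['method' => 'POST', 'headers' => ['Content-Type' => 'application/x-www-form-urlencoded'], 'body' => ['access_token' => 't1']];
$withCharset = ['method' => 'POST', 'headers' => ['Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'], 'body' => ['access_token' => 't2']];
$multipart   = ['method' => 'POST', 'headers' => ['Content-Type' => 'multipart/form-data; boundary=xyz'], 'body' => ['access_token' => 't3']];
var_dump(bearerTokenFromBody($plain), bearerTokenFromBody($withCharset), bearerTokenFromBody($multipart));
```

For multipart uploads the RFC leaves the Authorization header as the supported transport, which avoids the query-parameter workaround (and the token ending up in access logs).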
Grant interfaces are expecting OAuth2/IOAuth2Client as the first parameter to the checkGrant method, which doesn't exist. Should be OAuth2/Model/IOAuth2Client
OAuth 2 defines extensions grant_type's as being a URI. According to https://www.ietf.org/rfc/rfc3305.txt a URI encapsulates both URL's and URN's.
The JWT Bearer grant extension is an example of the usage of a URN as a grant_type: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
I ran this library and got this error.
PHP Fatal error: Declaration of OAuth2StoragePDO::checkClientCredentials() must be compatible with that of OAuth2\IOAuth2Storage::checkClientCredentials() in /Applications/MAMP/htdocs/oauth2/application/libraries/OAuth2StoragePDO.php on line 17
If I got it correctly, when a token request (e.g.) with a client_credentials grant and without scope is received, a token for all configured scopes is granted.
See code around https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L846
RFC6749 3.3. seems to allow for arbitrary defaults, but IMHO a library limiting the default to all available scopes is bad practice.
I suggest falling back to an empty scope and maybe supporting a configurable default.
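Added example, not code from this repository: a scope resolver that falls back to a configurable default (empty unless configured) when the request names no scope, and rejects scopes the client is not registered for with invalid_scope, as RFC 6749 section 3.3 permits. The class, its method and the client's allowed-scope list are constructed for the example.

```php
<?php
// Added example, not oauth2-php code: default scope is "nothing" unless the
// server operator configures otherwise; never "every scope the server knows".

declare(strict_types=1);

final class ScopeResolver
{
    /** @param string[] $defaultScope scopes granted when the request names none */
    public function __construct(private array $defaultScope = [])
    {
    }

    /**
     * @param string|null $requested the raw "scope" request parameter, space-delimited
     * @param string[]    $allowed   scopes the client is registered for (constructed storage lookup)
     * @return string[]   scopes to bind to the issued token
     */
    public function resolve(?string $requested, array $allowed): array
    {
        if ($requested === null || trim($requested) === '') {
            // Fallback is the configured default, and even that is capped by the client's registration.
            return array_values(array_intersect($this->defaultScope, $allowed));
        }
        $scopes  = array_unique(preg_split('/\s+/', trim($requested)));
        $unknown = array_diff($scopes, $allowed);
        if ($unknown !== []) {
            // RFC 6749 5.2: invalid_scope covers unknown as well as unauthorised scope values
            throw new RuntimeException('invalid_scope: ' . implode(' ', $unknown));
        }
        return array_values($scopes);
    }
}

// Constructed client registration and requests.
$allowed  = ['read', 'write', 'admin'];
$strict   = new ScopeResolver();
$lenient  = new ScopeResolver(['read']);
var_dump($strict->resolve(null, $allowed));           // nothing granted without an explicit request
var_dump($lenient->resolve(null, $allowed));          // the configured default only
var_dump($strict->resolve('read write', $allowed));
try {
    $strict->resolve('admin root', $allowed);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Intersecting the default with the client's registration matters for the client_credentials case in the report: a client that was never granted admin should not receive it just because the server's default happens to include it.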
Hi,
I would like to know if there are major differences between this bundle and the FosOauthServerBundle? I am on a project that uses both bundles and currently I can't figure out why they have been implemented together.
Thank you for your help / advice :)
Hi,
Do you plan to support some part of the RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"?
On my current project, I would like to implement the OAuth Extensions Error Registration part, especially the invalid_type error value.
For now I've overwritten the verifyAccessToken method of OAuth2\OAuth2 to handle this error type, but it would be interesting to add this support to the lib itself, or at least to make the conversion from an Exception to a Response more flexible...
I would be interested to contribute to this feature, but I'm a bit afraid of the BC breaks that can be related to these changes.
4.3 Client Credentials
http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.4.3
"A refresh token SHOULD NOT be included"
OAuth2.php#L1140
The createAccessToken function should be aware of the requested grant_type.
Dirty hotfix: set $this->issueRefreshToken in function grantAccessToken and check in createAccessToken
The generation of refresh tokens also seems to have - at least for the "client_credentials" grant_type - the side-effect of old refresh tokens not being expired:
OAuth2.php#L1145
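Added example, not code from this repository: token issuance that decides on a refresh token from the grant type (RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be included for client_credentials, and the implicit grant never gets one per section 4.2.2), and that retires the refresh token just exchanged so the old one does not stay valid. Token values come from random_bytes(), the CSPRNG the earlier question about SecureRandom/random_bytes() asks about. The function names and the $revoked array standing in for storage are constructed.

```php
<?php
// Added example, not oauth2-php code: refresh tokens only for the grant types
// that are meant to have them, generated from the CSPRNG, with rotation.

declare(strict_types=1);

const GRANTS_WITH_REFRESH_TOKEN = ['authorization_code', 'password', 'refresh_token'];

function shouldIssueRefreshToken(string $grantType): bool
{
    return in_array($grantType, GRANTS_WITH_REFRESH_TOKEN, true);
}

/** 256 bits from the CSPRNG as 64 hex characters; random_bytes() throws if no CSPRNG is available. */
function generateToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * @param string|null $usedRefreshToken the refresh token that was just exchanged, if any
 * @param string[]    $revoked          constructed storage: refresh tokens no longer accepted
 */
function createAccessToken(string $grantType, ?string $scope, ?string $usedRefreshToken, array &$revoked, int $ttl = 3600): array
{
    $response = [
        'access_token' => generateToken(),
        'token_type'   => 'bearer',
        'expires_in'   => $ttl,
    ];
    if ($scope !== null) {
        $response['scope'] = $scope;
    }
    if (shouldIssueRefreshToken($grantType)) {
        $response['refresh_token'] = generateToken();
    }
    if ($usedRefreshToken !== null) {
        $revoked[] = $usedRefreshToken;   // rotate: the exchanged refresh token must not work twice
    }
    return $response;
}

// Constructed flow: client_credentials gets no refresh token; an authorization_code
// token does, and exchanging that refresh token retires it.
$revoked = [];
$cc = createAccessToken('client_credentials', 'read', null, $revoked);
$ac = createAccessToken('authorization_code', 'read', null, $revoked);
$rt = createAccessToken('refresh_token', 'read', $ac['refresh_token'], $revoked);
var_dump(isset($cc['refresh_token']), isset($ac['refresh_token']), in_array($ac['refresh_token'], $revoked, true));
```

Keeping the grant type as an explicit argument avoids the state-on-the-server hotfix mentioned above and makes the policy visible at the single place tokens are created.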
If you read the OAuth 2.0 RFC - https://tools.ietf.org/html/rfc6749#section-4.1.3 - it states that the redirect_uri needs to be identical to the one passed in the authorization request.
It turns out that it's possible to pass something different to the validateRedirectUri() function during the Access Token Request, it can have additional characters added to it and will still work. I think this bug has crept in due to the fact that the same function is used to validate the initial callback redirect uri against the array of allowed domains for a particular client.
It would be great if this could be fixed so that an initial redirect uri of "127.0.0.1:8000/callback" together with an access token request redirect uri of "127.0.0.1:8000/callback2" does not validate to true.
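Added example, not code from this repository, covering this report and the earlier one about FILTER_SANITIZE_URL stripping umlauts: redirect_uri is validated by exact comparison and never rewritten. At the authorization endpoint the value must equal one of the client's registered URIs (RFC 6749 section 3.1.2.3); at the token endpoint it must equal the value sent in the authorization request (section 4.1.3). The function names, the registered list and the sample values are constructed; the filter_var() call at the end only illustrates what the sanitiser does to a non-ASCII character.

```php
<?php
// Added example, not oauth2-php code: exact-match redirect_uri checks for both
// endpoints, with no sanitising step that could alter the value.

declare(strict_types=1);

/** Authorization request: byte-for-byte match against the registered list, no prefix matching. */
function isRegisteredRedirectUri(string $requested, array $registered): bool
{
    foreach ($registered as $uri) {
        if ($uri === $requested) {
            return true;
        }
    }
    return false;
}

/**
 * Token request: the value must repeat what the authorization request carried.
 * $fromAuthRequest is what the server stored alongside the authorization code.
 */
function redirectUriMatchesAuthorizationRequest(?string $fromTokenRequest, ?string $fromAuthRequest): bool
{
    if ($fromAuthRequest === null) {
        return $fromTokenRequest === null;   // 4.1.3: the parameter is required only if it was sent before
    }
    return $fromTokenRequest === $fromAuthRequest;
}

// Constructed client registration.
$registered = ['https://app.example/callback', 'https://app.example/über'];

var_dump(isRegisteredRedirectUri('https://app.example/callback', $registered));
var_dump(isRegisteredRedirectUri('https://app.example/callback2', $registered));  // extra characters: rejected
var_dump(isRegisteredRedirectUri('https://app.example/über', $registered));       // umlaut left intact: accepted
var_dump(redirectUriMatchesAuthorizationRequest('127.0.0.1:8000/callback2', '127.0.0.1:8000/callback'));

// What the sanitiser does to the same value: the two UTF-8 bytes of "ü" are dropped.
var_dump(filter_var('https://app.example/über', FILTER_SANITIZE_URL));
```

Using two separate functions also removes the root cause named in the report, where one routine served both the registration check and the authorization-code check.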
The client requests an accessToken with a valid authCode.
The server checks if a valid, not expired accessToken already exists. If yes, this token would be sent. Otherwise a new token would be generated and sent.
The server generates a new accessToken every time. So I have multiple valid tokens for the same client.
Line 861 in a41fef6
Hi guys,
When someone makes a call to my API using both Authorization headers and access_token parameter (GET/POST) the OAuth2 class throws an exception here: https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2/OAuth2.php#L501
Why is this? Why can't it just check if the tokens are the same, if so, just process one of the tokens. If the tokens differ then throw an exception.
I could send a PR if you agree.
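Added example, not code from this repository, covering this report and the earlier one about Basic authentication plus client_id/client_secret in the body: a request that presents the same credential through more than one channel is refused rather than guessed at. RFC 6749 section 2.3.1 says a client MUST NOT use more than one authentication method per request, and RFC 6750 section 2 says the same for access tokens. The function names are assumptions and the header/body/query arrays are constructed stand-ins for the request object. The rejection could be relaxed to "allowed when all copies are identical", as suggested above, by comparing the collected values before throwing.

```php
<?php
// Added example, not oauth2-php code: one credential, one transport. Presenting
// it twice is treated as an invalid request instead of silently picking one.

declare(strict_types=1);

/**
 * Client credentials: HTTP Basic and body parameters are mutually exclusive.
 * @return array{0:string,1:string}|null  [client_id, client_secret]
 */
function getClientCredentials(array $headers, array $body): ?array
{
    $basic = null;
    if (isset($headers['Authorization']) && preg_match('/^Basic\s+(\S+)$/i', $headers['Authorization'], $m)) {
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            throw new RuntimeException('invalid_client: malformed Basic credentials');
        }
        [$id, $secret] = explode(':', $decoded, 2);
        $basic = [urldecode($id), urldecode($secret)];   // RFC 6749 2.3.1: form-encoded before base64
    }
    $inBody = isset($body['client_id'], $body['client_secret']);

    if ($basic !== null && $inBody) {
        throw new RuntimeException('invalid_request: client authenticated by more than one method');
    }
    if ($basic !== null) {
        return $basic;
    }
    return $inBody ? [(string) $body['client_id'], (string) $body['client_secret']] : null;
}

/** Access token: exactly one of header, body or query may carry it. */
function getBearerToken(array $headers, array $body, array $query): ?string
{
    $found = [];
    if (isset($headers['Authorization']) && preg_match('/^Bearer\s+(\S+)$/i', $headers['Authorization'], $m)) {
        $found['header'] = $m[1];
    }
    if (isset($body['access_token'])) {
        $found['body'] = (string) $body['access_token'];
    }
    if (isset($query['access_token'])) {
        $found['query'] = (string) $query['access_token'];
    }
    if (count($found) > 1) {
        throw new RuntimeException('invalid_request: access token sent via ' . implode(' and ', array_keys($found)));
    }
    return $found === [] ? null : reset($found);
}

// Constructed requests: the first two are accepted, the last two rejected.
var_dump(getClientCredentials(['Authorization' => 'Basic ' . base64_encode('app:s3cret')], []));
var_dump(getBearerToken(['Authorization' => 'Bearer tok'], [], []));
foreach ([
    fn() => getClientCredentials(['Authorization' => 'Basic ' . base64_encode('app:s3cret')], ['client_id' => 'app', 'client_secret' => 's3cret']),
    fn() => getBearerToken(['Authorization' => 'Bearer tok'], [], ['access_token' => 'tok']),
] as $attempt) {
    try {
        $attempt();
    } catch (RuntimeException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The curl invocation in the earlier report, which sends a Basic header for a different user plus client_id/client_secret in the body, lands in the first rejected case: the server cannot tell which identity the request is asserting, so refusing is the safe answer.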
I've been banging my head around this one for 2 weeks already. Went through code and documentation and still haven't managed to find a way to refresh the token after it expires.
Any help on this one?
How can I get the rolemap id once an invitation is sent to a user? Right now it sends JSON as a response and it has a user id in it but not the rolemap id.
Can I get the rolemap id with the user id?
As I understand, files like OAuth2StorageStub.php are just for testing purpose and are not part of the library.
So why are they stored in lib/ folder and not in tests/ one?
The mongo server example is not working, it references MongoOAuth2, which does not exist.
In the function grantAccessTokenRefreshToken in OAuth2.php, it does a fetch for the current token object:
    $token = $this->storage->getRefreshToken($input["refresh_token"]);
    if ($token === null || $client->getPublicId() !== $token->getClientId()) {
        // ...
    }
In the above condition, $token->getClientId() leads to null as the client is not set on the token object.
I'm not sure if this is a bug or not; I'm a new user so I'm just trying to understand the library and was running through the refresh bit to get it working. I had to put in $token->setClient($client); before the condition is checked above to get it working, but I'm not happy with putting it in this way.
Could you check and let me know if you think it's something specific to my implementation? I'm using sylius standard at the moment with the current build.