authbucket / oauth2-php Goto Github PK

Relevant bit of code: https://github.com/authbucket/oauth2-php/blob/master/src/AuthBucket/OAuth2/Security/Authentication/Provider/TokenProvider.php#L48

More information:

• http://php.net/manual/en/function.hash-equals.php
• http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/

This is a security enhancement (it's not a traditional vulnerability, as the cost of exploitation is very high -- nonetheless, the fix is even simpler).

Now there is no way to define "which scope(s)" is required for "which path" in security.php. Once path protected by oauth2_resource, we just check if it is a valid access_token, now.

For the long run, it should update from:

'oauth2_resource' => array(
    'pattern' => '^/oauth2/resource$',
    'oauth2_resource' => true,
),

To something similar as:

'oauth2_resource' => array(
    'pattern' => '^/oauth2/resource$',
    'oauth2_resource' => array(
       'scope' => array('demoscope1', 'demoscope2', 'demoscope3'),
    ),
),

Should add a new authorization server endpoint called /oauth2/scope/* for available scope CURD management, e.g.

• /oauth2/scope: List all available scope
• /oauth2/scope/add: Add a new scope
• /oauth2/scope/{scope_id}/edit: Edit scope with id {scope_id}
• /oauth2/scope/{scope_id/}delete: Delete scope with id {scope_id}

Assume resource server is independent with authorization server, refer to http://tools.ietf.org/html/rfc6749#section-7:

The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.

Here we propose to utilize the authorization server debug endpoint:

• Resource Server receive the RESTful request with an access_token from Client
• Resource Server therefore prepare its own access_token with debug permission by client credentials grant between Authorization Server
• Now Resource Server query debug endpoint with:
  • access_token: Resource Server's client credentials grant-ed token with debug permission
  • debug_token: the access_token provided by the Client
• Debug endpoint return with raw information of provided access_token
• Now Resource Server know the information about the access_token provided by Client, and so can start verify its permission accordingly

For the long run, it should update from:

'oauth2_debug' => array(
    'pattern' => '^/oauth2/debug$',
    'oauth2_debug' => true,
),

To something similar as:

// Authorization Server
'{token_endpoint} => array(
    'pattern' => '{token_path}',
    'oauth2_token' => true,
),
'{debug_endpoint}' => array(
    'pattern' => '{debug_path}',
    'oauth2_resource' => array(
        'resource_type' => 'model',
        'scope' => array('debug'),
    ),
),
// Resource Server
'{resource_endpoint}' => array(
    'pattern' => '{resource_path}',
    'oauth2_resource' => array(
        'resource_type' => 'debug_endpoint',
        'scope' => array('{scope}'),
        'options' => array(
            'token_path' => '{token_path}',
            'debug_path' => '{debug_path}',
            'client_id' => '{client_id}',
            'client_secret' => '{client_secret}',
        ),
    ),
),

Im using silex 2.* and authbucket. After register authbucket in web/index.php:
$app->register(new AuthBucket\OAuth2\Provider\AuthBucketOAuth2ServiceProvider());

im getting error :

Fatal error: Interface 'Silex\ServiceProviderInterface' not found in ..\vendor\authbucket\oauth2-php\src\Provider\AuthBucketOAuth2ServiceProvider.php on line 34

When accessing authorization endpoint, if resource owner not yet authorize corresponding scope, we should show a page for them to confirm that scope.

The workflow should be:

• Access authorization endpoint
• Firewall take action, check if coming with valid user token
  • If not yet authenticate, redirect to login form or using HTTP Basic
  • Once login, redirect back to original authorization endpoint
• Pass firewall, with valid user token
• Check the parameters from backend, including scope
  • If required scope not authorized yet, redirect to authorize scope confirmation page
  • Once scope authorized, saved into database, redirect back to original authorization endpoint
• Generate code/token due to response_type

Should add a new authorization server endpoint called /oauth2/authorize/* for authorization CRUD management, e.g.

• /oauth2/authorize: (RFC6749) Authorization endpoint
• /oauth2/authorize/scope: (Create) Authorize scope confirmation page
• /oauth2/{username}/authorize: (Read) List all authorized scope(s) for user {username}
• /oauth2/{username}/authorize/{authorize_id}: (Read) List specific {authorize_id} detail for user {username}
• /oauth2/{username}/authorize/{authorize_id}/edit: (Update) Update authorized scope(s) for user {username}
• /oauth2/{username}/authorize/{authorize_id}/delete: (Delete) Remove authorized scope(s) for user {username}

Hi there,
First of all, really new to Silex & Symfony & Doctrine. That may explain why the following question could be stupid ;)
I am trying to use your oauth2-php in my own configuration where we have a simple Service for authentification with absolutely nothing else (Repo). My ROLE_ADMIN will manage the clients themselves, API Clients won't be created by anyone else than them. That was for context.

I don't reeally understand how to use your ORM implemantation of your own Class. It stands in the test, I have tried my best but I can't find a way to instantiate it. You can have a look at my code if you wish. I would be really grateful if you'd either explain to me what I am missing. I have tried copy your ORM stuff into my own folder and namespace (Perseids\Entity) but I get the message

#My command in my install folder
php ../vendor/bin/doctrine orm:schema-tool:create
#Results
PHP Fatal error:  Class 'Perseids\Entity\AbstractEntityRepository' not found in /home/thibault/dev/oauth/src/Entity/AuthorizeRepository.php on line 23

Just adding some stuff :
If I had the following lines to install/bootstrap.php :

    require_once "../src/Entity/AbstractEntityRepository.php";
    use Perseids\Entity\AbstractEntityRepository;

I get the following message :

#My command in my install folder
php ../vendor/bin/doctrine orm:schema-tool:create
#Results
No Metadata Classes to process.

• http://php.net/manual/en/function.uniqid.php

uniqid() does not generate cryptographically secure tokens, in fact without being passed any additional parameters the return value is little different from microtime(). If you need to generate cryptographically secure tokens use openssl_random_pseudo_bytes().

• https://github.com/authbucket/oauth2-php/search?q=uniqid

Should add a new authorization server endpoint called /oauth2/client/* for client identity CURD management, e.g.

• /oauth2/client: List all available client
• /oauth2/client/add: Add a new client
• /oauth2/client/{client_id}/edit: Edit client with id {client_id}
• /oauth2/client/{client_id/}delete: Delete client with id {client_id}

(1/3) PDOExceptionSQLSTATE[HY000]: General error: 1 no such table: authbucket_oauth2_user

Right now Tokens have the following expire times:

• Bearer: 1 Hour
• Refresh: 1 Day

This force any app to request tokens every hour, which is not the most desired behavior in many cases.

The idea is to be able to override these values through a configuration file and assume a default value in case said configuration file is not present or doesn't have the overrided key