authbucket / oauth2-php
The standard compliant OAuth2.0 library based on the Symfony Components.
Home Page: http://oauth2-php.authbucket.com/
License: MIT License
Relevant bit of code: https://github.com/authbucket/oauth2-php/blob/master/src/AuthBucket/OAuth2/Security/Authentication/Provider/TokenProvider.php#L48
More information:
This is a security enhancement (it's not a traditional vulnerability, as the cost of exploitation is very high -- nonetheless, the fix is even simpler).
Now there is no way to define "which scope(s)" is required for "which path" in security.php. Once a path is protected by oauth2_resource, we just check if it is a valid access_token, now.
For the long run, it should update from:
    'oauth2_resource' => array(
        'pattern' => '^/oauth2/resource$',
        'oauth2_resource' => true,
    ),
To something similar as:
    'oauth2_resource' => array(
        'pattern' => '^/oauth2/resource$',
        'oauth2_resource' => array(
            'scope' => array('demoscope1', 'demoscope2', 'demoscope3'),
        ),
    ),
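The check this proposal asks for, written out as an added example that is not oauth2-php project code: a firewall array in the proposed shape is matched against the request path to find the required scope(s), and those are compared with the scope string granted to the access token. The function names, the second firewall entry and the sample tokens' scopes are constructed for the demonstration; the `insufficient_scope` error is the one RFC 6750 §3.1 prescribes for this case.

```php
<?php
// Added example (not oauth2-php project code): resolve the scope(s) a
// request path requires from a security.php-style firewall array in the
// proposed shape, then check them against the scope granted to an
// access token. Firewall names, paths and scope names are constructed.

function requiredScopesFor(array $firewalls, string $path): ?array
{
    foreach ($firewalls as $name => $firewall) {
        if (!preg_match('#' . $firewall['pattern'] . '#', $path)) {
            continue;
        }
        $resource = $firewall['oauth2_resource'] ?? null;
        if ($resource === true) {
            return []; // protected, but any valid access token is enough
        }
        if (is_array($resource)) {
            return $resource['scope'] ?? [];
        }
        return null; // matched a firewall that is not an OAuth2 resource
    }
    return null; // no firewall matched: not protected by oauth2_resource
}

// The scope granted to a token is a space-delimited string (RFC 6749 §3.3).
function tokenCoversScopes(string $grantedScope, array $required): bool
{
    $granted = preg_split('/\s+/', trim($grantedScope), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($required as $scope) {
        if (!in_array($scope, $granted, true)) {
            return false;
        }
    }
    return true;
}

$firewalls = [
    'oauth2_resource' => [
        'pattern' => '^/oauth2/resource$',
        'oauth2_resource' => [
            'scope' => ['demoscope1', 'demoscope2'],
        ],
    ],
    'oauth2_profile' => [                 // constructed second firewall
        'pattern' => '^/oauth2/profile$',
        'oauth2_resource' => true,
    ],
];

// Constructed requests: [path, scope string granted to the presented token]
$cases = [
    ['/oauth2/resource', 'demoscope1 demoscope2 demoscope3'],
    ['/oauth2/resource', 'demoscope1'],
    ['/oauth2/profile',  'demoscope3'],
    ['/public',          ''],
];

foreach ($cases as [$path, $grantedScope]) {
    $required = requiredScopesFor($firewalls, $path);
    if ($required === null) {
        echo "$path: not protected by oauth2_resource\n";
    } elseif (tokenCoversScopes($grantedScope, $required)) {
        echo "$path: allowed\n";
    } else {
        // RFC 6750 §3.1: respond 403 with error="insufficient_scope"
        echo "$path: 403 insufficient_scope (needs " . implode(' ', $required) . ")\n";
    }
}
```

The first firewall that matches wins, mirroring how Symfony evaluates firewall patterns in order, so a more specific pattern must be listed before a broader one. A token that is valid but lacks a required scope is rejected with a 403 rather than a 401, which lets the client distinguish "re-authenticate" from "ask the resource owner for more scope".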
Should add a new authorization server endpoint called /oauth2/scope/* for available scope CRUD management, e.g.
/oauth2/scope: List all available scope
/oauth2/scope/add: Add a new scope
/oauth2/scope/{scope_id}/edit: Edit scope with id {scope_id}
/oauth2/scope/{scope_id}/delete: Delete scope with id {scope_id}
Assume the resource server is independent of the authorization server, refer to http://tools.ietf.org/html/rfc6749#section-7:
The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.
Here we propose to utilize the authorization server debug endpoint:
For the long run, it should update from:
    'oauth2_debug' => array(
        'pattern' => '^/oauth2/debug$',
        'oauth2_debug' => true,
    ),
To something similar as:
    // Authorization Server
    '{token_endpoint}' => array(
        'pattern' => '{token_path}',
        'oauth2_token' => true,
    ),
    '{debug_endpoint}' => array(
        'pattern' => '{debug_path}',
        'oauth2_resource' => array(
            'resource_type' => 'model',
            'scope' => array('debug'),
        ),
    ),
    // Resource Server
    '{resource_endpoint}' => array(
        'pattern' => '{resource_path}',
        'oauth2_resource' => array(
            'resource_type' => 'debug_endpoint',
            'scope' => array('{scope}'),
            'options' => array(
                'token_path' => '{token_path}',
                'debug_path' => '{debug_path}',
                'client_id' => '{client_id}',
                'client_secret' => '{client_secret}',
            ),
        ),
    ),
I'm using silex 2.* and authbucket. After registering authbucket in web/index.php:
$app->register(new AuthBucket\OAuth2\Provider\AuthBucketOAuth2ServiceProvider());
I'm getting this error:
Fatal error: Interface 'Silex\ServiceProviderInterface' not found in ..\vendor\authbucket\oauth2-php\src\Provider\AuthBucketOAuth2ServiceProvider.php on line 34
When accessing the authorization endpoint, if the resource owner has not yet authorized the corresponding scope, we should show a page for them to confirm that scope.
The workflow should be:
Should add a new authorization server endpoint called /oauth2/authorize/* for authorization CRUD management, e.g.
/oauth2/authorize: (RFC6749) Authorization endpoint
/oauth2/authorize/scope: (Create) Authorize scope confirmation page
/oauth2/{username}/authorize: (Read) List all authorized scope(s) for user {username}
/oauth2/{username}/authorize/{authorize_id}: (Read) List specific {authorize_id} detail for user {username}
/oauth2/{username}/authorize/{authorize_id}/edit: (Update) Update authorized scope(s) for user {username}
/oauth2/{username}/authorize/{authorize_id}/delete: (Delete) Remove authorized scope(s) for user {username}
Hi there,
First of all, I'm really new to Silex & Symfony & Doctrine. That may explain why the following question could be stupid ;)
I am trying to use your oauth2-php in my own configuration where we have a simple Service for authentication with absolutely nothing else (Repo). My ROLE_ADMIN will manage the clients themselves; API Clients won't be created by anyone else than them. That was for context.
I don't really understand how to use your ORM implementation of your own Class. It stands in the test, I have tried my best but I can't find a way to instantiate it. You can have a look at my code if you wish. I would be really grateful if you'd explain to me what I am missing. I have tried copying your ORM stuff into my own folder and namespace (Perseids\Entity) but I get the message
#My command in my install folder
php ../vendor/bin/doctrine orm:schema-tool:create
#Results
PHP Fatal error: Class 'Perseids\Entity\AbstractEntityRepository' not found in /home/thibault/dev/oauth/src/Entity/AuthorizeRepository.php on line 23
Just adding some stuff:
If I add the following lines to install/bootstrap.php:
require_once "../src/Entity/AbstractEntityRepository.php";
use Perseids\Entity\AbstractEntityRepository;
I get the following message:
#My command in my install folder
php ../vendor/bin/doctrine orm:schema-tool:create
#Results
No Metadata Classes to process.
uniqid() does not generate cryptographically secure tokens, in fact without being passed any additional parameters the return value is little different from microtime(). If you need to generate cryptographically secure tokens use openssl_random_pseudo_bytes().
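The contrast the comment above draws, as an added example that is not oauth2-php project code: a uniqid()-based generator next to one backed by openssl_random_pseudo_bytes() that refuses to issue a token when the extension reports a non-strong source, plus a constant-time lookup of a presented token. The 32-byte length, the function names and the in-memory token store are constructed for the demonstration.

```php
<?php
// Added example (not oauth2-php project code): the two generators the
// comment above contrasts. uniqid() is time-derived; a CSPRNG-backed
// generator is what a bearer token needs. The token length is a
// constructed choice (32 bytes = 256 bits of entropy, 64 hex chars).

function weakToken(): string
{
    // uniqid() with no arguments returns 13 hex chars built from
    // microtime() (seconds + microseconds), so consecutive calls are
    // nearly sequential and guessable from the issue time.
    return uniqid();
}

function secureToken(int $bytes = 32): string
{
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    // openssl_random_pseudo_bytes() reports via $strong whether a
    // cryptographically strong algorithm was used; never fall back silently.
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('CSPRNG unavailable; refusing to issue a token');
    }
    return bin2hex($raw);
}

// Look up a presented token without leaking timing information on the
// comparison. $issued is a constructed in-memory store standing in for
// the access_token table.
function tokenMatches(array $issued, string $presented): bool
{
    foreach ($issued as $stored) {
        if (hash_equals($stored, $presented)) {
            return true;
        }
    }
    return false;
}

$weak = [weakToken(), weakToken(), weakToken()];
$strong = [secureToken(), secureToken(), secureToken()];

echo "uniqid():                      " . implode(' ', $weak) . "\n";
echo "openssl_random_pseudo_bytes(): " . implode(' ', $strong) . "\n";
var_dump(tokenMatches($strong, $strong[1]));
var_dump(tokenMatches($strong, $weak[0]));
```

Running it shows the three uniqid() values sharing most of their leading digits, since they differ only by microseconds, while the CSPRNG tokens share nothing. On PHP 7 and later, random_bytes() is the simpler choice because it throws on failure instead of requiring the $strong check.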
Should add a new authorization server endpoint called /oauth2/client/* for client identity CRUD management, e.g.
/oauth2/client: List all available client
/oauth2/client/add: Add a new client
/oauth2/client/{client_id}/edit: Edit client with id {client_id}
/oauth2/client/{client_id}/delete: Delete client with id {client_id}
Right now Tokens have the following expire times:
This forces any app to request tokens every hour, which is not the most desired behavior in many cases.
The idea is to be able to override these values through a configuration file and assume a default value in case said configuration file is not present or doesn't have the overridden key.