friendsofsymfony / oauth2-php Goto Github PK

This lib is really good. But I find the classnames really hard to read and looks too much similar. I started a patch with the following:

• Removed OAuth2 part
• Introduced two new subnamespaces Exception and Storage
• Changed I prefix of interface's name by the Interface suffix
• [Optionnal] Moved new classes to the src folder instead of lib/OAuth2 to looks like other php package, optionally loaded with PSR-4

I ended up with the following architecture:

• Exception subnamespace
  • AuthenticateException
  • Exception
  • RedirectException
  • ServerException
• Model subnamespace
  • Foo
  • FooInterface
  • Bar
  • BarInterface
  • ...
• Storage subnamespace
  • GrantFooInterface
  • GrantBarInterface
  • ...
  • StorageInterface
• Client
• OAuth2

Are you interested to discuss that in order to maybe include it in a new version?

I tried to minimize BC by making old classes & interfaces extending new ones but due to the single inheritance's nature of PHP, some few BC breaks were inevitable. Some small changes are also required with typehint in implementations.

(copy&paste from thephpleague/oauth2-server#1226 )

This might sound crazy, but there seems to be a growing "market" of those wanting to "have sensitive information in own hands" and who "want to maintain different identities for each domain or even each access to the same domain".

For that some free web hostings or similar might come handy so the only problem might be deployment and long time maintenance (incl. automated version updates, automated backup to a different place, and one-click restoration from backup).

I'd envision having one (huge) PHP file and one DB file (e.g. SQLite) which would just need to be copied over to the free hosting and voila - everything works by itself (assuming the hosting provides HTTPS - e.g. using Let's Encrypt). The DB file would be optional (if there won't be any it'll get automatically created on first HTTPS request) and it'd cover at the same time the "restore from backup" use case. Updates will be done by copying over a new version of the PHP file manually (with the possibility to automate it with some Javascript-on-client approval from some of the designated accounts). Backup would be simple notification on client side "hey it's been 24+ hours since you downloaded the encrypted DB file last time".

Bootstrap would just show the message "please create file admin.txt next to the PHP file - all its contents until first CR or LF character is the initial password" and after that "please write your admin.txt password here and choose password for the DB file (encryption at rest) and also name and password for the first admin account to be created" and after success the PHP file will delete admin.txt.

Do you support this? If not, do you happen to know about any project aiming for this?

OAuth 2 defines extensions grant_type's as being a URI. According to https://www.ietf.org/rfc/rfc3305.txt a URI encapsulates both URL's and URN's.

The JWT Bearer grant extension is an example of the usage of a URN as a grant_type: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12

I'm working on an interesting scenario where I'm hoping to allow users to sign up and authorize another computer (not my web server) somewhere to update their data but only for something like 24 hours.

Here's the flow idea I have:

• User logs in and is given the authorize dialog.
• User authorizes thing and is redirected to another spot on the website.
• That page they're redirected to makes sure the code / token is legit and then send a message via SQS or choose whatever queue service you like which goes to the other computer and it says that the given user has allowed access to that computer to update things for it.
• That computer makes an API request with its OAuth token to request a code that I'd make with my grant extension and sends it back to the computer.
• That computer then calls the token uri and requests an access token with my grant extension and the code included.
• My grant extension verifies the code it just gave and notifies the thing that gives the access tokens to only give an access token that lives for 24 hours or so.
• The computer uses that newly created access token to update the user's profile.

First of all, that sounds a bit complex, but it's my thoughts on accomplishing this particular scenario while making sure everything's authenticated properly. Any thoughts on how to make that simpler?

If that's indeed the way to go, I can do pretty much all of those steps except for the last one because I don't think there's a way to specify only an access token and only 24 hours from a grant extension...yet :).

It should be minimally intrusive. Just have the grant extension in its return value specify an expiry length and a way to say no refresh tokens.

If I send a pull request, will you take it?

Similar to FriendsOfSymfony/FOSOAuthServerBundle#305 but for general: the library should allow for custom parameters in the response payloads in case the application wants to transmit custom information like a custom error code for e.g. login failures or the like.

We are writing files over an API endpoint in an app that leverages https://github.com/FriendsOfSymfony/FOSOAuthServerBundle where multipart forms are used by curl. But it seems that multipart forms are not supported by https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L645.

As a workaround, we have to make a special case of appending the access token as a query parameter instead.

Is this on purpose or simply an oversight?

I want to use the JWT token instead of the current solution to generate the Token(random).
Since @iamluc's PR #94 hasn't been accepted yet, I'm opting for this solution witch I think isn't the best way, so I need your feedbacks :

- Use the compiler pass to override the 'fos_oauth_server.server' service to point Class to my custom class that inherits from 'OAuth2'. 
- Override the 'protected function genAccessToken()' to use the JWT token service for the generation.

Any other solutions are welcome!

What about using Symfony’s SecureRandom or random_bytes() to generate tokens?

Is there a particular reason why makeRequest() of OAuth2Client only allows GET and POST HTTP methods?

A typical REST API involves PUT, PATCH, and DELETE which are impossible to use with the client at this time.

In the code i see a comment // Method override as we always do a POST. but not quite sure why is it that "we ALWAYS do a POST".

In our current project we will be overriding makeRequest() method to support PUT, PATCH, and DELETE, if you are interested I can submit a PR to add such support here as well.

Scenario

The client request with a valid authCode an accessToken.

Expected behavior

The server checks if already a valid, not expired accessToken exists. If yes, this token would be sent. Otherwise a new token would be generated and send.

Actual behavior

The server generates everytime a new accessToken. So I have multiple valid tokens for the same client.

Grant interfaces are expecting OAuth2/IOAuth2Client as fist parameter to the checkGrant method, which doesn't exist. Should be OAuth2/Model/IOAuth2Client

Hi guys,

When someone makes a call to my API using both Authorization headers and access_token parameter (GET/POST) the OAuth2 class throws an exception here: https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2/OAuth2.php#L501

Why is this? Why can't it just check if the tokens are the same, if so, just process one of the tokens. If the tokens differ then throw an exception.

I could send a PR if you agree.

In the function grantAccessTokenRefreshToken in OAuth2.php, it does a fetch for the current token object,
$token = $this->storage->getRefreshToken($input["refresh_token"]);

if ($token === null || $client->getPublicId() !== $token->getClientId()) {
.... }
In the above condition, $token->getClientId() leads to null as the client is not set on the token object.

I'm not sure if this is a bug or not, I'm a new user so just trying to understand the library and was runnin throught the refresh bit to get it working, I had to put in $token->setClient($client); before the condition is checked above to get it working -> but not happy with putting it in this way.

Could you check and let me know if you think its something specific to my implementation, i'm using sylius standard at the moment with the current build.

If you read the OAuth 2.0 RFC - https://tools.ietf.org/html/rfc6749#section-4.1.3 - it states that the redirect_uri needs to be identical to the one passed in the authorization request.

It turns out that it's possible to pass something different to the validateRedirectUri() function during the Access Token Request, it can have additional characters added to it and will still work. I think this bug has crept in due to the fact that the same function is used to validate the initial callback redirect uri against the array of allowed domains for a particular client.

It would be great if this could be fixed so that in cases where an initial redirect uri of "127.0.0.1:8000/callback" and an access token request redirect uri of "127.0.0.1:8000/callback2", does not validate to true.

The project has a lot of branches, and I wonder if we really need them?

According to the OAuth specs, it's possible to add the assertion grant type (see example here http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.5). Is it possible to handle such grant types with this library?

Problem:
There is inconsistency in token type value. In header name Bearer is required, but while creating access token bearer is used by default. This leads to problem described here:
FriendsOfSymfony/FOSOAuthServerBundle#180

class OAuth2\OAuth2 line 181:

    const TOKEN_BEARER_HEADER_NAME = 'Bearer';

class OAuth2\Oauth2 line 259:

    const TOKEN_TYPE_BEARER = 'bearer';

Suggestion:
change default value of TOKEN_TYPE_BEARER field to Bearer

Hi, I'm considering your oauth2-php library to implement oauth client functionality in a project I'm working on. I'm a little confused because there is an OAuth2Client abstract class that looks like what I need, but after looking more closely it doesn't seem to handle the authorization process, it seems to rely on the access token already being stored, or a subclass handling this. But I don't see any subclasses in this repo. Am I missing something or is the OAuth authorization on the client side not within the scope of this project?

In \OAuth2\lib\OAuth2.php we have the following function for setting the Response headers:

     * Returns HTTP headers for JSON.
     *
     * @see     http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.1
     * @see     http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-5.2
     *
     * @return array
     *
     * @ingroup oauth2_section_5
     */
    private function getJsonHeaders()
    {
        return array(
            'Content-Type' => 'application/json',
            'Cache-Control' => 'no-store',
            'Pragma' => 'no-cache',
        );
    }

It would be helpful to be able to customize, or at least add to, these headers. I opened up a related issue in FOSOAuthServerBundle, but it looks like that issue is a broader one which should be addressed here. As I mentioned in that issue, it's at least necessary to be able to add the Access-Control-Allow-Origin header to allow cross domain requests.

When you use the Implicit Grant, if occurs some error not related with the redirect_uri, for example: 'The user denied access to your application', the error respose should be in the fragment component of the redirection URI. Now the response is a query string:

http://your_redirect_uri?error=access_denied&error_description=The+user+denied+access+to+your+application

and should be:

http://your_redirect_uri#error=access_denied&error_description=The+user+denied+access+to+your+application

Described here: http://tools.ietf.org/html/rfc6749#section-4.2.2.1

I see in the OAuth2RedirectException.php (line 44) that the $params variable is always filled with array('query' => $this->errorData); but when we use the Implicit Grant (token) this should be array('fragment' => $this->errorData);

/**
* Redirect the user agent.
*
* @ingroup oauth2_section_4
*/
public function getResponseHeaders() {
    $params = array('query' => $this->errorData);
    return array(
        'Location' => $this->buildUri($this->redirectUri, $params),
    );
}

I hope that helps you

@GuilhemN, could you please tag 1.3.1 with the recent changes from #121 .

Resolves:

• Update OAuth2.php #121

Thanks ! :)

PHPDoc is invalid since the changes for strict type compat in bundle:

        - '#Parameter \#1 \$httpStatusCode of class OAuth2\\OAuth2ServerException constructor expects string, int given#'
        - '#Parameter \#1 \$httpCode of class OAuth2\\OAuth2AuthenticateException constructor expects string, int given#'

How can I get rolemap id once an invitation sent to a user?. Right now it send json as an response and it has a user id in it but not rolemap id.

Can I get rolemap Id with user id ?

If I got it correctly, when a token request (e.g.) with a client_crendentials grant and without scope is received, a token for all configured scopes is granted.

See code around https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L846

RFC6749 3.3. seems to allow for arbitrary defaults, but IMHO a library limiting the default to all available scopes is bad practice.

I suggest to fallback to an empty scope and maybe support a configurable default.

4.3 Client Credentials
http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.4.3
"A refresh token SHOULD NOT be included"

OAuth2.php#L1140
The createAccessToken function should be aware of the requested grant_type.
Dirty hotfix: set $this->issueRefreshToken in function grantAccessToken and check in createAccessToken

The generation of refresh tokens also seems to have - at least for the "client_credentials" grant_type - the side-effect of old refresh tokens not beeing expired:
OAuth2.php#L1145

Can we bump the version number to 1.1.2 to release the feature from #75 ?

i have been using the FOSOAuthBundle that use this library. On the call to grantAccessToken its required to send the user password as plain text. Is this secure? Why is this required?

I've been banging my head around this one for 2 weeks already. Went through code and documentation and still havent managed to find a way how to refresh token after it expires.

Any help on this one?

the new fix concerning the handling of scopes is a big issue i think. so it would be great to have a new tag based on that, if there is no breaking change since the last tag.

thanks

composer.json limits to symfony 2.1 on master

In the mentioned function, if HTTP Content-Type header doesn't equal to exactly application/x-www-form-urlencoded the function will return null. However the header can contain charset info, like application/x-www-form-urlencoded; charset=utf-8. In such a case the function will not be able to find the access token albeit it is perfectly legal.

https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2/OAuth2.php#L639

Hello, how could we help in bringing PHP 8 support to this library?

Undefined variables in OAuth2::grantAccessTokenExtension() : $inputData and $authHeaders

Also, the $client variable is not passed to IOAuth2GrantExtension::checkGrantExtension()

The php function filter_var_array() with flag FILTER_SANITIZE_URL strips umlauts from the input string. But umlauts actually are valid url characters.
I suggest to use htmlspecialchars() function instead to sanitize the redirect url.
Or nothing at all, the requested redirect uri gets checked against the redirect url of the registered client anyway.

@GuilhemN, could you please tag 1.2.3 with the recent changes from #105.

Resolves:

• FriendsOfSymfony/FOSOAuthServerBundle#528

Hi,
I would like to know if there are majors differences between this bundle and the FosOauthServerBundle ? I am on a project that use both bundles and currently I don't figure out why they have been implemented together.

Thank you for your help / advice :)

Any examples on how to get this to work with zend framework 2?

Thanks

Hi,

I don't get why Symfony 2.1 is required on 1.0.3 and next releases (dev-master included).

Thanks !

I run this library, and I got this error.

PHP Fatal error: Declaration of OAuth2StoragePDO::checkClientCredentials() must be compatible with that of OAuth2\IOAuth2Storage::checkClientCredentials() in /Applications/MAMP/htdocs/oauth2/application/libraries/OAuth2StoragePDO.php on line 17

The mongo server example is not working, it references MongoOAuth2, which does not exist.

Hi,

Do you plan to support some part of the RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage"?
On my current project, I would like to implement the OAuth Extensions Error Registration part, especially the invalid_type error value.

For now I've overwritten the verifyAccessToken method of OAuth2\OAuth2 to handle this error type, but it should be interesting to add this support to the lib itself, or at least to make more flexible the convertion from an Exception to a Response...

I would be interested to contribute to this feature, but I'm a bit afraid of the BC breaks that can be related to these changes.

if i want to do a request against my oauth2 server with client_id and client_secret and add a basic authentication to this request the OAuth2::getClientCredentials() will never return inputData client_id and client_secret.

curl -v -k -umyuser:secretpass -X POST -d "client_id=512238f5e96231e153000000_1a5t3bby1okks4w0cwcwok84kss0g4sk4sws8cgwsgkko44gwk&client_secret=1t5omo9yzt340wkkgwkwccog8g00k4k80o0w4k0sk0gkoww008&grant_type=client_credentials" https://testserver.com/oauth/v2/token

Github Action could help to contribute faster : #124 (comment)

Let's contribute to drop PHP unit 4 support then enable PHP 7.4 and add PHP 8 support

As I understand, files like OAuth2StorageStub.php are just for testing purpose and are not part of the library.

So why are they stored in lib/ folder and not in tests/ one?

Hi,

When you're requesting an access token based of user credentials, you get a wrong response when your credentials are invalid.

Expected result:

{
  "error_description" : "Invalid username and password combination",
  "error" : "invalid_grant"
}

Instead, it only returns:

{
  "error" : "invalid_grant"
}

I will create a pull-request if necessary.

Best wishes,
Steffen Brem

Tomas Votruba did a nice article there to migrate test code fast, I think this is worth the look as it slow down contribution.

https://tomasvotruba.com/blog/2019/11/04/still-on-phpunit-4-come-to-phpunit-8-together-in-a-day/

phpunit 4.x is really old now . We could leave it :) PR linked