Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate confidential clients and determine if the client handles the grant type #1420

Merged
merged 14 commits into from
Feb 6, 2025
Merged

Validate confidential clients and determine if the client handles the grant type #1420

merged 14 commits into from
Feb 6, 2025
+189 −125

Conversation

hafezdivandari
Copy link
Contributor

@hafezdivandari hafezdivandari commented Jun 30, 2024
edited
Loading

Fixes #1174
Fixes #1369
Fixes #1073
Closes #1036

This PR can be considered as a security enhancement and does 2 main changes:

  1. Validate confidential clients:
  2. New ClientTarit::supportsGrantType() function:
    • RFC6749 section 5.2
    • Fixes Add Unauthorized_Client support #1174
    • This function is implemented on ClientTrait that returns true by default to avoid BC breaking changes.
    • Currently there is no way to check if the client handles the grant type before proceeding the request, e.g. We don't want to make auth code on "auth code grant" or make device code on "device code auth" grant or response with the access token on "implicit token" grant if the specified client doesn't handle the grant type. This PR makes this possible to avoid handling the requested grant type if the specified client doesn't supports that.
    • It also makes it possible for us to disable issuing refresh token if the client doesn't handle this grant.

This was referenced Jun 30, 2024
Draft
Closed
@hafezdivandari hafezdivandari mentioned this pull request Aug 29, 2024
Closed
@hafezdivandari hafezdivandari changed the title Always validate client Always validate the client and determine if it handles the grant type Oct 1, 2024
@hafezdivandari hafezdivandari mentioned this pull request Oct 10, 2024
Open
8 tasks
@hafezdivandari hafezdivandari changed the title Always validate the client and determine if it handles the grant type Validate confidential clients and determine if the client handles the grant type Oct 18, 2024
@hafezdivandari hafezdivandari mentioned this pull request Nov 21, 2024
Merged
Sephster
Sephster reviewed Feb 5, 2025
View reviewed changes
Copy link
Member

@Sephster Sephster left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good @hafezdivandari - I like the way you've supported the unauthorized_grant without introducing breaking changes. A nice solution.

Only concern I have is around the validation of the redirect URI. I've left a comment. Thanks for your hard work on this

src/Grant/AbstractGrant.php Show resolved Hide resolved
@Sephster Sephster merged commit f654cb3 into thephpleague:master Feb 6, 2025
19 checks passed
@hafezdivandari hafezdivandari deleted the always-validate-client branch February 6, 2025 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Sephster Sephster Sephster left review comments

@eugene-borovov eugene-borovov eugene-borovov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@hafezdivandari @eugene-borovov @Sephster