Merge branch 'master' into master-fix-events

Author: hafezdivandari

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added a new function to the provided ClientTrait, `supportsGrantType` to allow the auth server to issue the response `unauthorized_client` when applicable (PR #1420)
+
+### Fixed
+- Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
+
 ### Changed
 - Key permission checks ignored on Windows regardless of userland choice as cannot be run successfully on this OS (PR #1447)
 - Fixed bug on setting interval visibility of device authorization grant (PR #1410)

examples/README.md

@@ -1,12 +1,11 @@
-# Example implementations
+# Example implementations (via [`Slim 3`](https://github.com/slimphp/Slim/tree/3.x))
 
 ## Installation
 
 0. Run `composer install` in this directory to install dependencies
 0. Create a private key `openssl genrsa -out private.key 2048`
-0. Create a public key `openssl rsa -in private.key -pubout > public.key`
-0. `cd` into the public directory
-0. Start a PHP server `php -S localhost:4444`
+0. Export the public key `openssl rsa -in private.key -pubout > public.key`
+0. Start local PHP server `php -S 127.0.0.1:4444 -t public/`
 
 ## Testing the client credentials grant example
 

examples/src/Repositories/AuthCodeRepository.php

@@ -21,31 +21,31 @@ class AuthCodeRepository implements AuthCodeRepositoryInterface
     /**
      * {@inheritdoc}
      */
-    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void
     {
         // Some logic to persist the auth code to a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function revokeAuthCode($codeId)
+    public function revokeAuthCode($codeId): void
     {
         // Some logic to revoke the auth code in a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function isAuthCodeRevoked($codeId)
+    public function isAuthCodeRevoked($codeId): bool
     {
         return false; // The auth code has not been revoked
     }
 
     /**
      * {@inheritdoc}
      */
-    public function getNewAuthCode()
+    public function getNewAuthCode(): AuthCodeEntityInterface
     {
         return new AuthCodeEntity();
     }

src/Entities/ClientEntityInterface.php

@@ -38,4 +38,11 @@ public function getRedirectUri(): string|array;
      * Returns true if the client is confidential.
      */
     public function isConfidential(): bool;
+
+    /*
+     * Returns true if the client supports the given grant type.
+     *
+     * To be added in a future major release.
+     */
+    // public function supportsGrantType(string $grantType): bool;
 }

src/Entities/Traits/ClientTrait.php

@@ -52,4 +52,12 @@ public function isConfidential(): bool
     {
         return $this->isConfidential;
     }
+
+    /**
+     * Returns true if the client supports the given grant type.
+     */
+    public function supportsGrantType(string $grantType): bool
+    {
+        return true;
+    }
 }

src/Exception/OAuthServerException.php

@@ -252,8 +252,17 @@ public static function slowDown(string $hint = '', ?Throwable $previous = null):
     }
 
     /**
+     * Unauthorized client error.
+     */
+    public static function unauthorizedClient(?string $hint = null): static
     {
-        return $this->errorType;
+        return new static(
+            'The authenticated client is not authorized to use this authorization grant type.',
+            14,
+            'unauthorized_client',
+            400,
+            $hint
+        );
     }
 
     /**

src/Grant/AbstractGrant.php

@@ -151,18 +151,18 @@ protected function validateClient(ServerRequestInterface $request): ClientEntity
     {
         [$clientId, $clientSecret] = $this->getClientCredentials($request);
 
-        if ($this->clientRepository->validateClient($clientId, $clientSecret, $this->getIdentifier()) === false) {
-            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
-
-            throw OAuthServerException::invalidClient($request);
-        }
         $client = $this->getClientEntityOrFail($clientId, $request);
 
-        // If a redirect URI is provided ensure it matches what is pre-registered
-        $redirectUri = $this->getRequestParameter('redirect_uri', $request);
+        if ($client->isConfidential()) {
+            if ($clientSecret === '') {
+                throw OAuthServerException::invalidRequest('client_secret');
+            }
 
-        if ($redirectUri !== null) {
-            $this->validateRedirectUri($redirectUri, $client, $request);
+            if ($this->clientRepository->validateClient($clientId, $clientSecret, $this->getIdentifier()) === false) {
+                $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
+
+                throw OAuthServerException::invalidClient($request);
+            }
         }
 
         return $client;
@@ -189,9 +189,22 @@ protected function getClientEntityOrFail(string $clientId, ServerRequestInterfac
             throw OAuthServerException::invalidClient($request);
         }
 
+        if ($this->supportsGrantType($client, $this->getIdentifier()) === false) {
+            throw OAuthServerException::unauthorizedClient();
+        }
+
         return $client;
     }
 
+    /**
+     * Returns true if the given client is authorized to use the given grant type.
+     */
+    protected function supportsGrantType(ClientEntityInterface $client, string $grantType): bool
+    {
+        return method_exists($client, 'supportsGrantType') === false
+            || $client->supportsGrantType($grantType) === true;
+    }
+
     /**
      * Gets the client credentials from the request from the request body or
      * the Http Basic Authorization header
@@ -484,6 +497,10 @@ protected function issueAuthCode(
      */
     protected function issueRefreshToken(AccessTokenEntityInterface $accessToken): ?RefreshTokenEntityInterface
     {
+        if ($this->supportsGrantType($accessToken->getClient(), 'refresh_token') === false) {
+            return null;
+        }
+
         $refreshToken = $this->refreshTokenRepository->getNewRefreshToken();
 
         if ($refreshToken === null) {

src/Grant/AuthCodeGrant.php

@@ -97,14 +97,7 @@ public function respondToAccessTokenRequest(
         ResponseTypeInterface $responseType,
         DateInterval $accessTokenTTL
     ): ResponseTypeInterface {
-        list($clientId) = $this->getClientCredentials($request);
-
-        $client = $this->getClientEntityOrFail($clientId, $request);
-
-        // Only validate the client if it is confidential
-        if ($client->isConfidential()) {
-            $this->validateClient($request);
-        }
+        $client = $this->validateClient($request);
 
         $encryptedAuthCode = $this->getRequestParameter('code', $request);
 

src/Grant/ClientCredentialsGrant.php

@@ -34,19 +34,14 @@ public function respondToAccessTokenRequest(
         ResponseTypeInterface $responseType,
         DateInterval $accessTokenTTL
     ): ResponseTypeInterface {
-        list($clientId) = $this->getClientCredentials($request);
-
-        $client = $this->getClientEntityOrFail($clientId, $request);
+        $client = $this->validateClient($request);
 
         if (!$client->isConfidential()) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
 
             throw OAuthServerException::invalidClient($request);
         }
 
-        // Validate request
-        $this->validateClient($request);
-
         $scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
 
         // Finalize the requested scopes

tests/AuthorizationServerTest.php

@@ -183,7 +183,7 @@ public function testMultipleRequestsGetDifferentResponseTypeInstances(): void
         $privateKey = 'file://' . __DIR__ . '/Stubs/private.key';
         $encryptionKey = 'file://' . __DIR__ . '/Stubs/public.key';
 
-        $responseTypePrototype = new class () extends BearerTokenResponse {
+        $responseTypePrototype = new class extends BearerTokenResponse {
             protected CryptKeyInterface $privateKey;
             protected Key|string|null $encryptionKey = null;