Diffstat (limited to 'vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType')
-rw-r--r-- | vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/AuthorizationCode.php | 35 | ||||
-rw-r--r-- | vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/JwtBearer.php | 8 |
2 files changed, 39 insertions, 4 deletions
diff --git a/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/AuthorizationCode.php b/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/AuthorizationCode.php
index 784f6b3a3..5bcb4f253 100644
--- a/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/AuthorizationCode.php
+++ b/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/AuthorizationCode.php
@@ -84,6 +84,41 @@ class AuthorizationCode implements GrantTypeInterface
             return false;
         }
 
+        if (isset($authCode['code_challenge']) && $authCode['code_challenge']) {
+            if (!($code_verifier = $request->request('code_verifier'))) {
+                $response->setError(400, 'code_verifier_missing', "The PKCE code verifier parameter is required.");
+
+                return false;
+            }
+            // Validate code_verifier according to RFC-7636
+            // @see: https://tools.ietf.org/html/rfc7636#section-4.1
+            if (preg_match('/^[A-Za-z0-9-._~]{43,128}$/', $code_verifier) !== 1) {
+                $response->setError(400, 'code_verifier_invalid', "The PKCE code verifier parameter is invalid.");
+
+                return false;
+            }
+            $code_verifier = $request->request('code_verifier');
+            switch ($authCode['code_challenge_method']) {
+                case 'S256':
+                    $code_verifier_hashed = strtr(rtrim(base64_encode(hash('sha256', $code_verifier, true)), '='), '+/', '-_');
+                    break;
+
+                case 'plain':
+                    $code_verifier_hashed = $code_verifier;
+                    break;
+
+                default:
+                    $response->setError(400, 'code_challenge_method_invalid', "Unknown PKCE code challenge method.");
+
+                    return FALSE;
+            }
+            if ($code_verifier_hashed !== $authCode['code_challenge']) {
+                $response->setError(400, 'code_verifier_mismatch', "The PKCE code verifier parameter does not match the code challenge.");
+
+                return FALSE;
+            }
+        }
+
         if (!isset($authCode['code'])) {
             $authCode['code'] = $code; // used to expire the code after the access token is granted
         }
diff --git a/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/JwtBearer.php b/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/JwtBearer.php
index 62c1efabd..10d01ff51 100644
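Review bot: The final PKCE comparison `if ($code_verifier_hashed !== $authCode['code_challenge'])` uses a byte-wise, short-circuiting `!==`; for the `plain` method this compares the client's verifier itself, so `if (!hash_equals((string) $authCode['code_challenge'], $code_verifier_hashed)) {` is the conventional form (hash_equals needs PHP 5.6+ and string operands). `switch ($authCode['code_challenge_method'])` reads the key without `isset`; RFC 7636 §4.3 treats a missing method as `plain`, so unless the authorize endpoint always stores a method (not visible here) such a code lands in the `default` branch after a notice — either document that the stored method is mandatory or read it as `$method = isset($authCode['code_challenge_method']) ? $authCode['code_challenge_method'] : 'plain';`. The re-read `$code_verifier = $request->request('code_verifier');` after the regex check duplicates the assignment made in the `if (!(...))` guard and can be dropped. The two `return FALSE;` lines should be `return false;` to match the rest of the hunk. The enclosing method starts and ends outside the hunk.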
--- a/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/JwtBearer.php
+++ b/vendor/bshaffer/oauth2-server-php/src/OAuth2/GrantType/JwtBearer.php
@@ -46,13 +46,13 @@ class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface
             $jwtUtil = new Jwt();
         }
 
-        $this->config = array_merge(array(
+        $config = array_merge(array(
             'allowed_algorithms' => array('RS256', 'RS384', 'RS512')
         ), $config);
 
         $this->jwtUtil = $jwtUtil;
 
-        $this->allowedAlgorithms = $this->config['allowed_algorithms'];
+        $this->allowedAlgorithms = $config['allowed_algorithms'];
     }
 
     /**
@@ -127,7 +127,7 @@ class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface
         }
 
         // Check expiration
-        if (ctype_digit($jwt['exp'])) {
+        if (ctype_digit((string)$jwt['exp'])) {
             if ($jwt['exp'] <= time()) {
                 $response->setError(400, 'invalid_grant', "JWT has expired");
 
@@ -141,7 +141,7 @@ class JwtBearer implements GrantTypeInterface, ClientAssertionTypeInterface
 
         // Check the not before time
         if ($notBefore = $jwt['nbf']) {
-            if (ctype_digit($notBefore)) {
+            if (ctype_digit((string)$notBefore)) {
                 if ($notBefore > time()) {
                     $response->setError(400, 'invalid_grant', "JWT cannot be used before the Not Before (nbf) time"); |
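Review bot: The `(string)` cast in `if (ctype_digit((string)$jwt['exp'])) {` deserves a why-comment, because the reason is not visible in the code: passing non-string values to the `ctype_*` functions is deprecated since PHP 8.1, and small integers (-128..255) were previously interpreted as ASCII codes rather than digit strings. Suggest `// cast: ctype_digit() accepts only strings since PHP 8.1 (small ints were treated as ASCII codes)` above this line and above the identical cast in the `nbf` hunk that follows. A float claim with a fractional part, one large enough to print in exponent notation, or a negative value still fails the check and is rejected with the existing "must be a unix time stamp" error, which looks intended but is worth stating in that comment. The enclosing method starts and ends outside both hunks.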