laminas-api-tools / api-tools-oauth2

Laminas module for implementing an OAuth2 server
https://api-tools.getlaminas.org/documentation
BSD 3-Clause "New" or "Revised" License

OAuth2 Request & Response are not extendable #23

Closed TomHAnderson closed 4 years ago

TomHAnderson commented 4 years ago

Feature Request

Q            A
New Feature  yes
RFC          yes
BC Break     no

Summary

OAuth2 client libraries expect error messages to be after the hash (#) in the URI. This is a valid response from the OAuth2 server when a user denies access to a client:

http://docker.lcdb:4200/login#error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F

However, the OAuth2 library formats errors as request parameters, such as:

http://docker.lcdb:4200/login?error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F

Detail

This is an issue in the OAuth2\Response class, in the setRedirect function, which assigns the error messages to the request parameters. The proper way to resolve this would be to extend the OAuth2\Response class and override the setRedirect function. However, api-tools-oauth2 uses static namespaces for the Request and Response classes from the OAuth2 namespace.

Therefore there is no method available to set a custom Request or Response class for OAuth2. Overriding these classes is built into OAuth2 by design, but, to restate, this repository does not allow custom classes for Request and Response.

The Request class takes parameters (https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/src/Controller/AuthController.php#L314) and the Response class does not, but to fix this I think the same method needs to be applied to each.

Proposed Solution

I propose the api-tools-oauth2 configuration be extended to include two required keys which default to the following:

$config = [
    'api-tools-oauth2' => [
        'oauth2-request-class' => 'OAuth2\Request',
        'oauth2-response-class' => 'OAuth2\Response',
    ],
];

The Auth controller will be modified to use these values instead of the static namespaces used now. These values will be added to https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/config/module.config.php

TomHAnderson commented 4 years ago

Closing. This can be accomplished by overriding the controller and creating both a custom controller and response class.
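The Response subclass that the "Detail" section and the closing comment describe, written here as an added example; it is not code from api-tools-oauth2 or from bshaffer/oauth2-server-php, and the controller override that would wire it in is not shown. It assumes that OAuth2\Response exposes setError(), setStatusCode(), getParameters(), addHttpHeaders(), getHttpHeader() and isRedirection() as public methods (the calls the parent setRedirect() itself makes). The App\OAuth2 namespace, the FragmentAwareResponse class, the withFragmentErrors() flag and the buildRedirectUri() helper are hypothetical names chosen for this example. Following RFC 6749, errors go in the fragment only for the implicit grant (response_type=token, section 4.2.2.1); authorization-code errors stay in the query string (section 4.1.2.1), which is why the behaviour is a flag the controller sets rather than a blanket change.

```php
<?php
declare(strict_types=1);

// Added example, not part of api-tools-oauth2 or oauth2-server-php.
// Requires bshaffer/oauth2-server-php on the Composer autoloader.
namespace App\OAuth2;

use InvalidArgumentException;
use OAuth2\Response as BaseResponse;

/**
 * Hypothetical helper: append $params to $redirectUri either as query
 * parameters or in the fragment. Any query/fragment already present in the
 * registered redirect URI is preserved, and http_build_query() percent-encodes
 * values, so a state such as "abc;/" is emitted safely.
 */
function buildRedirectUri(string $redirectUri, array $params, bool $inFragment): string
{
    if ($params === []) {
        return $redirectUri;
    }

    $parts = parse_url($redirectUri);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('redirect_uri must be an absolute URI');
    }

    $encoded = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    $base = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '');

    $query    = $parts['query'] ?? '';
    $fragment = $parts['fragment'] ?? '';

    if ($inFragment) {
        $fragment = $fragment === '' ? $encoded : $fragment . '&' . $encoded;
    } else {
        $query = $query === '' ? $encoded : $query . '&' . $encoded;
    }

    return $base
        . ($query !== '' ? '?' . $query : '')
        . ($fragment !== '' ? '#' . $fragment : '');
}

/**
 * Hypothetical Response subclass. The custom controller (assumed, not shown)
 * calls withFragmentErrors(true) when the request's response_type is "token".
 */
final class FragmentAwareResponse extends BaseResponse
{
    private bool $useFragment = false;

    public function withFragmentErrors(bool $flag = true): self
    {
        $this->useFragment = $flag;
        return $this;
    }

    // Same signature as the parent; only the placement of the parameters changes.
    public function setRedirect($statusCode, $url, $state = null, $error = null, $errorDescription = null, $errorUri = null)
    {
        if (empty($url)) {
            throw new InvalidArgumentException('Cannot redirect to an empty URL.');
        }

        $params = [];
        if ($state !== null) {
            $params['state'] = $state; // echoed back unchanged so the client can check its CSRF binding
        }
        if ($error !== null) {
            // Parent method: records error / error_description / error_uri as response parameters.
            $this->setError(400, $error, $errorDescription, $errorUri);
        }
        $this->setStatusCode($statusCode);
        $params = array_merge($params, $this->getParameters());

        $this->addHttpHeaders(['Location' => buildRedirectUri($url, $params, $this->useFragment)]);

        if (!$this->isRedirection()) {
            throw new InvalidArgumentException(sprintf('The HTTP status code is not a redirect ("%s" given).', $statusCode));
        }
    }
}

// Constructed demo: the denial from the issue, once per grant type.
if (PHP_SAPI === 'cli') {
    foreach (['implicit (fragment)' => true, 'code (query)' => false] as $label => $fragment) {
        $r = (new FragmentAwareResponse())->withFragmentErrors($fragment);
        $r->setRedirect(302, 'http://docker.lcdb:4200/login', 'VWd4TGxP', 'access_denied', 'The user denied access to your application');
        echo $label, ': ', $r->getHttpHeader('Location'), PHP_EOL;
    }
}
```

Two checks worth keeping in mind when adopting something like this: the state value must be passed through verbatim (only encoding changes), and the redirect target must still be the client's registered redirect_uri, validated before setRedirect() is ever reached, since putting parameters in the fragment does nothing to protect an open redirect.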