search

thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License
6.49k stars 1.12k forks source link

Custom unique identifier generator #1365

Open AurelienPillevesse opened 11 months ago

AurelienPillevesse commented 11 months ago

Currently, the unique identifier generator is a function available here that cannot be easily modified: https://github.com/thephpleague/oauth2-server/blob/eb91b4190e7f6169053ebf8ffa352d47e756b2ce/src/Grant/AbstractGrant.php#L569

Would it be possible to customize the generation of the unique identifier? In my case, I'd like to use the UUID, for example, to make sure that the identifier is unique. In someone else's case, he'd like to use the auto-incremented ID.

What do you think of this improvement to make unique ID generation more easily modifiable?

An idea could be :

public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null, UniqueIdGeneratorInterface $uniqueIdGenerator = null)
{
    if ($accessTokenTTL === null) {
        $accessTokenTTL = new DateInterval('PT1H');
    }

    --> if ($uniqueIdGenerator === null) {
    -->     $uniqueIdGenerator = /*a class which represents the current unique id generator behavior */;
    --> }

    $grantType->setAccessTokenRepository($this->accessTokenRepository);
    $grantType->setClientRepository($this->clientRepository);
    $grantType->setScopeRepository($this->scopeRepository);
    $grantType->setDefaultScope($this->defaultScope);
    $grantType->setPrivateKey($this->privateKey);
    $grantType->setEmitter($this->getEmitter());
    $grantType->setEncryptionKey($this->encryptionKey);
    $grantType->revokeRefreshTokens($this->revokeRefreshTokens);
    --> $grantType->setUniqueIdGenerator($uniqueIdGenerator);

    $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
    $this->grantTypeAccessTokenTTL[$grantType->getIdentifier()] = $accessTokenTTL;
}

Or another idea : 

(instead of this)

while ($maxGenerationAttempts-- > 0) {
    $accessToken->setIdentifier($this->generateUniqueIdentifier());
    try {
        $this->accessTokenRepository->persistNewAccessToken($accessToken);
        return $accessToken;
    } catch (UniqueTokenIdentifierConstraintViolationException $e) {
        if ($maxGenerationAttempts === 0) {
            throw $e;
        }
    }
}

(doing this)        

$accessToken->setIdentifier($this->accessTokenRepository->getUniqueIdentifier());
$this->accessTokenRepository->persistNewAccessToken($accessToken);
return $accessToken;
marcriemer commented 1 month ago

I suggest that the creation of unique identifiers should be handled within the repositories.

For example: The new getNewToken() function should be responsible for setting the identifier.

Additionally, it might be beneficial to check for an existing identifier to prevent overwriting in case the repository has already generated a unique identifier.