Closed akshare closed 10 months ago
Figured it out.
I needed to set `isConfidential` to true in ClientEntity.php and then add the conditions that check the client_id and secret within `validateClient()` in ClientRepository.php.
My updated ClientEntity.php:

```php
class ClientEntity implements \League\OAuth2\Server\Entities\ClientEntityInterface
{
    use \League\OAuth2\Server\Entities\Traits\ClientTrait;
    use \League\OAuth2\Server\Entities\Traits\EntityTrait;

    public function __construct()
    {
        // Confidential clients must present a client_secret at the token endpoint
        $this->isConfidential = true;
        $this->name = 'The client App';
        $this->setIdentifier("MyApp");
        $this->redirectUri = "link to process-auth-code.php";
    }
}
```
My updated ClientRepository.php:

```php
class ClientRepository implements \League\OAuth2\Server\Repositories\ClientRepositoryInterface
{
    public function getClientEntity($clientIdentifier)
    {
        $theClient = new ClientEntity();
        $theClient->setIdentifier($clientIdentifier);
        return $theClient;
    }

    public function validateClient($clientIdentifier, $clientSecret, $grantType)
    {
        // Compare the secret with hash_equals() so the check is strict and constant-time
        if ($clientIdentifier === "MyApp" && is_string($clientSecret)
            && hash_equals("MyAppSecret", $clientSecret)) {
            return true;
        }
        return false;
    }
}
```
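As an added example (not the issue author's code), the same idea with a client registry instead of a single hard-coded secret: unknown client_ids are rejected in `getClientEntity()`, confidential clients must prove a hashed secret, and public PKCE clients pass without one. It assumes league/oauth2-server v8.x; the client entries and secret are constructed sample values.

```php
<?php
// Added example, not the issue author's code: validate clients against a
// registry instead of a hard-coded string comparison (league/oauth2-server v8.x).
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\Traits\ClientTrait;
use League\OAuth2\Server\Entities\Traits\EntityTrait;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
class ClientEntity implements ClientEntityInterface
{
    use ClientTrait, EntityTrait;
    public function __construct(string $id, string $name, string $redirectUri, bool $confidential)
    {
        $this->setIdentifier($id);
        $this->name = $name;
        $this->redirectUri = $redirectUri;
        $this->isConfidential = $confidential;
    }
}
class ClientRepository implements ClientRepositoryInterface
{
    private array $clients;
    public function __construct()
    {
        // Constructed registry; a real server loads it from a database and stores
        // secrets only as password_hash() output, never in plaintext.
        $this->clients = [
            'MyApp' => ['name' => 'The client App', 'confidential' => true,
                'redirect_uri' => 'https://example.test/process-auth-code.php',
                'secret_hash' => password_hash('MyAppSecret', PASSWORD_DEFAULT)],
            'MobileApp' => ['name' => 'Mobile App', 'confidential' => false, // public, PKCE only
                'redirect_uri' => 'com.example.app:/callback', 'secret_hash' => null],
        ];
    }
    public function getClientEntity($clientIdentifier): ?ClientEntityInterface
    {
        $c = $this->clients[$clientIdentifier] ?? null;
        if ($c === null) return null; // unknown client_id: the server answers invalid_client
        return new ClientEntity($clientIdentifier, $c['name'], $c['redirect_uri'], $c['confidential']);
    }
    public function validateClient($clientIdentifier, $clientSecret, $grantType): bool
    {
        $c = $this->clients[$clientIdentifier] ?? null;
        if ($c === null) return false;
        if (!$c['confidential']) return true; // public client: PKCE protects the code exchange
        // Confidential client: a secret is required and compared in constant time.
        return is_string($clientSecret) && password_verify($clientSecret, $c['secret_hash']);
    }
}
```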
I'm able to generate an access token and a refresh token with the authorization code grant + PKCE using the thephpleague client + server.
When the auth code is exchanged for an access token, how can I validate the client (client_secret), so that only authorized clients from a list have access?
Right now, I can set random clients/secrets and an access_token is generated nonetheless.
Any help to point me in the right direction would be really appreciated!
This is my ClientEntity.php
This is my ClientRepository.php (I'm guessing I have to use validateClient() somewhere in access-token.php?)
This is my access-token.php endpoint.