thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Add custom encoders for token ID and refresh token, not just bin2hex #765

Open mcd-php opened 7 years ago

mcd-php commented 7 years ago

Bin2hex is too lengthy. Is it strictly mandated by the standard, or is anything else proven insecure?

BearerTokenResponse.php#L35 is asking for something like this:

interface Codec {
    public function encode($rawData);
    public function decode($encodedData);
}

$codecChain = new CodecChain([
    new CodecBase58(),
    new CodecCrypt($algo, $key),
    new CodecGzip(),
    new CodecTryDecode([
        new CodecThrift(),
        new CodecProtobuf(),
        new CodecMsgPack(),
        new CodecJson()
    ])
]);

alexbilbie commented 7 years ago

Are you sure BearerTokenResponse.php#L35 is the right file?

Do you mean AbstractGrant.php#463?

Regardless, the identifier needs to be encoded to a UTF-8 string to be returned in the JSON payload; so even with protobuf, thrift and gzip it needs passing through bin2hex or base64_encode.

mcd-php commented 7 years ago

I have seen two places with too lengthy encodings (bin2hex with no option, JSON, no compression, etc.): the first is BearerTokenResponse.php#L35 and the second is AbstractGrant.php#463.

Since you are the primary author, I advise you to list all such places and apply pluggable codecs to them, so user-programmers can encode more efficiently, compress, etc.

I tried to find the decoding counterpart of BearerTokenResponse.php#L35 but failed to do so quickly, since the artifact being created is not wrapped in any class or interface.
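As an added example (my own code, not from the oauth2-server project), two interchangeable codecs in the shape of the Codec interface sketched in the opening comment. It illustrates the reply's point: whatever encoding is plugged in, the identifier must end up as a plain string for the JSON body, and base64url gets there in fewer characters than bin2hex while decoding back to the same bytes. The 40-byte identifier length and the class names are assumptions.

```php
<?php
// Added example, not library code. A pluggable identifier codec: the entropy
// lives in the random bytes; the codec only decides how long the text form is.
declare(strict_types=1);

interface IdentifierCodec
{
    public function encode(string $rawBytes): string;
    public function decode(string $encoded): string;
}

// What bin2hex gives today: 2 characters per byte, always decodable.
final class HexCodec implements IdentifierCodec
{
    public function encode(string $rawBytes): string { return bin2hex($rawBytes); }
    public function decode(string $encoded): string
    {
        $raw = hex2bin($encoded);
        if ($raw === false) { throw new InvalidArgumentException('not hex'); }
        return $raw;
    }
}

// Base64url (RFC 4648 section 5, no padding): about 1.33 characters per byte
// and safe in URLs and HTTP headers, unlike plain base64 with '+', '/' and '='.
final class Base64UrlCodec implements IdentifierCodec
{
    public function encode(string $rawBytes): string
    {
        return rtrim(strtr(base64_encode($rawBytes), '+/', '-_'), '=');
    }
    public function decode(string $encoded): string
    {
        // strict mode rejects characters outside the alphabet instead of skipping them
        $raw = base64_decode(strtr($encoded, '-_', '+/'), true);
        if ($raw === false) { throw new InvalidArgumentException('not base64url'); }
        return $raw;
    }
}

// 40 random bytes is an assumed identifier length; both codecs must round-trip it.
$raw = random_bytes(40);
foreach ([new HexCodec(), new Base64UrlCodec()] as $codec) {
    $encoded = $codec->encode($raw);
    if ($codec->decode($encoded) !== $raw) { throw new RuntimeException('round-trip failed'); }
    printf("%-16s %d chars\n", get_class($codec), strlen($encoded));
}
```

Either string is valid JSON content; a compressing or encrypting stage such as the CodecGzip or CodecCrypt proposed above would still have to be followed by one of these text encoders.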