trikoder / oauth2-bundle

Symfony bundle which provides OAuth 2.0 authorization/resource server capabilities.
https://www.trikoder.net/
MIT License

Allow empty redirect_url in authorization_code flow #188

Open pszalko opened 4 years ago

pszalko commented 4 years ago

I'm using Authorization Code flow to authorize OAuth2 client. The redirect_uri will be dynamic, different each time for the same client.

The issue is that AuthCodeGrant does not allow authorization when the client has an empty redirect_url set in its configuration.

The same issue is true for any Grant extending from the AbstractGrant class, because the validation method does not allow an empty redirect_uri in ClientEntity.

Here is how I create the client:

./bin/console trikoder:oauth:create-client --grant-type=authorization_code --grant-type=refresh_token --public my_client_id

 [OK] New oAuth2 client created successfully.                                                                           

 -------------- -------- 
  Identifier     Secret  
 -------------- -------- 
  my_client_id           
 -------------- -------- 

and the database entry is as follows:

# identifier, secret, redirect_uris, grants, scopes, active, allow_plain_text_pkce
'my_client_id', NULL, NULL, 'authorization_code refresh_token', NULL, '1', '0'

The code that should allow empty redirect_uri is in AbstractGrant. Please note that this method does not check if $client->getRedirectUri() is an empty array:

    protected function validateRedirectUri(
        string $redirectUri,
        ClientEntityInterface $client,
        ServerRequestInterface $request
    ) {
        if (\is_string($client->getRedirectUri())
            && (strcmp($client->getRedirectUri(), $redirectUri) !== 0)
        ) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient($request);
        } elseif (\is_array($client->getRedirectUri())
            && \in_array($redirectUri, $client->getRedirectUri(), true) === false
        ) {
            $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
            throw OAuthServerException::invalidClient($request);
        }
    }
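
To make the branch behaviour concrete, the following is a stand-alone PHP re-implementation of the same comparison, added here as an example (it is not code from the bundle or from league/oauth2-server; `checkRedirectUri` and the constructed client records are assumptions). It runs the check against a client registered with a single string, a list of URIs, and the empty list from the database row above:

```php
<?php
declare(strict_types=1);

// Constructed re-implementation of the comparison in AbstractGrant::validateRedirectUri.
// Returns true when the request's redirect_uri is accepted and false where the
// library's method would emit CLIENT_AUTHENTICATION_FAILED and throw invalidClient().
function checkRedirectUri(string $requested, $registered): bool
{
    if (\is_string($registered)) {
        // Single registered URI: exact, byte-for-byte comparison, no prefix matching.
        return strcmp($registered, $requested) === 0;
    }
    if (\is_array($registered)) {
        // List of registered URIs: strict exact match against any entry.
        // An empty list can never contain the requested URI, so every request is rejected.
        return \in_array($requested, $registered, true);
    }
    // Neither branch applies (e.g. null): the method in the snippet falls through
    // without throwing, so the request is accepted.
    return true;
}

// Constructed sample cases: [requested redirect_uri, registered value, expected result].
$cases = [
    'string, exact match'     => ['https://app.example/cb',     'https://app.example/cb', true],
    'string, trailing slash'  => ['https://app.example/cb/',    'https://app.example/cb', false],
    'array, second entry'     => ['https://b.example/cb',       ['https://a.example/cb', 'https://b.example/cb'], true],
    'array, query appended'   => ['https://a.example/cb?x=1',   ['https://a.example/cb'], false],
    'empty array (the issue)' => ['https://any.example/cb',     [], false],
];

foreach ($cases as $label => [$requested, $registered, $expected]) {
    $accepted = checkRedirectUri($requested, $registered);
    printf("%-25s accepted=%s\n", $label, var_export($accepted, true));
    assert($accepted === $expected);
}
```

Registering every allowed redirect URI on the client keeps this exact-match check intact; skipping the check whenever the registered list is empty would let any redirect_uri through, which is the case the check exists to reject.
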
solivier commented 3 years ago

I had the same issue; it's due to the fact that they changed the AbstractGrant class 2 months ago (https://github.com/thephpleague/oauth2-server/commit/cb35b9a02ba69a4205b636544368ccb56762ecc5) and we use a non-fixed version of phpleague/oauth2-server.

A possible solution would be to set this requirement to 8.1.1