Remove the encrypted payload from AuthCode and RefreshToken

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added a new function to the provided ClientTrait, `supportsGrantType` to allow the auth server to issue the response `unauthorized_client` when applicable (PR #1420)
+
+### Fixed
+- Clients only validated for Refresh, Device Code, and Password grants if the client is confidential (PR #1420)
+
 ### Changed
 - Key permission checks ignored on Windows regardless of userland choice as cannot be run successfully on this OS (PR #1447)
 

examples/README.md

@@ -1,12 +1,11 @@
-# Example implementations
+# Example implementations (via [`Slim 3`](https://github.com/slimphp/Slim/tree/3.x))
 
 ## Installation
 
 0. Run `composer install` in this directory to install dependencies
 0. Create a private key `openssl genrsa -out private.key 2048`
-0. Create a public key `openssl rsa -in private.key -pubout > public.key`
-0. `cd` into the public directory
-0. Start a PHP server `php -S localhost:4444`
+0. Export the public key `openssl rsa -in private.key -pubout > public.key`
+0. Start local PHP server `php -S 127.0.0.1:4444 -t public/`
 
 ## Testing the client credentials grant example
 

examples/src/Repositories/AccessTokenRepository.php

@@ -14,6 +14,7 @@
 
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
 use OAuth2ServerExamples\Entities\AccessTokenEntity;
 
@@ -46,20 +47,17 @@ public function isAccessTokenRevoked($tokenId): bool
     /**
      * {@inheritdoc}
      */
-    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, $userIdentifier = null): AccessTokenEntityInterface
+    public function getNewToken(ClientEntityInterface $clientEntity, array $scopes, ?UserEntityInterface $user = null): AccessTokenEntityInterface
     {
         $accessToken = new AccessTokenEntity();
 
         $accessToken->setClient($clientEntity);
+        $accessToken->setUser($user);
 
         foreach ($scopes as $scope) {
             $accessToken->addScope($scope);
         }
 
-        if ($userIdentifier !== null) {
-            $accessToken->setUserIdentifier((string) $userIdentifier);
-        }
-
         return $accessToken;
     }
 }

examples/src/Repositories/AuthCodeRepository.php

@@ -21,31 +21,31 @@ class AuthCodeRepository implements AuthCodeRepositoryInterface
     /**
      * {@inheritdoc}
      */
-    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity)
+    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void
     {
         // Some logic to persist the auth code to a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function revokeAuthCode($codeId)
+    public function revokeAuthCode($codeId): void
     {
         // Some logic to revoke the auth code in a database
     }
 
     /**
      * {@inheritdoc}
      */
-    public function isAuthCodeRevoked($codeId)
+    public function isAuthCodeRevoked($codeId): bool
     {
         return false; // The auth code has not been revoked
     }
 
     /**
      * {@inheritdoc}
      */
-    public function getNewAuthCode()
+    public function getNewAuthCode(): AuthCodeEntityInterface
     {
         return new AuthCodeEntity();
     }

src/AuthorizationServer.php

@@ -14,6 +14,7 @@
 
 use DateInterval;
 use Defuse\Crypto\Key;
+use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\EventEmitting\EmitterAwareInterface;
 use League\OAuth2\Server\EventEmitting\EmitterAwarePolyfill;
 use League\OAuth2\Server\Exception\OAuthServerException;
@@ -42,14 +43,8 @@ class AuthorizationServer implements EmitterAwareInterface
      */
     protected array $grantTypeAccessTokenTTL = [];
 
-    protected CryptKeyInterface $privateKey;
-
-    protected CryptKeyInterface $publicKey;
-
     protected ResponseTypeInterface $responseType;
 
-    private string|Key $encryptionKey;
-
     private string $defaultScope = '';
 
     private bool $revokeRefreshTokens = true;
@@ -61,17 +56,8 @@ public function __construct(
         private ClientRepositoryInterface $clientRepository,
         private AccessTokenRepositoryInterface $accessTokenRepository,
         private ScopeRepositoryInterface $scopeRepository,
-        CryptKeyInterface|string $privateKey,
-        Key|string $encryptionKey,
         ResponseTypeInterface|null $responseType = null
     ) {
-        if ($privateKey instanceof CryptKeyInterface === false) {
-            $privateKey = new CryptKey($privateKey);
-        }
-
-        $this->privateKey = $privateKey;
-        $this->encryptionKey = $encryptionKey;
-
         if ($responseType === null) {
             $responseType = new BearerTokenResponse();
         } else {
@@ -94,9 +80,7 @@ public function enableGrantType(GrantTypeInterface $grantType, DateInterval|null
         $grantType->setClientRepository($this->clientRepository);
         $grantType->setScopeRepository($this->scopeRepository);
         $grantType->setDefaultScope($this->defaultScope);
-        $grantType->setPrivateKey($this->privateKey);
         $grantType->setEmitter($this->getEmitter());
-        $grantType->setEncryptionKey($this->encryptionKey);
         $grantType->revokeRefreshTokens($this->revokeRefreshTokens);
 
         $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;
@@ -152,10 +136,10 @@ public function respondToDeviceAuthorizationRequest(ServerRequestInterface $requ
     /**
      * Complete a device authorization request
      */
-    public function completeDeviceAuthorizationRequest(string $deviceCode, string $userId, bool $userApproved): void
+    public function completeDeviceAuthorizationRequest(string $deviceCode, UserEntityInterface $user, bool $userApproved): void
     {
         $this->enabledGrantTypes['urn:ietf:params:oauth:grant-type:device_code']
-          ->completeDeviceAuthorizationRequest($deviceCode, $userId, $userApproved);
+          ->completeDeviceAuthorizationRequest($deviceCode, $user, $userApproved);
     }
 
     /**
@@ -187,15 +171,7 @@ public function respondToAccessTokenRequest(ServerRequestInterface $request, Res
      */
     protected function getResponseType(): ResponseTypeInterface
     {
-        $responseType = clone $this->responseType;
-
-        if ($responseType instanceof AbstractResponseType) {
-            $responseType->setPrivateKey($this->privateKey);
-        }
-
-        $responseType->setEncryptionKey($this->encryptionKey);
-
-        return $responseType;
+        return clone $this->responseType;
     }
 
     /**

src/AuthorizationValidators/BearerTokenValidator.php

@@ -36,8 +36,6 @@
 
 class BearerTokenValidator implements AuthorizationValidatorInterface
 {
-    use CryptTrait;
-
     protected CryptKeyInterface $publicKey;
 
     private Configuration $jwtConfiguration;

src/Entities/AccessTokenEntityInterface.php

@@ -17,12 +17,17 @@
 interface AccessTokenEntityInterface extends TokenInterface
 {
     /**
-     * Set a private key used to encrypt the access token.
+     * Generate a string representation of the access token.
      */
-    public function setPrivateKey(CryptKeyInterface $privateKey): void;
+    public function toString(): string;
 
     /**
-     * Generate a string representation of the access token.
+     * Set the algorithm for signing the access token with the given private key
+     * 
+     * @see https://lcobucci-jwt.readthedocs.io/en/latest/supported-algorithms/
+     * 
+     * Symmetric - HS256, HS384, HS512, BLAKE2B
+     * Asymmetric - ES256, ES384, ES512, RS256, RS384, RS512, EdDSA
      */
-    public function toString(): string;
+    public function setSigner(string $signerAlgorithm, CryptKeyInterface $privateKey): void;
 }

src/Entities/AuthCodeEntityInterface.php

@@ -14,7 +14,15 @@
 
 interface AuthCodeEntityInterface extends TokenInterface
 {
-    public function getRedirectUri(): string|null;
+    public function getRedirectUri(): ?string;
 
-    public function setRedirectUri(string $uri): void;
+    public function setRedirectUri(?string $uri): void;
+
+    public function setCodeChallenge(?string $codeChallenge): void;
+
+    public function getCodeChallenge(): ?string;
+
+    public function setCodeChallengeMethod(?string $codeChallengeMethod): void;
+
+    public function getCodeChallengeMethod(): ?string;
 }

src/Entities/ClientEntityInterface.php

@@ -38,4 +38,11 @@ public function getRedirectUri(): string|array;
      * Returns true if the client is confidential.
      */
     public function isConfidential(): bool;
+
+    /*
+     * Returns true if the client supports the given grant type.
+     *
+     * To be added in a future major release.
+     */
+    // public function supportsGrantType(string $grantType): bool;
 }

src/Entities/RefreshTokenEntityInterface.php

@@ -12,34 +12,8 @@
 
 namespace League\OAuth2\Server\Entities;
 
-use DateTimeImmutable;
-
-interface RefreshTokenEntityInterface
+interface RefreshTokenEntityInterface extends TokenInterface
 {
-    /**
-     * Get the token's identifier.
-     *
-     * @return non-empty-string
-     */
-    public function getIdentifier(): string;
-
-    /**
-     * Set the token's identifier.
-     *
-     * @param non-empty-string $identifier
-     */
-    public function setIdentifier(string $identifier): void;
-
-    /**
-     * Get the token's expiry date time.
-     */
-    public function getExpiryDateTime(): DateTimeImmutable;
-
-    /**
-     * Set the date time when the token expires.
-     */
-    public function setExpiryDateTime(DateTimeImmutable $dateTime): void;
-
     /**
      * Set the access token that the refresh token was associated with.
      */