OAuthServer - harden things up a bit
Summary: This is the hardening work mentioned in T887#86529. Also take a documentation pass for accuracy about these changes and formatting. Ref T4593. Test Plan: unit tests...! generated diviner docs and oauthserver doc looked good Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Maniphest Tasks: T4593 Differential Revision: https://secure.phabricator.com/D11298
This commit is contained in:
parent
7a6f4ab75a
commit
152072fc97
3 changed files with 45 additions and 35 deletions
|
@ -215,8 +215,8 @@ final class PhabricatorOAuthServer {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If there's a URI specified in an OAuth request, it must be validated in
|
* If there's a URI specified in an OAuth request, it must be validated in
|
||||||
* its own right. Further, it must have the same domain and (at least) the
|
* its own right. Further, it must have the same domain, the same path, the
|
||||||
* same query parameters as the primary URI.
|
* same port, and (at least) the same query parameters as the primary URI.
|
||||||
*/
|
*/
|
||||||
public function validateSecondaryRedirectURI(
|
public function validateSecondaryRedirectURI(
|
||||||
PhutilURI $secondary_uri,
|
PhutilURI $secondary_uri,
|
||||||
|
@ -232,6 +232,16 @@ final class PhabricatorOAuthServer {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Both URIs must have the same path
|
||||||
|
if ($secondary_uri->getPath() != $primary_uri->getPath()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Both URIs must have the same port
|
||||||
|
if ($secondary_uri->getPort() != $primary_uri->getPort()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// Any query parameters present in the first URI must be exactly present
|
// Any query parameters present in the first URI must be exactly present
|
||||||
// in the second URI.
|
// in the second URI.
|
||||||
$need_params = $primary_uri->getQueryParams();
|
$need_params = $primary_uri->getQueryParams();
|
||||||
|
|
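Review bot: The path and port checks added in the second hunk (`@ -232,6 +232,16`) compare with loose `!=`, under which `null`, `0` and `''` all compare equal and `'80'` equals `80`, so a missing port on one URI and an explicit `0` or empty port on the other would pass the check. For an allow-list comparison the strict form is clearer: `if ($secondary_uri->getPath() !== $primary_uri->getPath()) {` and `if ($secondary_uri->getPort() !== $primary_uri->getPort()) {`; if PhutilURI::getPort() can return either an int or a string depending on how the URI was built (not visible here), cast both sides before comparing so the strict check does not reject equivalent ports. The docblock revised in the first hunk could also state that the path is compared verbatim, since the updated test case in this commit treats `http://www.google.com` and `http://www.google.com/` as different URIs. validateSecondaryRedirectURI continues past the end of the second hunk.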
|
@ -24,11 +24,11 @@ final class PhabricatorOAuthServerTestCase
|
||||||
|
|
||||||
public function testValidateSecondaryRedirectURI() {
|
public function testValidateSecondaryRedirectURI() {
|
||||||
$server = new PhabricatorOAuthServer();
|
$server = new PhabricatorOAuthServer();
|
||||||
$primary_uri = new PhutilURI('http://www.google.com');
|
$primary_uri = new PhutilURI('http://www.google.com/');
|
||||||
static $test_domain_map = array(
|
static $test_domain_map = array(
|
||||||
'http://www.google.com' => true,
|
'http://www.google.com' => false,
|
||||||
'http://www.google.com/' => true,
|
'http://www.google.com/' => true,
|
||||||
'http://www.google.com/auth' => true,
|
'http://www.google.com/auth' => false,
|
||||||
'http://www.google.com/?auth' => true,
|
'http://www.google.com/?auth' => true,
|
||||||
'www.google.com' => false,
|
'www.google.com' => false,
|
||||||
'http://www.google.com/auth#invalid' => false,
|
'http://www.google.com/auth#invalid' => false,
|
||||||
|
@ -76,12 +76,12 @@ final class PhabricatorOAuthServerTestCase
|
||||||
|
|
||||||
$primary_uri = new PhutilURI('http://example.com/?z=2&y=3');
|
$primary_uri = new PhutilURI('http://example.com/?z=2&y=3');
|
||||||
$tests = array(
|
$tests = array(
|
||||||
'http://example.com?z=2&y=3' => true,
|
'http://example.com/?z=2&y=3' => true,
|
||||||
'http://example.com?y=3&z=2' => true,
|
'http://example.com/?y=3&z=2' => true,
|
||||||
'http://example.com?y=3&z=2&x=1' => true,
|
'http://example.com/?y=3&z=2&x=1' => true,
|
||||||
'http://example.com?y=2&z=3' => false,
|
'http://example.com/?y=2&z=3' => false,
|
||||||
'http://example.com?y&x' => false,
|
'http://example.com/?y&x' => false,
|
||||||
'http://example.com?z=2&x=3' => false,
|
'http://example.com/?z=2&x=3' => false,
|
||||||
);
|
);
|
||||||
foreach ($tests as $input => $expected) {
|
foreach ($tests as $input => $expected) {
|
||||||
$uri = new PhutilURI($input);
|
$uri = new PhutilURI($input);
|
||||||
|
|
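Review bot: The revised expectations in the first hunk (`@ -24,11 +24,11`) cover the new path rule, but nothing in either hunk exercises the port comparison the server change introduces, so a regression there would go unnoticed. Adding an entry such as `'http://www.google.com:8080/' => false,` to `$test_domain_map` would pin it, and a companion case for the default port (whether `http://www.google.com:80/` should match the port-less primary) would document the intended behaviour either way. The test method's body continues past the end of the first hunk, and the `foreach` loop over `$tests` in the second hunk also closes outside it.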
|
@ -18,20 +18,20 @@ clients that implement OAuth 2.0.
|
||||||
|
|
||||||
= Vocabulary =
|
= Vocabulary =
|
||||||
|
|
||||||
- **Access token** - a token which allows a client to ask for data on
|
- **Access token** - a token which allows a client to ask for data on behalf
|
||||||
behalf of a resource owner. A given client will only be able to access
|
of a resource owner. A given client will only be able to access data included
|
||||||
data included in the scope(s) the resource owner authorized that client for.
|
in the scope(s) the resource owner authorized that client for.
|
||||||
- **Authorization code** - a short-lived code which allows an authenticated
|
- **Authorization code** - a short-lived code which allows an authenticated
|
||||||
client to ask for an access token on behalf of some resource owner.
|
client to ask for an access token on behalf of some resource owner.
|
||||||
- **Client** - this is the application or system asking for data from the
|
- **Client** - this is the application or system asking for data from the
|
||||||
OAuth Server on behalf of the resource owner.
|
OAuth Server on behalf of the resource owner.
|
||||||
- **Resource owner** - this is the user the client and OAuth Server are
|
- **Resource owner** - this is the user the client and OAuth Server are
|
||||||
concerned with on a given request.
|
concerned with on a given request.
|
||||||
- **Scope** - this defines a specific piece of granular data a client can
|
- **Scope** - this defines a specific piece of granular data a client can
|
||||||
or can not access on behalf of a user. For example, if authorized for the
|
or can not access on behalf of a user. For example, if authorized for the
|
||||||
"whoami" scope on behalf of a given resource owner, the client can get the
|
"whoami" scope on behalf of a given resource owner, the client can get the
|
||||||
results of Conduit.whoami for that resource owner when authenticated with
|
results of Conduit.whoami for that resource owner when authenticated with
|
||||||
a valid access token.
|
a valid access token.
|
||||||
|
|
||||||
= Setup - Creating a Client =
|
= Setup - Creating a Client =
|
||||||
|
|
||||||
|
@ -46,16 +46,16 @@ following parameters:
|
||||||
|
|
||||||
- Required - **client_id** - the id of the newly registered client.
|
- Required - **client_id** - the id of the newly registered client.
|
||||||
- Required - **response_type** - the desired type of authorization code
|
- Required - **response_type** - the desired type of authorization code
|
||||||
response. Only code is supported at this time.
|
response. Only code is supported at this time.
|
||||||
- Optional - **redirect_uri** - override the redirect_uri the client
|
- Optional - **redirect_uri** - override the redirect_uri the client
|
||||||
registered. This redirect_uri must have the same fully-qualified domain
|
registered. This redirect_uri must have the same fully-qualified domain,
|
||||||
and have at least the same query parameters as the redirect_uri the client
|
path, port and have at least the same query parameters as the redirect_uri
|
||||||
registered, as well as have no fragments.
|
the client registered, as well as have no fragments.
|
||||||
- Optional - **scope** - specify what scope(s) the client needs access to
|
- Optional - **scope** - specify what scope(s) the client needs access to
|
||||||
in a space-delimited list.
|
in a space-delimited list.
|
||||||
- Optional - **state** - an opaque value the client can send to the server
|
- Optional - **state** - an opaque value the client can send to the server
|
||||||
for programmatic excellence. Some clients use this value to implement XSRF
|
for programmatic excellence. Some clients use this value to implement XSRF
|
||||||
protection or for debugging purposes.
|
protection or for debugging purposes.
|
||||||
|
|
||||||
If done correctly and the resource owner has not yet authorized the client
|
If done correctly and the resource owner has not yet authorized the client
|
||||||
for the desired scope, then the resource owner will be presented with an
|
for the desired scope, then the resource owner will be presented with an
|
||||||
|
@ -81,14 +81,14 @@ with the following parameters:
|
||||||
|
|
||||||
- Required - **client_id** - the id of the client
|
- Required - **client_id** - the id of the client
|
||||||
- Required - **client_secret** - the secret of the client.
|
- Required - **client_secret** - the secret of the client.
|
||||||
This is used to authenticate the client.
|
This is used to authenticate the client.
|
||||||
- Required - **code** - the authorization code obtained earlier.
|
- Required - **code** - the authorization code obtained earlier.
|
||||||
- Required - **grant_type** - the desired type of access grant.
|
- Required - **grant_type** - the desired type of access grant.
|
||||||
Only token is supported at this time.
|
Only token is supported at this time.
|
||||||
- Optional - **redirect_uri** - should be the exact same redirect_uri as
|
- Optional - **redirect_uri** - should be the exact same redirect_uri as
|
||||||
the redirect_uri specified to obtain the authorization code. If no
|
the redirect_uri specified to obtain the authorization code. If no
|
||||||
redirect_uri was specified to obtain the authorization code then this
|
redirect_uri was specified to obtain the authorization code then this
|
||||||
should not be specified.
|
should not be specified.
|
||||||
|
|
||||||
If done correctly, the OAuth Server will redirect to the pertinent
|
If done correctly, the OAuth Server will redirect to the pertinent
|
||||||
redirect_uri with an access token.
|
redirect_uri with an access token.
|
||||||
|
@ -115,6 +115,6 @@ currently exposed through the OAuth Server.
|
||||||
There are only two scopes supported at this time.
|
There are only two scopes supported at this time.
|
||||||
|
|
||||||
- **offline_access** - allows an access token to work indefinitely without
|
- **offline_access** - allows an access token to work indefinitely without
|
||||||
expiring.
|
expiring.
|
||||||
- **whoami** - allows the client to access the results of Conduit.whoami on
|
- **whoami** - allows the client to access the results of Conduit.whoami on
|
||||||
behalf of the resource owner.
|
behalf of the resource owner.
|
||||||
|
|