1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-18 11:30:55 +01:00

oauthserver: get client ID/secret from HTTP auth

Summary:
This adds the ability for Phabricator's OAuth server implementation to use HTTP basic auth for the client ID and secret and brings it in line with the OAuth 2.0 specification in this respect.

Fixes T11794

Test Plan: Fixes my use case. Shouldn't impact other use-cases.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: 0, Korvin

Maniphest Tasks: T11794

Differential Revision: https://secure.phabricator.com/D16763
This commit is contained in:
William Light 2016-10-31 08:22:01 -07:00 committed by epriestley
parent 5e784c998b
commit ee834c5958

View file

@ -18,11 +18,35 @@ final class PhabricatorOAuthServerTokenController
$grant_type = $request->getStr('grant_type');
$code = $request->getStr('code');
$redirect_uri = $request->getStr('redirect_uri');
$client_phid = $request->getStr('client_id');
$client_secret = $request->getStr('client_secret');
$response = new PhabricatorOAuthResponse();
$server = new PhabricatorOAuthServer();
$client_id_parameter = $request->getStr('client_id');
$client_id_header = idx($_SERVER, 'PHP_AUTH_USER');
if (strlen($client_id_parameter) && strlen($client_id_header)) {
if ($client_id_parameter !== $client_id_header) {
throw new Exception(
pht(
'Request included a client_id parameter and an "Authorization" '.
'header with a username, but the values "%s" and "%s") disagree. '.
'The values must match.',
$client_id_parameter,
$client_id_header));
}
}
$client_secret_parameter = $request->getStr('client_secret');
$client_secret_header = idx($_SERVER, 'PHP_AUTH_PW');
if (strlen($client_secret_parameter)) {
// If the `client_secret` parameter is present, prefer parameters.
$client_phid = $client_id_parameter;
$client_secret = $client_secret_parameter;
} else {
// Otherwise, read values from the "Authorization" header.
$client_phid = $client_id_header;
$client_secret = $client_secret_header;
}
if ($grant_type != 'authorization_code') {
$response->setError('unsupported_grant_type');
$response->setErrorDescription(