mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-18 11:30:55 +01:00
oauthserver: get client ID/secret from HTTP auth
Summary: This adds the ability for Phabricator's OAuth server implementation to use HTTP basic auth for the client ID and secret and brings it in line with the OAuth 2.0 specification in this respect. Fixes T11794 Test Plan: Fixes my use case. Shouldn't impact other use-cases. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: 0, Korvin Maniphest Tasks: T11794 Differential Revision: https://secure.phabricator.com/D16763
This commit is contained in:
parent
5e784c998b
commit
ee834c5958
1 changed files with 26 additions and 2 deletions
|
@ -18,11 +18,35 @@ final class PhabricatorOAuthServerTokenController
|
|||
$grant_type = $request->getStr('grant_type');
|
||||
$code = $request->getStr('code');
|
||||
$redirect_uri = $request->getStr('redirect_uri');
|
||||
$client_phid = $request->getStr('client_id');
|
||||
$client_secret = $request->getStr('client_secret');
|
||||
$response = new PhabricatorOAuthResponse();
|
||||
$server = new PhabricatorOAuthServer();
|
||||
|
||||
$client_id_parameter = $request->getStr('client_id');
|
||||
$client_id_header = idx($_SERVER, 'PHP_AUTH_USER');
|
||||
if (strlen($client_id_parameter) && strlen($client_id_header)) {
|
||||
if ($client_id_parameter !== $client_id_header) {
|
||||
throw new Exception(
|
||||
pht(
|
||||
'Request included a client_id parameter and an "Authorization" '.
|
||||
'header with a username, but the values "%s" and "%s") disagree. '.
|
||||
'The values must match.',
|
||||
$client_id_parameter,
|
||||
$client_id_header));
|
||||
}
|
||||
}
|
||||
|
||||
$client_secret_parameter = $request->getStr('client_secret');
|
||||
$client_secret_header = idx($_SERVER, 'PHP_AUTH_PW');
|
||||
if (strlen($client_secret_parameter)) {
|
||||
// If the `client_secret` parameter is present, prefer parameters.
|
||||
$client_phid = $client_id_parameter;
|
||||
$client_secret = $client_secret_parameter;
|
||||
} else {
|
||||
// Otherwise, read values from the "Authorization" header.
|
||||
$client_phid = $client_id_header;
|
||||
$client_secret = $client_secret_header;
|
||||
}
|
||||
|
||||
if ($grant_type != 'authorization_code') {
|
||||
$response->setError('unsupported_grant_type');
|
||||
$response->setErrorDescription(
|
||||
|
|
Loading…
Reference in a new issue