oauthserver: get client ID/secret from HTTP auth

Summary: This adds the ability for Phabricator's OAuth server implementation to use HTTP basic auth for the client ID and secret and brings it in line with the OAuth 2.0 specification in this respect. Fixes T11794 Test Plan: Fixes my use case. Shouldn't impact other use-cases. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: 0, Korvin Maniphest Tasks: T11794 Differential Revision: https://secure.phabricator.com/D16763
2024-11-18 12:52:42 +01:00 · 2016-10-31 08:22:01 -07:00 · 2016-10-31 08:22:01 -07:00 · ee834c5958
commit ee834c5958
parent 5e784c998b
1 changed files with 26 additions and 2 deletions
--- a/src/applications/oauthserver/controller/PhabricatorOAuthServerTokenController.php
+++ b/src/applications/oauthserver/controller/PhabricatorOAuthServerTokenController.php
@ -18,11 +18,35 @@ final class PhabricatorOAuthServerTokenController
    $grant_type = $request->getStr('grant_type');
    $code = $request->getStr('code');
    $redirect_uri = $request->getStr('redirect_uri');
-    $client_phid = $request->getStr('client_id');
-    $client_secret = $request->getStr('client_secret');
    $response = new PhabricatorOAuthResponse();
    $server = new PhabricatorOAuthServer();

+    $client_id_parameter = $request->getStr('client_id');
+    $client_id_header = idx($_SERVER, 'PHP_AUTH_USER');
+    if (strlen($client_id_parameter) && strlen($client_id_header)) {
+      if ($client_id_parameter !== $client_id_header) {
+        throw new Exception(
+          pht(
+            'Request included a client_id parameter and an "Authorization" '.
+            'header with a username, but the values "%s" and "%s") disagree. '.
+            'The values must match.',
+            $client_id_parameter,
+            $client_id_header));
+      }
+    }
+
+    $client_secret_parameter = $request->getStr('client_secret');
+    $client_secret_header = idx($_SERVER, 'PHP_AUTH_PW');
+    if (strlen($client_secret_parameter)) {
+      // If the `client_secret` parameter is present, prefer parameters.
+      $client_phid = $client_id_parameter;
+      $client_secret = $client_secret_parameter;
+    } else {
+      // Otherwise, read values from the "Authorization" header.
+      $client_phid = $client_id_header;
+      $client_secret = $client_secret_header;
+    }
+
    if ($grant_type != 'authorization_code') {
      $response->setError('unsupported_grant_type');
      $response->setErrorDescription(