From 9af305aa87081a3bb22e034ad7824521c9db9b11 Mon Sep 17 00:00:00 2001 From: Daniel K Date: Mon, 14 Jun 2021 13:43:57 +0200 Subject: [PATCH] Support for Pushed Authorization Requests (PAR) OAuth 2.0 Pushed Authorization Requests is defined in (draft-ietf-oauth-par-08) PAR lets the client push the authorization request to the IP ahead of end-user involvement --- CHANGELOG.md | 5 +++++ src/OpenIDConnectClient.php | 41 +++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3185924c..bcdbcac2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +## master + +### Added +* Support for Pushed Authorization Requests (draft-ietf-oauth-par-08) + ## [0.9.2] ### Added diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index ee81b02c..d4abd07e 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -675,12 +675,53 @@ private function requestAuthorization() { )); } + $par_data = $this->pushAuthorizationRequest($auth_params); + if ($par_data) { + $auth_params = array( + 'client_id' => $this->clientID, + 'request_uri' => $par_data->request_uri + ); + } + $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, null, '&', $this->enc_type); $this->commitSession(); $this->redirect($auth_endpoint); } + /** + * Push authorization request + * + * @param array $auth_params + * @return mixed + */ + private function pushAuthorizationRequest($auth_params) { + $par_endpoint = $this->getProviderConfigValue('pushed_authorization_request_endpoint'); + if (!$par_endpoint) { + return NULL; + } + $endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']); + + $headers = []; + + # Consider Basic authentication if provider config is set this way + if (in_array('client_secret_basic', $endpoint_auth_methods_supported, true)) { + $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret)), + 'Accept: application/json']; + + unset($auth_params['client_secret']); + } + + $par_params = http_build_query($auth_params, NULL, '&'); + $response = json_decode($this->fetchURL($par_endpoint, $par_params, $headers)); + + if (!isset($response->request_uri)) { + return NULL; + } + + return $response; + } + /** * Requests a client credentials token *