From 60bd45de824f03ab5f91dddc8e7b70f282deb3e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 5 Sep 2024 13:53:08 +0200 Subject: [PATCH 01/52] fix: method signatures after 1.0 release (#427) --- src/OpenIDConnectClient.php | 36 ++++++++++++++++++++----------- tests/OpenIDConnectClientTest.php | 35 +++++++++++++++++++++++++++--- 2 files changed, 55 insertions(+), 16 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 12692d8a..4fba7f96 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -3,7 +3,7 @@ * * Copyright MITRE 2020 * - * OpenIDConnectClient for PHP5 + * OpenIDConnectClient for PHP7+ * Author: Michael Jett * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -25,7 +25,6 @@ use Error; use Exception; -use phpseclib3\Crypt\PublicKeyLoader; use phpseclib3\Crypt\RSA; use phpseclib3\Math\BigInteger; use stdClass; @@ -380,7 +379,7 @@ public function authenticate(): bool $accessToken = $_REQUEST['access_token'] ?? null; // Do an OpenID Connect session check - if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) { + if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) { throw new OpenIDConnectClientException('Unable to determine state'); } @@ -691,7 +690,7 @@ public function getRedirectURL(): string if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { $port = (int)$_SERVER['HTTP_X_FORWARDED_PORT']; } elseif (isset($_SERVER['SERVER_PORT'])) { - $port = (int)$_SERVER['SERVER_PORT']; + $port = $_SERVER['SERVER_PORT']; } elseif ($protocol === 'https') { $port = 443; } else { 
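Review bot: The new `$port = $_SERVER['SERVER_PORT'];` in getRedirectURL drops the `(int)` cast that the `HTTP_X_FORWARDED_PORT` branch directly above still applies, so `$port` is now a string while the other branches assign integers. Any strict comparison of `$port` against the default 80/443 ports further down (the changelog entry for #403 later in this series describes exactly that failure) will no longer match, the port gets appended to the redirect URL, and the provider's exact redirect_uri comparison fails. Keep `$port = (int)$_SERVER['SERVER_PORT'];`. getRedirectURL continues past the end of the hunk, so the comparison itself is not visible here.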
@@ -1221,10 +1220,9 @@ protected function urlEncode(string $str): string /** * @param string $jwt encoded JWT * @param int $section the section we would like to decode - * @return object + * @return object|null */ - protected function decodeJWT(string $jwt, int $section = 0): stdClass { - + protected function decodeJWT(string $jwt, int $section = 0) { $parts = explode('.', $jwt); return json_decode(base64url_decode($parts[$section]), false); } @@ -1688,7 +1686,10 @@ public function revokeToken(string $token, string $token_type_hint = '', string return json_decode($this->fetchURL($revocation_endpoint, $post_params, $headers), false); } - public function getClientName(): string + /** + * @return string|null + */ + public function getClientName() { return $this->clientName; } @@ -1698,14 +1699,14 @@ public function setClientName(string $clientName) { } /** - * @return string + * @return string|null */ public function getClientID() { return $this->clientID; } /** - * @return string + * @return string|null */ public function getClientSecret() { return $this->clientSecret; @@ -1720,17 +1721,26 @@ public function setAccessToken(string $accessToken) { $this->accessToken = $accessToken; } - public function getAccessToken(): string + /** + * @return string|null + */ + public function getAccessToken() { return $this->accessToken; } - public function getRefreshToken(): string + /** + * @return string|null + */ + public function getRefreshToken() { return $this->refreshToken; } - public function getIdToken(): string + /** + * @return string|null + */ + public function getIdToken() { return $this->idToken; } diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php index f895879c..88d98989 100644 --- a/tests/OpenIDConnectClientTest.php +++ b/tests/OpenIDConnectClientTest.php 
@@ -7,9 +7,38 @@ class OpenIDConnectClientTest extends TestCase { - /** - * @return void - */ + public function testJWTDecode() + { + $client = new OpenIDConnectClient(); + $client->setAccessToken(''); + $header = $client->getAccessTokenHeader(); + self::assertEquals('', $header); + } + + public function testGetNull() + { + $client = new OpenIDConnectClient(); + self::assertNull($client->getAccessToken()); + self::assertNull($client->getRefreshToken()); + self::assertNull($client->getIdToken()); + self::assertNull($client->getClientName()); + self::assertNull($client->getClientID()); + self::assertNull($client->getClientSecret()); + self::assertNull($client->getCertPath()); + } + + public function testResponseTypes() + { + $client = new OpenIDConnectClient(); + self::assertEquals([], $client->getResponseTypes()); + + $client->setResponseTypes('foo'); + self::assertEquals(['foo'], $client->getResponseTypes()); + + $client->setResponseTypes(['bar', 'ipsum']); + self::assertEquals(['foo', 'bar', 'ipsum'], $client->getResponseTypes()); + } + public function testGetRedirectURL() { $client = new OpenIDConnectClient(); From 39d3d979d3787bdc46b8d2d8192848e837169965 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 5 Sep 2024 16:29:25 +0200 Subject: [PATCH 02/52] fix: handle JWT decode of non JWT tokens (#428) --- CHANGELOG.md | 2 ++ src/OpenIDConnectClient.php | 14 +++++++++----- tests/OpenIDConnectClientTest.php | 11 +++++++++++ 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4055711f..fa7fddf6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
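Review bot: `self::assertEquals('', $header);` in testJWTDecode does not pin the value it appears to: decodeJWT on an empty token ends in `json_decode('')`, which returns null, and assertEquals treats `''` and null as equal, so the test passes without documenting the real contract. Use `self::assertNull($header);` (or `assertSame` with the value actually intended) here and in the four assertions added to this test by the '#428' commit later in the series. testGetNull is fine as written because assertNull is strict.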
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). [unreleased] +- Fix JWT decode of non JWT tokens #428 +- Fix method signatures #427 - Updated CI to also test on PHP 8.3 #407 - Updated readme PHP requirement to PHP 7.0+ #407 - Added dependabot for GitHub Actions #407 diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 4fba7f96..b387b1a9 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1220,11 +1220,11 @@ protected function urlEncode(string $str): string /** * @param string $jwt encoded JWT * @param int $section the section we would like to decode - * @return object|null + * @return object|string|null */ protected function decodeJWT(string $jwt, int $section = 0) { $parts = explode('.', $jwt); - return json_decode(base64url_decode($parts[$section]), false); + return json_decode(base64url_decode($parts[$section] ?? ''), false); } /** @@ -1737,6 +1737,10 @@ public function getRefreshToken() return $this->refreshToken; } + public function setIdToken(string $idToken) { + $this->idToken = $idToken; + } + /** * @return string|null */ @@ -1753,21 +1757,21 @@ public function getAccessTokenHeader() { } /** - * @return object + * @return object|string|null */ public function getAccessTokenPayload() { return $this->decodeJWT($this->accessToken, 1); } /** - * @return object + * @return object|string|null */ public function getIdTokenHeader() { return $this->decodeJWT($this->idToken); } /** - * @return object + * @return object|string|null */ public function getIdTokenPayload() { return $this->decodeJWT($this->idToken, 1); diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php index 88d98989..3dc4709f 100644 --- a/tests/OpenIDConnectClientTest.php +++ b/tests/OpenIDConnectClientTest.php 
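Review bot: With `$parts[$section] ?? ''` a token that is not a JWT (an opaque access token, or an empty string) now makes decodeJWT return null, or whatever scalar or array `json_decode` happens to produce, and the new `@return object|string|null` docblock still understates that range. getIdTokenPayload and getAccessTokenPayload in the last hunk pass the result straight on, so a non-object should be rejected where claims are required rather than flow on as null: `$decoded = json_decode(base64url_decode($parts[$section] ?? ''), false);` followed, in the callers that need claims, by an `is_object($decoded)` check that throws OpenIDConnectClientException. If returning non-objects is intended for the header/test case, say so in the docblock and widen it to `mixed`; the new public setIdToken also deserves a one-line docblock stating that it stores the token without any verification.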
@@ -10,9 +10,20 @@ class OpenIDConnectClientTest extends TestCase public function testJWTDecode() { $client = new OpenIDConnectClient(); + # access token $client->setAccessToken(''); $header = $client->getAccessTokenHeader(); self::assertEquals('', $header); + $payload = $client->getAccessTokenPayload(); + self::assertEquals('', $payload); + + # id token + $client->setIdToken(''); + $header = $client->getIdTokenHeader(); + self::assertEquals('', $header); + $payload = $client->getIdTokenPayload(); + self::assertEquals('', $payload); + } public function testGetNull() From e00dfd0484518db60e90922d685005901c5d3d69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 5 Sep 2024 16:33:44 +0200 Subject: [PATCH 03/52] chore: enable dependabot for composer (#429) --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0f11f4a3..a54473b4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -11,3 +11,9 @@ updates: directory: "/" schedule: interval: "weekly" + + # Maintain dependencies for composer + - package-ecosystem: "composer" + directory: "/" + schedule: + interval: "weekly" From e88e5b0bb34b2273bb424a2dc9ebe3159dd6cc93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 5 Sep 2024 16:39:11 +0200 Subject: [PATCH 04/52] ci: run GitHub workflows on pull requests and pushes to master (#431) --- .github/workflows/build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c27126e2..31d0ed11 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -1,7 +1,13 @@ --- name: build -on: [push, pull_request] +on: + push: + branches: + - master + pull_request: + branches: + - master env: DEFAULT_COMPOSER_FLAGS: "--prefer-dist --no-interaction --no-progress --optimize-autoloader --ansi" From b2addae409243244ec7a169d2916d8d966dd8deb Mon Sep 17 00:00:00 2001 From: Artem Boyko Date: Thu, 5 Sep 2024 17:43:09 +0300 Subject: [PATCH 05/52] chore(deps): update phpseclib/phpseclib requirement from ~3.0 to ^3.0.7 * Update phpseclib/phpseclib to minimum 2.0.31 or 3.0.7 * Update composer.json --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 3fa6d231..3cd6fc38 100644 --- a/composer.json +++ b/composer.json @@ -6,7 +6,7 @@ "php": ">=7.0", "ext-json": "*", "ext-curl": "*", - "phpseclib/phpseclib": "~3.0" + "phpseclib/phpseclib": "^3.0.7" }, "require-dev": { "roave/security-advisories": "dev-latest", From d24f0e920b8064e35e5dcaecc62ad77164b8845e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 16:55:24 +0200 Subject: [PATCH 06/52] chore(deps-dev): update yoast/phpunit-polyfills requirement from ^1.0 to ^2.0 (#430) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore(deps-dev): update yoast/phpunit-polyfills requirement Updates the requirements on [yoast/phpunit-polyfills](https://github.com/Yoast/PHPUnit-Polyfills) to permit the latest version. - [Release notes](https://github.com/Yoast/PHPUnit-Polyfills/releases) - [Changelog](https://github.com/Yoast/PHPUnit-Polyfills/blob/2.x/CHANGELOG.md) - [Commits](https://github.com/Yoast/PHPUnit-Polyfills/compare/1.0.0...2.0.1) --- updated-dependencies: - dependency-name: yoast/phpunit-polyfills dependency-type: direct:development ... Signed-off-by: dependabot[bot] * fix: remove --verbose from phpunit * fix: force usage of phpunit < 10 --------- 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- composer.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 31d0ed11..38080af1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,4 +41,4 @@ jobs: - name: Install dependencies run: composer update $DEFAULT_COMPOSER_FLAGS - name: Run unit tests - run: vendor/bin/phpunit --verbose --colors=always tests + run: vendor/bin/phpunit --colors=always tests diff --git a/composer.json b/composer.json index 3cd6fc38..64825884 100644 --- a/composer.json +++ b/composer.json @@ -9,8 +9,9 @@ "phpseclib/phpseclib": "^3.0.7" }, "require-dev": { + "phpunit/phpunit": "<10", "roave/security-advisories": "dev-latest", - "yoast/phpunit-polyfills": "^1.0" + "yoast/phpunit-polyfills": "^2.0" }, "archive" : { "exclude" : [ From 7d0e8f14eba7acd8b9b92b36eeaf471fcb65d86b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 6 Sep 2024 08:16:24 +0200 Subject: [PATCH 07/52] fix: protected $responseCode to allow proper overloading of fetchURL() (#433) --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index b387b1a9..1a07155a 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -144,7 +144,7 @@ class OpenIDConnectClient /** * @var int|null Response code from the server */ - private $responseCode; + protected $responseCode; /** * @var string|null Content type from the server From 2379656426efc77be6a4252177009bfab4ee39e0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 6 Sep 2024 08:22:32 +0200 Subject: [PATCH 08/52] release: v1.0.1 (#432) --- CHANGELOG.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa7fddf6..1b39eead 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,12 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -[unreleased] +## [1.0.1] - 2024-09-05 + +### Fixed - Fix JWT decode of non JWT tokens #428 - Fix method signatures #427 -- Updated CI to also test on PHP 8.3 #407 -- Updated readme PHP requirement to PHP 7.0+ #407 -- Added dependabot for GitHub Actions #407 - Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403 - Check subject when verifying JWT #406 - Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373 From fc6b62519a997463c47b8bc1669576ec73b273bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 13 Sep 2024 08:52:32 +0200 Subject: [PATCH 09/52] fix: bring back #404 (#437) --- src/OpenIDConnectClient.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 1a07155a..6bb7a42a 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
@@ -690,7 +690,8 @@ public function getRedirectURL(): string if (isset($_SERVER['HTTP_X_FORWARDED_PORT'])) { $port = (int)$_SERVER['HTTP_X_FORWARDED_PORT']; } elseif (isset($_SERVER['SERVER_PORT'])) { - $port = $_SERVER['SERVER_PORT']; + # keep this case - even if some tool claim it is unnecessary + $port = (int)$_SERVER['SERVER_PORT']; } elseif ($protocol === 'https') { $port = 443; } else { From 09f99a838564087ea56e7efff536230a5d1cd0d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 13 Sep 2024 09:07:45 +0200 Subject: [PATCH 10/52] test: add unit test for SERVER_PORT type cast (#438) --- tests/OpenIDConnectClientTest.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php index 3dc4709f..45adc7b3 100644 --- a/tests/OpenIDConnectClientTest.php +++ b/tests/OpenIDConnectClientTest.php @@ -58,7 +58,11 @@ public function testGetRedirectURL() $_SERVER['SERVER_NAME'] = 'domain.test'; $_SERVER['REQUEST_URI'] = '/path/index.php?foo=bar&baz#fragment'; + $_SERVER['SERVER_PORT'] = '443'; self::assertSame('http://domain.test/path/index.php', $client->getRedirectURL()); + + $_SERVER['SERVER_PORT'] = '8888'; + self::assertSame('http://domain.test:8888/path/index.php', $client->getRedirectURL()); } public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce() From a7b4d3b6cdef1c31e1eea033ba4be7fac5c3f16d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 13 Sep 2024 09:09:33 +0200 Subject: [PATCH 11/52] release: v1.0.2 (#439) --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b39eead..0e1c7105 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
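Review bot: The comment `# keep this case - even if some tool claim it is unnecessary` says that the cast must stay but not why, which is exactly what the next person running that tool will need. Suggest `// SERVER_PORT is a string; without the int cast the comparison against the default 80/443 ports never matches and the port is appended to the redirect URL (#403, #437)` — the comparison sits outside the hunk, so confirm the wording against it. The surrounding code uses `//` comments, so this one should too. The `HTTP_X_FORWARDED_PORT` branch above is unchanged but trusts the header unconditionally; a one-line comment that this is only safe behind a proxy that overwrites the header would help deployers.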
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.0.1] - 2024-09-13 + +### Fixed +- Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #437 + ## [1.0.1] - 2024-09-05 ### Fixed From 533e9901eea9378567b04e762d9d5eace1874a90 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 09:28:37 +0100 Subject: [PATCH 12/52] make everything public --- src/OpenIDConnectClient.php | 68 ++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 6bb7a42a..786d93d3 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -79,12 +79,12 @@ class OpenIDConnectClient /** * @var string arbitrary id value */ - private $clientID; + public $clientID; /** * @var string arbitrary name value */ - private $clientName; + public $clientName; /** * @var string arbitrary secret value 
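Review bot: Changing `$clientID` and `$clientName` from private to public, and in the following hunk every other property (`$verifyPeer`, `$verifyHost`, `$accessToken`, `$idToken`, `$verifiedClaims`, `$pkceAlgs`, `$issuerValidator`, `$token_endpoint_auth_methods_supported` among them), removes the encapsulation the existing setters provide. Any code holding the client object can now set `verifyPeer = false`, overwrite `verifiedClaims` after verification has populated it, or swap the PKCE algorithm table without going through a method, and static analysis loses the write-once guarantee. If the motivation is subclass access, `protected` gives that without exposing the fields as public API; if external reads are wanted, keep the getters and add the missing ones. `$clientSecret`, which lies between the two hunks, appears to be left private, which suggests the change was mechanical — the commit message should state the intent.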
@@ -94,164 +94,164 @@ class OpenIDConnectClient /** * @var array holds the provider configuration */ - private $providerConfig = []; + public $providerConfig = []; /** * @var string http proxy if necessary */ - private $httpProxy; + public $httpProxy; /** * @var string full system path to the SSL certificate */ - private $certPath; + public $certPath; /** * @var bool Verify SSL peer on transactions */ - private $verifyPeer = true; + public $verifyPeer = true; /** * @var bool Verify peer hostname on transactions */ - private $verifyHost = true; + public $verifyHost = true; /** * @var string if we acquire an access token it will be stored here */ - protected $accessToken; + public $accessToken; /** * @var string if we acquire a refresh token it will be stored here */ - private $refreshToken; + public $refreshToken; /** * @var string if we acquire an id token it will be stored here */ - protected $idToken; + public $idToken; /** * @var object stores the token response */ - private $tokenResponse; + public $tokenResponse; /** * @var array holds scopes */ - private $scopes = []; + public $scopes = []; /** * @var int|null Response code from the server */ - protected $responseCode; + public $responseCode; /** * @var string|null Content type from the server */ - private $responseContentType; + public $responseContentType; /** * @var array holds response types */ - private $responseTypes = []; + public $responseTypes = []; /** * @var array holds authentication parameters */ - private $authParams = []; + public $authParams = []; /** * @var array holds additional registration parameters for example post_logout_redirect_uris */ - private $registrationParams = []; + public $registrationParams = []; /** * @var mixed holds well-known openid server properties */ - private $wellKnown = false; + public $wellKnown = false; /** * @var mixed holds well-known openid configuration parameters, like policy for MS Azure AD B2C User Flow * @see 
https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview */ - private $wellKnownConfigParameters = []; + public $wellKnownConfigParameters = []; /** * @var int timeout (seconds) */ - protected $timeOut = 60; + public $timeOut = 60; /** * @var int leeway (seconds) */ - private $leeway = 300; + public $leeway = 300; /** * @var array holds response types */ - private $additionalJwks = []; + public $additionalJwks = []; /** * @var object holds verified jwt claims */ - protected $verifiedClaims = []; + public $verifiedClaims = []; /** * @var callable|null validator function for issuer claim */ - private $issuerValidator; + public $issuerValidator; /** * @var callable|null generator function for private key jwt client authentication */ - private $privateKeyJwtGenerator; + public $privateKeyJwtGenerator; /** * @var bool Allow OAuth 2 implicit flow; see http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth */ - private $allowImplicitFlow = false; + public $allowImplicitFlow = false; /** * @var string */ - private $redirectURL; + public $redirectURL; /** * @var int defines which URL-encoding http_build_query() uses */ - protected $encType = PHP_QUERY_RFC1738; + public $encType = PHP_QUERY_RFC1738; /** * @var bool Enable or disable upgrading to HTTPS by paying attention to HTTP header HTTP_UPGRADE_INSECURE_REQUESTS */ - protected $httpUpgradeInsecureRequests = true; + public $httpUpgradeInsecureRequests = true; /** * @var string holds code challenge method for PKCE mode * @see https://tools.ietf.org/html/rfc7636 */ - private $codeChallengeMethod = false; + public $codeChallengeMethod = false; /** * @var array holds PKCE supported algorithms */ - private $pkceAlgs = ['S256' => 'sha256', 'plain' => false]; + public $pkceAlgs = ['S256' => 'sha256', 'plain' => false]; /** * @var string if we acquire a sid in back-channel logout it will be stored here */ - private $backChannelSid; + public $backChannelSid; /** * @var string if we acquire a 
sub in back-channel logout it will be stored here */ - private $backChannelSubject; + public $backChannelSubject; /** * @var array list of supported auth methods */ - private $token_endpoint_auth_methods_supported = ['client_secret_basic']; + public $token_endpoint_auth_methods_supported = ['client_secret_basic']; /** * @param string|null $provider_url optional From 440451dc961efb24c4dab49a837858fac357ca60 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 11:14:19 +0100 Subject: [PATCH 13/52] log more in resp from OA --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 786d93d3..121407a9 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1270,7 +1270,7 @@ public function requestUserInfo(string $attribute = null) { $response = $this->fetchURL($user_info_endpoint,null,$headers); if ($this->getResponseCode() !== 200) { - throw new OpenIDConnectClientException('The communication to retrieve user data has failed with status code '.$this->getResponseCode()); + throw new OpenIDConnectClientException('The communication to retrieve user data has failed with status code '.$this->getResponseCode() . 'and response ' . json_encode($response)); } // When we receive application/jwt, the UserInfo Response is signed and/or encrypted. From 642c3bdefd66d78a144e885cb7b010e6fbbbce2b Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 12:06:40 +0100 Subject: [PATCH 14/52] test debugging in auth --- src/OpenIDConnectClient.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 121407a9..872bebef 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
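Review bot: The new exception message in requestUserInfo embeds `json_encode($response)`, i.e. the full body of the failed UserInfo response, into the exception text, and it is also missing the space before `'and response '` (it renders as `...status code 401and response...`). Exception messages routinely end up in application logs and in many apps in the error page shown to the user, and a UserInfo body can carry claims (email, name, sub) or, for `application/jwt` responses, a signed token, so it should not be copied wholesale. Suggest limiting the message to the status code, e.g. `'... failed with status code ' . $this->getResponseCode() . ' (content type ' . $this->responseContentType . ')'`, and surfacing the body only through a logger at debug level with a length cap. requestUserInfo continues outside the hunk.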
@@ -298,6 +298,7 @@ public function setResponseTypes($response_types) { */ public function authenticate(): bool { + dd('test dd in authenticate'); // Do a preemptive check to see if the provider has thrown an error from a previous redirect if (isset($_REQUEST['error'])) { $desc = isset($_REQUEST['error_description']) ? ' Description: ' . $_REQUEST['error_description'] : ''; From 20cbe2558ed510654d09376d26f481a3d4b23e6e Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 12:09:48 +0100 Subject: [PATCH 15/52] auth check if we get code and token --- src/OpenIDConnectClient.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 872bebef..96ac3f28 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -298,7 +298,6 @@ public function setResponseTypes($response_types) { */ public function authenticate(): bool { - dd('test dd in authenticate'); // Do a preemptive check to see if the provider has thrown an error from a previous redirect if (isset($_REQUEST['error'])) { $desc = isset($_REQUEST['error_description']) ? ' Description: ' . $_REQUEST['error_description'] : ''; @@ -311,6 +310,8 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); + dd('code ' . $code . ' and token ' . json_encode($token_json) . PHP_EOL); + // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) { From ec8ad962e07b785a4111d7e3de8cc49421cb694e Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 12:12:02 +0100 Subject: [PATCH 16/52] what is in request --- src/OpenIDConnectClient.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 96ac3f28..3f43b8f1 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
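Review bot: `dd('test dd in authenticate');` on the first line of authenticate() unconditionally dumps and terminates the request, so every login through this library dies here; `dd` is not a PHP builtin and no definition or `use function` for it appears in SOURCE, so outside a framework that provides it this is also a fatal undefined-function error. The same kind of call is added again by later commits in this series: `dd('code ' . $code . ' and token ' . json_encode($token_json) ...)` prints the authorization code and the whole token response (access, refresh and ID tokens) to the HTTP response, `dd(json_encode($_REQUEST))` prints code and state, `dd('token_params ' ...)` in requestTokens and `dd($post_body)` in fetchURL print the urlencoded body including `client_secret`. None of these should reach a shared branch; trace output belongs in a PSR-3 logger at debug level with code, tokens and client secret redacted, and any client secret or tokens that were actually dumped during this debugging should be treated as exposed and rotated. authenticate() continues outside the hunk.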
@@ -304,6 +304,8 @@ public function authenticate(): bool throw new OpenIDConnectClientException('Error: ' . $_REQUEST['error'] .$desc); } + dd(json_encode($_REQUEST)); + // If we have an authorization code then proceed to request a token if (isset($_REQUEST['code'])) { From baf5fa048e90b694c0820738da5530c51e281ca2 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 14:07:04 +0100 Subject: [PATCH 17/52] rm dds --- src/OpenIDConnectClient.php | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 3f43b8f1..04c71652 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -304,16 +304,12 @@ public function authenticate(): bool throw new OpenIDConnectClientException('Error: ' . $_REQUEST['error'] .$desc); } - dd(json_encode($_REQUEST)); - // If we have an authorization code then proceed to request a token if (isset($_REQUEST['code'])) { $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); - dd('code ' . $code . ' and token ' . json_encode($token_json) . PHP_EOL); - // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) { @@ -323,7 +319,7 @@ public function authenticate(): bool } // Do an OpenID Connect session check - if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) { + if (!isset($_REQUEST['state']) || ($_REQUEST['state'] !== $this->getState())) { throw new OpenIDConnectClientException('Unable to determine state'); } From 464e8854178219cb69e280314521a280a3218e55 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 14:40:06 +0100 Subject: [PATCH 18/52] trace missing grant --- src/OpenIDConnectClient.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 04c71652..6a88f11c 100644 --- a/src/OpenIDConnectClient.php 
+++ b/src/OpenIDConnectClient.php @@ -310,6 +310,8 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); + dd('token_json ' . $token_json); + // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) { @@ -927,7 +929,7 @@ protected function requestTokens(string $code, array $headers = []) { } $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); - + dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); return $this->tokenResponse; } From 662a5362c2f206b86a2ab1f086d91b7c4362a1c4 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 14:55:50 +0100 Subject: [PATCH 19/52] force encoding in fetchURL --- src/OpenIDConnectClient.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 6a88f11c..e969ccef 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1371,9 +1371,9 @@ protected function fetchURL(string $url, string $post_body = null, array $header $content_type = 'application/x-www-form-urlencoded'; // Determine if this is a JSON payload and add the appropriate content type - if (is_object(json_decode($post_body, false))) { - $content_type = 'application/json'; - } + // if (is_object(json_decode($post_body, false))) { + // $content_type = 'application/json'; + // } // Add POST-specific headers $headers[] = "Content-Type: $content_type"; From d48effb150e21c0b87de59e49034b550154f756c Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 14:58:26 +0100 Subject: [PATCH 20/52] double check post params --- src/OpenIDConnectClient.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index e969ccef..6a9d56a4 100644 --- a/src/OpenIDConnectClient.php 
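Review bot: `dd('token_json ' . $token_json);` concatenates `$token_json` into a string, but requestTokens returns `json_decode(..., false)`, a stdClass for any JSON object response, and PHP throws `Error: Object of class stdClass could not be converted to string` for that, so on the success path this line crashes before it dumps anything — likely part of what 'trace missing grant' is chasing. The second hunk's `dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse));` sits before `return $this->tokenResponse;`, so no token request can complete while it is present, and `$token_params` there is the urlencoded body containing `client_secret`. If a trace is really needed, `json_encode($token_json)` avoids the conversion error, but the secret-bearing values still must not be printed.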
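Review bot: Commenting out the `is_object(json_decode($post_body, false))` check in fetchURL changes the Content-Type for every caller that posts JSON, not only the token request being debugged (revokeToken, visible in the first commit of this series, goes through the same method). It also cannot affect the token request at all: that body comes from http_build_query and never decodes as a JSON object, so the form-urlencoded default was already in effect. Restore the three lines (as 'add debugging to output of fetchURL' later does) and delete rather than keep commented-out code; a short comment such as `// JSON payloads (e.g. dynamic registration) need application/json` would prevent the next round-trip. fetchURL continues outside the hunk.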
+++ b/src/OpenIDConnectClient.php @@ -1360,6 +1360,8 @@ protected function fetchURL(string $url, string $post_body = null, array $header // OK cool - then let's create a new cURL resource handle $ch = curl_init(); + dd($post_body); + // Determine whether this is a GET or POST if ($post_body !== null) { // curl_setopt($ch, CURLOPT_POST, 1); From b23003a277b77c4465ec9b728610770f3fa6c63b Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 15:09:14 +0100 Subject: [PATCH 21/52] what is token params --- src/OpenIDConnectClient.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 6a9d56a4..476fbd88 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -927,6 +927,7 @@ protected function requestTokens(string $code, array $headers = []) { if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; } + dd('token_params ' . $token_params); $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); From 748b25e7f339e184cacc3d8f0e08b4381ab836f3 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 15:10:27 +0100 Subject: [PATCH 22/52] rm from fetchURL --- src/OpenIDConnectClient.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 476fbd88..939c7e28 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1361,8 +1361,6 @@ protected function fetchURL(string $url, string $post_body = null, array $header // OK cool - then let's create a new cURL resource handle $ch = curl_init(); - dd($post_body); - // Determine whether this is a GET or POST if ($post_body !== null) { // curl_setopt($ch, CURLOPT_POST, 1); From 575e916d04d44af56d425ad7483b506954002918 Mon Sep 17 00:00:00 2001 
From: Branwen Snelling Date: Wed, 18 Sep 2024 15:40:04 +0100 Subject: [PATCH 23/52] try default to build fetchURL --- src/OpenIDConnectClient.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 939c7e28..991bc326 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -874,9 +874,9 @@ protected function requestTokens(string $code, array $headers = []) { $token_params = [ 'grant_type' => $grant_type, 'code' => $code, - 'redirect_uri' => $this->getRedirectURL(), 'client_id' => $this->clientID, - 'client_secret' => $this->clientSecret + 'client_secret' => $this->clientSecret, + 'redirect_uri' => $this->getRedirectURL() ]; $authorizationHeader = null; @@ -922,12 +922,12 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - $token_params = http_build_query($token_params, '', '&', $this->encType); + // $token_params = http_build_query($token_params, '', '&', $this->encType); + $token_params = http_build_query($token_params, '', null, $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; } - dd('token_params ' . $token_params); $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); From 71b94c8c409a7a30b319b5104cae8114459c3c99 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 15:44:02 +0100 Subject: [PATCH 24/52] is redirect uri the problem --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 991bc326..eacd97f5 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
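Review bot: `http_build_query($token_params, '', null, $this->encType)` replaces the explicit `'&'` separator with null, which makes PHP fall back to the `arg_separator.output` ini setting; that value is environment-dependent (it is commonly set to `&amp;` for HTML output), so the token request body can silently stop parsing on some hosts. The previous line, now kept as a comment, was correct and should be restored instead of left as dead code: `$token_params = http_build_query($token_params, '', '&', $this->encType);`. Reordering the keys in the first hunk is harmless, but also changes nothing for the provider, which reads form fields by name.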
@@ -876,7 +876,7 @@ protected function requestTokens(string $code, array $headers = []) { 'code' => $code, 'client_id' => $this->clientID, 'client_secret' => $this->clientSecret, - 'redirect_uri' => $this->getRedirectURL() + // 'redirect_uri' => $this->getRedirectURL() ]; $authorizationHeader = null; From fecbd6c21ff1abe8e800e0fd4e9a5441d0225acd Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 15:49:34 +0100 Subject: [PATCH 25/52] try forcing urlencoded header --- src/OpenIDConnectClient.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index eacd97f5..5515354d 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -876,7 +876,7 @@ protected function requestTokens(string $code, array $headers = []) { 'code' => $code, 'client_id' => $this->clientID, 'client_secret' => $this->clientSecret, - // 'redirect_uri' => $this->getRedirectURL() + 'redirect_uri' => $this->getRedirectURL() ]; $authorizationHeader = null; @@ -922,12 +922,13 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - // $token_params = http_build_query($token_params, '', '&', $this->encType); - $token_params = http_build_query($token_params, '', null, $this->encType); + $token_params = http_build_query($token_params, '', '&', $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; } + $content_type = 'application/x-www-form-urlencoded'; + $headers[] = "Content-Type: $content_type"; $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); From 7a6d6c3b8a2f0c9eb22ca7ffab021090cf3394b8 Mon Sep 17 00:00:00 2001 
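Review bot: Commenting out `'redirect_uri' => $this->getRedirectURL()` removes a parameter RFC 6749 §4.1.3 makes mandatory whenever the authorization request carried one, and it is the value the provider uses to confirm the code is being redeemed by the same redirect target it was issued for. A provider that tolerates its absence silently skips that binding; a strict one rejects the request, so this cannot be the fix for whatever rejection is being debugged. The next patch on this line restores the key, which is right: keep `'redirect_uri' => $this->getRedirectURL()` and look at how the value is encoded or computed instead.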
From: Branwen Snelling Date: Wed, 18 Sep 2024 16:04:35 +0100 Subject: [PATCH 26/52] try a different separator --- src/OpenIDConnectClient.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 5515354d..890fa238 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -922,13 +922,11 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - $token_params = http_build_query($token_params, '', '&', $this->encType); + $token_params = http_build_query($token_params, '', ';', $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; } - $content_type = 'application/x-www-form-urlencoded'; - $headers[] = "Content-Type: $content_type"; $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); From 97e894cded9cc2abf326ff557b8aa582fa8fb78c Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:09:12 +0100 Subject: [PATCH 27/52] add debugging to output of fetchURL --- src/OpenIDConnectClient.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 890fa238..e6d8348a 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1371,9 +1371,9 @@ protected function fetchURL(string $url, string $post_body = null, array $header $content_type = 'application/x-www-form-urlencoded'; // Determine if this is a JSON payload and add the appropriate content type - // if (is_object(json_decode($post_body, false))) { - // $content_type = 'application/json'; - // } + if (is_object(json_decode($post_body, false))) { + $content_type = 'application/json'; + } // Add POST-specific headers $headers[] = "Content-Type: $content_type"; 
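Review bot: `http_build_query($token_params, '', ';', $this->encType)` produces `grant_type=...;code=...;client_id=...;client_secret=...`, and because an `application/x-www-form-urlencoded` body is split on `&`, the token endpoint will see a single parameter named `grant_type` whose value contains the code and the client secret — every other field is missing, so the request cannot succeed. Removing the explicit `Content-Type` line in requestTokens is fine on its own, since fetchURL already appends one for any POST. Keep the standard separator: `$token_params = http_build_query($token_params, '', '&', $this->encType);`.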
@@ -1440,7 +1440,8 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Close the cURL resource, and free system resources curl_close($ch); - + $output['post_body'] = $post_body; + $output['headers'] = $headers; return $output; } From 4af96cc0ac7d03adc53a9ff4fc1b96d784d68ffe Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:12:22 +0100 Subject: [PATCH 28/52] try again --- src/OpenIDConnectClient.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index e6d8348a..8ebc106b 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1440,9 +1440,11 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Close the cURL resource, and free system resources curl_close($ch); - $output['post_body'] = $post_body; - $output['headers'] = $headers; - return $output; + + $outputArr = json_decode($output, false); + $outputArr['post_body'] = $post_body; + $outputArr['headers'] = $headers; + return json_encode($output); } /** From 0499b244634a0b144bb122428815c60622ee09da Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:16:24 +0100 Subject: [PATCH 29/52] even hackier debugging --- src/OpenIDConnectClient.php | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 8ebc106b..ded45ebb 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
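Review bot: `$outputArr = json_decode($output, false)` returns a `stdClass`, so `$outputArr['post_body'] = $post_body;` throws `Error: Cannot use object of type stdClass as array` before the function returns, and the return statement encodes `$output` (the raw response string) rather than `$outputArr` anyway. Beyond the crash, this path would serialize `$post_body` (client secret plus authorization code) and `$headers` (including the `Authorization` header when one was built) into the value that requestTokens decodes into `$this->tokenResponse`, which the application may surface or persist. fetchURL is the shared transport for every endpoint call, not just the token request, so instrumentation here affects all of them. Restore the plain `return $output;` and put any tracing behind a logger with those values redacted.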
@@ -928,7 +928,7 @@ protected function requestTokens(string $code, array $headers = []) { $headers[] = $authorizationHeader; } - $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); + $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers, true), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); return $this->tokenResponse; } @@ -1355,7 +1355,7 @@ public function getVerifiedClaims(string $attribute = null) { * @return bool|string * @throws OpenIDConnectClientException */ - protected function fetchURL(string $url, string $post_body = null, array $headers = []) { + protected function fetchURL(string $url, string $post_body = null, array $headers = [], bool $my_flag = false) { // OK cool - then let's create a new cURL resource handle $ch = curl_init(); @@ -1441,10 +1441,14 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Close the cURL resource, and free system resources curl_close($ch); - $outputArr = json_decode($output, false); - $outputArr['post_body'] = $post_body; - $outputArr['headers'] = $headers; - return json_encode($output); + if ($my_flag) { + $outputArr = json_decode($output, false); + $outputArr['post_body'] = $post_body; + $outputArr['headers'] = $headers; + return json_encode($output); + } else { + return $output; + } } /** From f08c10c133b67ead7b446d177041d174eaf00785 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:21:39 +0100 Subject: [PATCH 30/52] revert separator --- src/OpenIDConnectClient.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index ded45ebb..84b04d3d 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
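Review bot: The `bool $my_flag = false` parameter added to `fetchURL` widens a protected transport method's signature for a one-off debug switch, and the guarded branch keeps the same two defects: `$outputArr` is a `stdClass` from `json_decode(..., false)` so `$outputArr['post_body'] = ...` throws, and `return json_encode($output)` ignores `$outputArr`. When requestTokens passes `true`, the value that becomes `$this->tokenResponse` would, if it worked, carry the client secret and the Authorization header. Revert to `protected function fetchURL(string $url, string $post_body = null, array $headers = [])` and drop the `, true` argument at the call site.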
@@ -922,7 +922,7 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - $token_params = http_build_query($token_params, '', ';', $this->encType); + $token_params = http_build_query($token_params, '', '&', $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; @@ -1445,7 +1445,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header $outputArr = json_decode($output, false); $outputArr['post_body'] = $post_body; $outputArr['headers'] = $headers; - return json_encode($output); + return json_encode($outputArr); } else { return $output; } From 5be4e5d9e417ef3167d619c1ee7ed2f5783df878 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:30:41 +0100 Subject: [PATCH 31/52] rm debugging and add another header --- src/OpenIDConnectClient.php | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 84b04d3d..1f37af37 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -927,8 +927,9 @@ protected function requestTokens(string $code, array $headers = []) { if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; } + $headers[] = 'Accept: */*'; - $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers, true), false); + $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); return $this->tokenResponse; } 
@@ -1355,7 +1356,7 @@ public function getVerifiedClaims(string $attribute = null) { * @return bool|string * @throws OpenIDConnectClientException */ - protected function fetchURL(string $url, string $post_body = null, array $headers = [], bool $my_flag = false) { + protected function fetchURL(string $url, string $post_body = null, array $headers = []) { // OK cool - then let's create a new cURL resource handle $ch = curl_init(); @@ -1441,14 +1442,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Close the cURL resource, and free system resources curl_close($ch); - if ($my_flag) { - $outputArr = json_decode($output, false); - $outputArr['post_body'] = $post_body; - $outputArr['headers'] = $headers; - return json_encode($outputArr); - } else { - return $output; - } + return $output; } /** From baba1661df96a8c855a1eff6aace2f3a55c7c46d Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:40:17 +0100 Subject: [PATCH 32/52] uncomment post --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 1f37af37..453a987e 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1363,7 +1363,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Determine whether this is a GET or POST if ($post_body !== null) { - // curl_setopt($ch, CURLOPT_POST, 1); + curl_setopt($ch, CURLOPT_POST, 1); // Allows to keep the POST method even after redirect curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); From 788b05355cef31844604fd03153715e3778bf409 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Wed, 18 Sep 2024 16:47:44 +0100 Subject: [PATCH 33/52] rm redirect uri --- src/OpenIDConnectClient.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 453a987e..99f09691 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -875,8 +875,7 @@ protected function requestTokens(string $code, array $headers = []) { 'grant_type' => $grant_type, 'code' => $code, 'client_id' => $this->clientID, - 'client_secret' => $this->clientSecret, - 'redirect_uri' => $this->getRedirectURL() + 'client_secret' => $this->clientSecret ]; $authorizationHeader = null; From 6e92a1b0fb9682da43c14478980c17d00d37818c Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 09:33:07 +0100 Subject: [PATCH 34/52] try one post curl --- src/OpenIDConnectClient.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 99f09691..3ed74446 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -875,7 +875,8 @@ protected function requestTokens(string $code, array $headers = []) { 'grant_type' => $grant_type, 'code' => $code, 'client_id' => $this->clientID, - 'client_secret' => $this->clientSecret + 'client_secret' => $this->clientSecret, + 'redirect_uri' => $this->getRedirectURL() ]; $authorizationHeader = null; @@ -1364,7 +1365,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header if ($post_body !== null) { curl_setopt($ch, CURLOPT_POST, 1); // Allows to keep the POST method even after redirect - curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); + // curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); // Default content type is form encoded From 3479755fda1bc46b4479755e1cd38c3725ce4db9 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 09:36:31 +0100 Subject: [PATCH 35/52] that didn't work --- src/OpenIDConnectClient.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 3ed74446..1f37af37 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1363,9 +1363,9 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Determine whether this is a GET or POST if ($post_body !== null) { - curl_setopt($ch, CURLOPT_POST, 1); + // curl_setopt($ch, CURLOPT_POST, 1); // Allows to keep the POST method even after redirect - // curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); + curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); // Default content type is form encoded From 36ffad04acbe1382a93b14ba425f2ed23805697d Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 09:54:52 +0100 Subject: [PATCH 36/52] try different encoding --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 1f37af37..3b7519ba 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -220,7 +220,7 @@ class OpenIDConnectClient /** * @var int defines which URL-encoding http_build_query() uses */ - public $encType = PHP_QUERY_RFC1738; + public $encType = PHP_QUERY_RFC3986; /** * @var bool Enable or disable upgrading to HTTPS by paying attention to HTTP header HTTP_UPGRADE_INSECURE_REQUESTS From 2bac5ea89f0e7a4dc6a3e448a048f7cd9b8ea135 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 09:58:38 +0100 Subject: [PATCH 37/52] try form data --- src/OpenIDConnectClient.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 3b7519ba..592a41d3 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
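Review bot: Re-enabling `curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');` under the comment "keep the POST method even after redirect" means that if fetchURL follows redirects (the `CURLOPT_FOLLOWLOCATION` setting is outside this hunk, but the comment implies it does), a 3xx from the token endpoint re-sends the body — `client_secret` and the authorization code — to whatever host the `Location` header names. A token-endpoint client should not follow redirects at all; the endpoint is expected to answer directly. Toggling between `CURLOPT_POST` and `CURLOPT_CUSTOMREQUEST` does not change what the server receives, so this flip-flop is not where the failure lies.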
@@ -922,7 +922,7 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - $token_params = http_build_query($token_params, '', '&', $this->encType); + // $token_params = http_build_query($token_params, '', '&', $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; @@ -1351,12 +1351,12 @@ public function getVerifiedClaims(string $attribute = null) { /** * @param string $url - * @param string | null $post_body string If this is set the post type will be POST + * @param string | array | null $post_body string If this is set the post type will be POST * @param array $headers Extra headers to be sent with the request. Format as 'NameHeader: ValueHeader' * @return bool|string * @throws OpenIDConnectClientException */ - protected function fetchURL(string $url, string $post_body = null, array $headers = []) { + protected function fetchURL(string $url, string | array $post_body = null, array $headers = []) { // OK cool - then let's create a new cURL resource handle $ch = curl_init(); @@ -1369,7 +1369,8 @@ protected function fetchURL(string $url, string $post_body = null, array $header curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); // Default content type is form encoded - $content_type = 'application/x-www-form-urlencoded'; + // $content_type = 'application/x-www-form-urlencoded'; + $content_type = 'multipart/form-data'; // Determine if this is a JSON payload and add the appropriate content type if (is_object(json_decode($post_body, false))) { From aa06c8e76a2cb0fa64175cc470947130f0b40de8 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 10:00:57 +0100 Subject: [PATCH 38/52] do form data better --- src/OpenIDConnectClient.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 592a41d3..42d19187 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
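Review bot: `string | array $post_body = null` is a union type, which requires PHP 8.0 while the file header earlier in this series advertises PHP 7+, and the unchanged `is_object(json_decode($post_body, false))` further down now receives an array and throws a `TypeError`. Passing the raw array to `CURLOPT_POSTFIELDS` makes cURL build a `multipart/form-data` body, which RFC 6749 §4.1.3 does not allow for the token endpoint (it requires `application/x-www-form-urlencoded`), and setting `Content-Type: multipart/form-data` by hand drops the `boundary=` parameter cURL would otherwise add, so the server cannot parse the body at all. Keep `$token_params = http_build_query($token_params, '', '&', $this->encType);` and the string-typed parameter.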
@@ -1369,8 +1369,11 @@ protected function fetchURL(string $url, string | array $post_body = null, array curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); // Default content type is form encoded - // $content_type = 'application/x-www-form-urlencoded'; - $content_type = 'multipart/form-data'; + if (is_array($post_body)) { + $content_type = 'multipart/form-data'; + } else { + $content_type = 'application/x-www-form-urlencoded'; + } // Determine if this is a JSON payload and add the appropriate content type if (is_object(json_decode($post_body, false))) { From 0cdc77211574527c380eb143048e9a9312c50804 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 10:26:06 +0100 Subject: [PATCH 39/52] revert i think --- src/OpenIDConnectClient.php | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 42d19187..1f37af37 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -220,7 +220,7 @@ class OpenIDConnectClient /** * @var int defines which URL-encoding http_build_query() uses */ - public $encType = PHP_QUERY_RFC3986; + public $encType = PHP_QUERY_RFC1738; /** * @var bool Enable or disable upgrading to HTTPS by paying attention to HTTP header HTTP_UPGRADE_INSECURE_REQUESTS @@ -922,7 +922,7 @@ protected function requestTokens(string $code, array $headers = []) { } // Convert token params to string format - // $token_params = http_build_query($token_params, '', '&', $this->encType); + $token_params = http_build_query($token_params, '', '&', $this->encType); if (null !== $authorizationHeader) { $headers[] = $authorizationHeader; 
@@ -1351,12 +1351,12 @@ public function getVerifiedClaims(string $attribute = null) { /** * @param string $url - * @param string | array | null $post_body string If this is set the post type will be POST + * @param string | null $post_body string If this is set the post type will be POST * @param array $headers Extra headers to be sent with the request. Format as 'NameHeader: ValueHeader' * @return bool|string * @throws OpenIDConnectClientException */ - protected function fetchURL(string $url, string | array $post_body = null, array $headers = []) { + protected function fetchURL(string $url, string $post_body = null, array $headers = []) { // OK cool - then let's create a new cURL resource handle $ch = curl_init(); @@ -1369,11 +1369,7 @@ protected function fetchURL(string $url, string | array $post_body = null, array curl_setopt($ch, CURLOPT_POSTFIELDS, $post_body); // Default content type is form encoded - if (is_array($post_body)) { - $content_type = 'multipart/form-data'; - } else { - $content_type = 'application/x-www-form-urlencoded'; - } + $content_type = 'application/x-www-form-urlencoded'; // Determine if this is a JSON payload and add the appropriate content type if (is_object(json_decode($post_body, false))) { From ae4754c4b020b809bce536f60bd979217edb1737 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 12:01:34 +0100 Subject: [PATCH 40/52] force the encoded header --- src/OpenIDConnectClient.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 1f37af37..7d8be256 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
@@ -928,9 +928,10 @@ protected function requestTokens(string $code, array $headers = []) { $headers[] = $authorizationHeader; } $headers[] = 'Accept: */*'; + $headers[] = 'Content-Type: application/x-www-form-urlencoded'; $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); - dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse)); + dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . $headers); return $this->tokenResponse; } From e9153e7eed7d85ec0c3efd0708de7ae57a8dca8d Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 12:02:56 +0100 Subject: [PATCH 41/52] fix debug log --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 7d8be256..4cc54db5 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -931,7 +931,7 @@ protected function requestTokens(string $code, array $headers = []) { $headers[] = 'Content-Type: application/x-www-form-urlencoded'; $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); - dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . $headers); + dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . json_encode($headers)); return $this->tokenResponse; } From 1fd5bc84f0d0a352ac52ae4296f6a07a48cfb305 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 12:07:09 +0100 Subject: [PATCH 42/52] try encoding the uri --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 4cc54db5..10ca74c3 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
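Review bot: `json_encode($headers)` inside the `dd(...)` call prints the full outgoing header list — including the `Authorization` header appended just above when `$authorizationHeader` is set, i.e. the client credentials — to the browser together with the token response. The previous patch's `. $headers` would only have produced `Array` with a notice, so this "fix" completes the leak rather than removing it. The added `$headers[] = 'Content-Type: application/x-www-form-urlencoded';` also duplicates the `Content-Type` that fetchURL appends for every POST, so the request goes out with the header twice. Remove the `dd()` and the extra header line.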
@@ -876,7 +876,7 @@ protected function requestTokens(string $code, array $headers = []) { 'code' => $code, 'client_id' => $this->clientID, 'client_secret' => $this->clientSecret, - 'redirect_uri' => $this->getRedirectURL() + 'redirect_uri' => url_encode($this->getRedirectURL()) ]; $authorizationHeader = null; From db5c91105343b2ec8cd1277747e95cae7b83053c Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 12:08:30 +0100 Subject: [PATCH 43/52] fix sp --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 10ca74c3..b1608bd6 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -876,7 +876,7 @@ protected function requestTokens(string $code, array $headers = []) { 'code' => $code, 'client_id' => $this->clientID, 'client_secret' => $this->clientSecret, - 'redirect_uri' => url_encode($this->getRedirectURL()) + 'redirect_uri' => urlencode($this->getRedirectURL()) ]; $authorizationHeader = null; From 5cc7de2bdf8450290212d5a25ae3d09a9f765569 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 12:15:25 +0100 Subject: [PATCH 44/52] really force header --- src/OpenIDConnectClient.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index b1608bd6..f807de1f 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -1373,9 +1373,9 @@ protected function fetchURL(string $url, string $post_body = null, array $header $content_type = 'application/x-www-form-urlencoded'; // Determine if this is a JSON payload and add the appropriate content type - if (is_object(json_decode($post_body, false))) { - $content_type = 'application/json'; - } + // if (is_object(json_decode($post_body, false))) { + // $content_type = 'application/json'; + // } // Add POST-specific headers $headers[] = "Content-Type: $content_type"; 
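Review bot: `urlencode($this->getRedirectURL())` double-encodes the value: `http_build_query(...)` later in requestTokens already percent-encodes each parameter, so the provider receives `https%253A%252F%252F...`, decodes it once to `https%3A%2F%2F...`, and the RFC 6749 §4.1.3 redirect_uri comparison against the registered URI can never match. The prior patch's `url_encode()` is an undefined function and would have been a fatal error. Nothing later in this series reverts the `urlencode` call, so it survives into the final state; use the plain `'redirect_uri' => $this->getRedirectURL()`.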
From bd427c62895b0824ceae58dbad92371c267f68d4 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 13:32:38 +0100 Subject: [PATCH 45/52] add content length header --- src/OpenIDConnectClient.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index f807de1f..c32ced4d 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -929,6 +929,7 @@ protected function requestTokens(string $code, array $headers = []) { } $headers[] = 'Accept: */*'; $headers[] = 'Content-Type: application/x-www-form-urlencoded'; + $headers[] = 'Content-Length: ' . strlen($token_params); $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . json_encode($headers)); @@ -1373,9 +1374,9 @@ protected function fetchURL(string $url, string $post_body = null, array $header $content_type = 'application/x-www-form-urlencoded'; // Determine if this is a JSON payload and add the appropriate content type - // if (is_object(json_decode($post_body, false))) { - // $content_type = 'application/json'; - // } + if (is_object(json_decode($post_body, false))) { + $content_type = 'application/json'; + } // Add POST-specific headers $headers[] = "Content-Type: $content_type"; From 4448ce404d76c7b0c70ceaf8fd1e73119fa32a93 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 13:43:27 +0100 Subject: [PATCH 46/52] curl http version --- src/OpenIDConnectClient.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index c32ced4d..ff089c9e 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
@@ -1363,6 +1363,8 @@ protected function fetchURL(string $url, string $post_body = null, array $header // OK cool - then let's create a new cURL resource handle $ch = curl_init(); + curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); + // Determine whether this is a GET or POST if ($post_body !== null) { // curl_setopt($ch, CURLOPT_POST, 1); From 2a488008c023a0e275d829c2f1f4deb14e5e13d4 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 13:48:31 +0100 Subject: [PATCH 47/52] rm content length and http 1 params --- src/OpenIDConnectClient.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index ff089c9e..c2398847 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -929,7 +929,7 @@ protected function requestTokens(string $code, array $headers = []) { } $headers[] = 'Accept: */*'; $headers[] = 'Content-Type: application/x-www-form-urlencoded'; - $headers[] = 'Content-Length: ' . strlen($token_params); + // $headers[] = 'Content-Length: ' . strlen($token_params); $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . json_encode($headers)); @@ -1363,7 +1363,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header // OK cool - then let's create a new cURL resource handle $ch = curl_init(); - curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); + // curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); // Determine whether this is a GET or POST if ($post_body !== null) { From b8e3cb74d009936aff82b2bade871cd9b2fc9674 Mon Sep 17 00:00:00 2001 
From: Branwen Snelling Date: Thu, 19 Sep 2024 13:59:55 +0100 Subject: [PATCH 48/52] calculate content length later --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index c2398847..f3f73dac 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -929,7 +929,6 @@ protected function requestTokens(string $code, array $headers = []) { } $headers[] = 'Accept: */*'; $headers[] = 'Content-Type: application/x-www-form-urlencoded'; - // $headers[] = 'Content-Length: ' . strlen($token_params); $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . json_encode($headers)); @@ -1382,6 +1381,7 @@ protected function fetchURL(string $url, string $post_body = null, array $header // Add POST-specific headers $headers[] = "Content-Type: $content_type"; + $headers[] = 'Content-Length: ' . strlen($post_body); } // Set the User-Agent From e851773d50de6c7a39be320ce475dcac75e60b30 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 14:17:06 +0100 Subject: [PATCH 49/52] rm dds --- src/OpenIDConnectClient.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index f3f73dac..10f0ff83 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -310,8 +310,6 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); - dd('token_json ' . $token_json); - // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) { 
@@ -931,7 +929,6 @@ protected function requestTokens(string $code, array $headers = []) { $headers[] = 'Content-Type: application/x-www-form-urlencoded'; $this->tokenResponse = json_decode($this->fetchURL($token_endpoint, $token_params, $headers), false); - dd('token_params ' . $token_params . ' and token response ' . json_encode($this->tokenResponse) . ' and headers ' . json_encode($headers)); return $this->tokenResponse; } From c5468ae96279b7c673f7436273fae013b819936d Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 14:34:54 +0100 Subject: [PATCH 50/52] check state --- src/OpenIDConnectClient.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 10f0ff83..25d95840 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -310,6 +310,8 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); + dd('in here with token json ' . $token_json . ' and state ' . $_REQUEST['state'] . ' and oidc client state ' . $this->getState()); + // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) { From 2cd21a2b395080be80525e490872f04759a51683 Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 14:36:24 +0100 Subject: [PATCH 51/52] check state again --- src/OpenIDConnectClient.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index 25d95840..ce3db848 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php 
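Review bot: `$token_json` is the object returned by `requestTokens` (decoded with `json_decode(..., false)`), so `'... ' . $token_json . ' ...'` throws `Error: Object of class stdClass could not be converted to string` instead of dumping anything. Had it worked, the dump would print the access, refresh and ID tokens together with the session's stored state nonce from `$this->getState()` into the response and halt — after the authorization code has already been redeemed, and before the error check that follows; the state comparison itself is not in this hunk. If the state check is what is being diagnosed, log only whether the two values match (e.g. `hash_equals($this->getState(), $_REQUEST['state'])`), never the values.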
@@ -310,7 +310,7 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); - dd('in here with token json ' . $token_json . ' and state ' . $_REQUEST['state'] . ' and oidc client state ' . $this->getState()); + dd('in here with token json ' . json_encode($token_json) . ' and state ' . json_encode($_REQUEST['state']) . ' and oidc client state ' . json_encode($this->getState())); // Throw an error if the server returns one if (isset($token_json->error)) { From 5995f706990bcdf38bbe8f73736d398d036ed8eb Mon Sep 17 00:00:00 2001 From: Branwen Snelling Date: Thu, 19 Sep 2024 14:51:04 +0100 Subject: [PATCH 52/52] rm dds --- src/OpenIDConnectClient.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php index ce3db848..10f0ff83 100644 --- a/src/OpenIDConnectClient.php +++ b/src/OpenIDConnectClient.php @@ -310,8 +310,6 @@ public function authenticate(): bool $code = $_REQUEST['code']; $token_json = $this->requestTokens($code); - dd('in here with token json ' . json_encode($token_json) . ' and state ' . json_encode($_REQUEST['state']) . ' and oidc client state ' . json_encode($this->getState())); - // Throw an error if the server returns one if (isset($token_json->error)) { if (isset($token_json->error_description)) {
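Review bot: Removing the dump returns this hunk to its pre-series state, but as far as the visible patches show, three debugging changes were never reverted: `'redirect_uri' => urlencode($this->getRedirectURL())` (double-encoded again by `http_build_query`), the extra `Accept: */*` and second `Content-Type` header appended in requestTokens, and the explicit `Content-Length` header in fetchURL that is redundant with the one cURL derives from `CURLOPT_POSTFIELDS`. The first of these will fail the redirect_uri match at any provider that enforces it. Those lines should be cleaned up before this branch is merged.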