oauth2-server
A spec compliant, secure by default PHP OAuth 2.0 Server
Hi, I am currently developing a mobile app and API, using the OAuth2 server with the Password grant. I must also implement user login via Facebook and LinkedIn. As far as I...
`AbstractGrant` throws `400 Bad Request` in case it's not able to retrieve `client_id` from the request while validating client. Wouldn't it be better to return `401 Unauthorized` in case no...
Bin2hex is too lengthy. Is it strictly mandated by the standard, or is anything else proven insecure? [BearerTokenResponse.php#L35](https://github.com/thephpleague/oauth2-server/blob/317f46b7ae5cde8a27cedbdf0dad743ed4e5bcda/src/ResponseTypes/BearerTokenResponse.php#L35) is asking for something like this: ```php interface Codec { public function...
WWW-Authenticate header is only included by OAuthServerException for `invalid_client` errors. I think it should be included for other errors, at least for access denied errors from the resource server. RFC...
Hi, if we implement our own AuthorizationValidator using `AuthorizationValidatorInterface` and do not implement `setPublicKey`, we receive a "Call to undefined method `setPublicKey`" error, because this method is called in `ResourceServer::getAuthorizationValidator()`.
For resource servers, the only method that's actually needed from the AccessTokenRepositoryInterface is isAccessTokenRevoked(). By contrast, isAccessTokenRevoked() isn't actually required for the authorization server side of the house. Splitting the...
In AuthorizationServer class, grants are keyed by identifier, which also serves for another purpose
Hello, I have a minor problem, when you look at this code: ``` php public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null) { /* REMOVED CODE */ $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;...
Fixed this elsewhere in #604. More a note to self to come back and clean this up as well.
- Fixes a couple of cases where null was passed instead of string to `AbstractAuthorizeGrant::makeRedirectUri()` by ensuring that the redirect uri is always a string. - Adds `#[\ReturnTypeWillChange]` attributes to...
Currently, the algo is hard-coded here https://github.com/thephpleague/oauth2-server/blob/master/src/Entities/Traits/AccessTokenTrait.php#L47 Switching it does not work in any case, but you get at least a key. Verifying also seems to be hard-coded somewhere.