oauth2-server icon indicating copy to clipboard operation
oauth2-server copied to clipboard

Published 20 hours ago verified publisher icon thephpleague

Metadata

A spec compliant, secure by default PHP OAuth 2.0 Server

Results 109 oauth2-server issues
Sort by recently updated
recently updated
newest added

Missing documentation: Custom grants

3 comment

Hi, I am currently developing mobile app and API, using the OAuth2 server with Password grant. I must also implement user login via Facebook and LinkedIn. As far as I...

pdrosos avatar pdrosos

Documentation

Response code when `Authorization` header or `client_id` is missing

`AbstractGrant` throws `400 Bad Request` in case it's not able to retrieve `client_id` from the request while validating client. Wouldn't it be better to return `401 Unauthorized` in case no...

chervand avatar chervand

Add custom encoders for token ID and refresh token, not just bin2hex

2 comment

Bin2hex is too lengthy. Is it strictly mandated by standard, or is anything other proven insecure ? [BearerTokenResponse.php#L35](https://github.com/thephpleague/oauth2-server/blob/317f46b7ae5cde8a27cedbdf0dad743ed4e5bcda/src/ResponseTypes/BearerTokenResponse.php#L35) is asking for something like this: ```php interface Codec { public function...

mcd-php avatar mcd-php

Improvement Idea

WWW-Authenticate header is not included for access denied errors

WWW-Authenticate header is only included by OAuthServerException for `invalid_client` errors. I think it should be included for other errors, at least for access denied errors from the resource server. RFC...

rjmackay avatar rjmackay

AuthorizationValidatorInterface should have setPublicKey method or ResourceServer should not call AuthorizationValidatorInterface::setPublicKey

Hi, if we implement own AuthorizationValidator using `AuthorizationValidatorInterface` and not implement setPublicKey we receive "Call to undefined method `setPublicKey`" error, because this method is called in `ResourceServer::getAuthorizationValidator()`

kaszkielowicz avatar kaszkielowicz

Split AccessTokenRepositoryInterface

3 comment

For resource servers, the only method that's actually needed from the AccessTokenRepositoryInterface is isAccessTokenRevoked(). By contrast, isAccessTokenRevoked() isn't actually required for the authorization server side of the house. Splitting the...

iansltx avatar iansltx

Future Version
Improvement Idea

In AuthorizationServer class, grants are keyed by identifier, which also serves for another purpose

3 comment

Hello, I have a minor problem, when you look at this code: ``` php public function enableGrantType(GrantTypeInterface $grantType, DateInterval $accessTokenTTL = null) { /* REMOVED CODE */ $this->enabledGrantTypes[$grantType->getIdentifier()] = $grantType;...

pounard avatar pounard

Bug

Auth Code check falls back to server var rather than raw header

2 comment

Fixed this elsewhere in #604. More a note to self to come back and clean this up as well.

iansltx avatar iansltx

Fix PHP 8.1 deprecations.

5 comment

- Fixes a couple of cases where null was passed instead of string to `AbstractAuthorizeGrant::makeRedirectUri()` by ensuring that the redirect uri is always a string. - Adds `#[\ReturnTypeWillChange]` attributes to...

EreMaijala avatar EreMaijala

Allow Ecdsa keys as oauth2 server

2 comment

Currently, the algo is hard-coded here https://github.com/thephpleague/oauth2-server/blob/master/src/Entities/Traits/AccessTokenTrait.php#L47 Switching it does not work in any case, but you get at least a key. Verifiying seems also hard-coded somewhere

shyim avatar shyim

Future Version
Improvement Idea

Metadata

6.5k
Stars
1.1k
Forks
Watchers

Owner

verified publisher icon thephpleague

Metadata

A spec compliant, secure by default PHP OAuth 2.0 Server

Back