Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enabled client_secret_basic authentication on requestClientCredentialsToken() #348

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Cast `$_SERVER['SERVER_PORT']` to integer to prevent adding 80 or 443 port to redirect URL. #403
- Check subject when verifying JWT #406
- Removed duplicate check on jwks_uri and only check if jwks_uri exists when needed #373
* Enabled `client_secret_basic` authentication on `requestClientCredentialsToken()` #347

## [1.0.0] - 2023-12-13

Expand Down
5 changes: 4 additions & 1 deletion composer.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "jumbojett/openid-connect-php",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please revert this change.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted

"description": "Bare-bones OpenID Connect client",
"description": "Bare-bones OpenID Connect client (forked to allow client secret basic authentication on obtaining access token)",
"license": "Apache-2.0",
"require": {
"php": ">=7.0",
Expand All @@ -13,6 +13,9 @@
"roave/security-advisories": "dev-latest",
"yoast/phpunit-polyfills": "^2.0"
},
"replace": {
"jumbojett/openid-connect-php": "<=0.9.10"
},
"archive" : {
"exclude" : [
".*"
Expand Down
33 changes: 22 additions & 11 deletions src/OpenIDConnectClient.php
Original file line number Diff line number Diff line change
Expand Up @@ -803,12 +803,12 @@ public function requestClientCredentialsToken() {
$grant_type = 'client_credentials';

$post_data = [
'grant_type' => $grant_type,
'client_id' => $this->clientID,
'client_secret' => $this->clientSecret,
'scope' => implode(' ', $this->scopes)
'grant_type' => $grant_type,
'scope' => implode(' ', $this->scopes)
];

$this->setOptionalBasicAuthentication($headers, $post_data);

// Convert token params to string format
$post_params = http_build_query($post_data, '', '&', $this->encType);

Expand Down Expand Up @@ -839,13 +839,7 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {

//For client authentication include the client values
if($bClientAuth) {
$token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
$headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
} else {
$post_data['client_id'] = $this->clientID;
$post_data['client_secret'] = $this->clientSecret;
}
$this->setOptionalBasicAuthentication($headers, $post_data);
}

// Convert token params to string format
Expand All @@ -854,6 +848,23 @@ public function requestResourceOwnerToken(bool $bClientAuth = false) {
return json_decode($this->fetchURL($token_endpoint, $post_params, $headers), false);
}

/**
* Use client basic authentication if supported.
*
* @param array $headers
* @param array $post_data
* @throws OpenIDConnectClientException
*/
protected function setOptionalBasicAuthentication(&$headers, &$post_data) {
$token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);

if ($this->supportsAuthMethod('client_secret_basic', $token_endpoint_auth_methods_supported)) {
$headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret))];
} else {
$post_data['client_id'] = $this->clientID;
$post_data['client_secret'] = $this->clientSecret;
}
}

/**
* Requests ID and Access tokens
Expand Down