
quickbooks-openid-connect's People

Contributors

adambartholomew, asmarius, baru, benyitzhaki, billsimon, c2theg, corentingi, deepdiver1975, dpesch, guss77, hallgeirlien, jdreed, jricher, jtubex, jumbojett, keith-chargeover, kenguest, krisrandall, lordelph, morcs, mpospisil, n0nag0n, nemoneph, nyndo, philcarbone, radenui, rasodu, rghose, stevenschmutz, zmon

quickbooks-openid-connect's Issues

The client_secret_basic auth method does not unset the client_id parameter, and instead passes client_id as a body param

Here in the code you can see the client_secret getting unset:
https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L706

$token_params = array(
    'grant_type' => $grant_type,
    'code' => $code,
    'redirect_uri' => $this->getRedirectURL(),
    'client_id' => $this->clientID,
    'client_secret' => $this->clientSecret
);
# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
}

However, the client_id still ends up in $token_params and so gets passed in the POST body.

Some providers (e.g. Intuit) will return invalid_client if you include the client_id as a POST body param. You can see Intuit doesn't document client_id here as a param:
https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect#step-5-exchange-authorization-code-to-obtain-id-token-and-access-token

If you change it to unset the client_id as well, it works:

# Consider Basic authentication if provider config is set this way
if (in_array('client_secret_basic', $token_endpoint_auth_methods_supported)) {
    $headers = ['Authorization: Basic ' . base64_encode($this->clientID . ':' . $this->clientSecret)];
    unset($token_params['client_secret']);
    unset($token_params['client_id']);
}
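A request builder that behaves the way the issue asks for, added here as an example; it is not code from OpenID-Connect-PHP or from the issue author, and the function name buildTokenRequest and its parameters are assumptions for illustration. With client_secret_basic it puts the credentials only in the Authorization header and leaves both client_id and client_secret out of the body, falling back to client_secret_post otherwise. It also form-urlencodes the two values before base64-encoding them, as RFC 6749 section 2.3.1 requires, which the quoted library code does not do.

```php
<?php
// Added example, not code from OpenID-Connect-PHP or the issue author:
// builds the token-endpoint request for the authorization_code grant and
// chooses the client authentication method from the provider's
// token_endpoint_auth_methods_supported list. Function and parameter
// names are illustrative assumptions.

function buildTokenRequest(
    string $clientId,
    string $clientSecret,
    string $code,
    string $redirectUri,
    array $tokenEndpointAuthMethodsSupported
): array {
    $body = [
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => $redirectUri,
    ];
    $headers = ['Content-Type: application/x-www-form-urlencoded'];

    if (in_array('client_secret_basic', $tokenEndpointAuthMethodsSupported, true)) {
        // Credentials go only in the Authorization header. Neither client_id
        // nor client_secret is added to the body: providers such as Intuit
        // answer invalid_client when client_id also appears as a body param.
        // RFC 6749 section 2.3.1: form-urlencode each value before joining.
        $headers[] = 'Authorization: Basic '
            . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret));
    } else {
        // client_secret_post: both credentials travel in the body instead.
        $body['client_id']     = $clientId;
        $body['client_secret'] = $clientSecret;
    }

    return ['headers' => $headers, 'body' => $body];
}

// ---- constructed sample input for a stand-alone run ----
function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$redirect = 'https://app.example.test/callback';
$basic = buildTokenRequest('my-client', 's3cr3t', 'AUTHCODE123', $redirect,
    ['client_secret_basic', 'client_secret_post']);
$post  = buildTokenRequest('my-client', 's3cr3t', 'AUTHCODE123', $redirect,
    ['client_secret_post']);

check(!array_key_exists('client_id', $basic['body']),     'basic: no client_id in body');
check(!array_key_exists('client_secret', $basic['body']), 'basic: no client_secret in body');
check(in_array('Authorization: Basic ' . base64_encode('my-client:s3cr3t'), $basic['headers'], true),
    'basic: Authorization header present');
check($post['body']['client_id'] === 'my-client' && $post['body']['client_secret'] === 's3cr3t',
    'post: credentials in body');
check(preg_grep('/^Authorization:/', $post['headers']) === [], 'post: no Authorization header');

// What actually goes on the wire for the Basic case:
echo implode("\r\n", $basic['headers']), "\r\n\r\n", http_build_query($basic['body']), "\n";
```

The strict third argument to in_array and the single branch that decides where the credentials go are the point: the library's version assembles the body first and then tries to take things back out, which is how client_id survived. Run with `php`; the checks throw if either method leaks a credential into the wrong place.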

JWT nonce claim is required, even though the spec says it's optional and some OpenID Connect providers do not provide it

The implementation here assumes that nonce is always present in the claim:
https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L922

return (($claims->iss == $this->getIssuer() || $claims->iss == $this->getWellKnownIssuer() || $claims->iss == $this->getWellKnownIssuer(true))
    && (($claims->aud == $this->clientID) || in_array($this->clientID, $claims->aud))
    && ($claims->nonce == $this->getNonce())
    && ( !isset($claims->exp) || $claims->exp >= time() - $this->leeway)
    && ( !isset($claims->nbf) || $claims->nbf <= time() + $this->leeway)
    && ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )
);

However, some providers do not return a nonce here. For example, Intuit's implementation does not: https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/openid-connect

According to the spec, it seems optional (note the "if a nonce value was sent..."):

If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific. 

From: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
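The claim check rewritten so that the nonce is demanded only when the client actually sent one, added here as an example and not as the library's code; verifyIdTokenClaims and its parameters are assumed names. It goes a little beyond the nonce point: exp is treated as required (OpenID Connect Core lists it as REQUIRED, whereas the quoted code skips it when absent), azp is checked when aud carries several audiences, and every string comparison uses hash_equals rather than PHP's loose ==.

```php
<?php
// Added example, not code from OpenID-Connect-PHP: ID Token claim checks
// where the nonce is required only if the client sent one in the
// Authentication Request (OpenID Connect Core 1.0, section 3.1.3.7).
// verifyIdTokenClaims and its parameter names are illustrative assumptions.

function verifyIdTokenClaims(
    object $claims,          // decoded ID Token payload (json_decode result)
    string $expectedIssuer,
    string $clientId,
    ?string $sentNonce,      // nonce we sent, or null if we sent none
    ?string $expectedAtHash, // at_hash computed from the access token, or null to skip
    int $leeway,             // clock-skew allowance in seconds
    int $now                 // current Unix time
): bool {
    // iss and aud are REQUIRED claims; compare byte-for-byte, never with ==.
    if (!isset($claims->iss) || !hash_equals($expectedIssuer, (string) $claims->iss)) {
        return false;
    }
    if (!isset($claims->aud)) {
        return false;
    }
    $audiences = is_array($claims->aud) ? $claims->aud : [$claims->aud];
    if (!in_array($clientId, $audiences, true)) {
        return false;
    }
    // Several audiences: the spec says the client SHOULD require azp and
    // SHOULD check that it names this client; this example enforces both.
    if (count($audiences) > 1
        && (!isset($claims->azp) || !hash_equals($clientId, (string) $claims->azp))) {
        return false;
    }
    // exp is REQUIRED; an ID Token without it must not be accepted.
    if (!isset($claims->exp) || !is_numeric($claims->exp) || $claims->exp < $now - $leeway) {
        return false;
    }
    if (isset($claims->nbf) && is_numeric($claims->nbf) && $claims->nbf > $now + $leeway) {
        return false;
    }
    // nonce: only checked when we sent one; then it MUST be present and equal.
    // A provider that never issues a nonce (the Intuit case) passes when the
    // client also sent none.
    if ($sentNonce !== null
        && (!isset($claims->nonce) || !hash_equals($sentNonce, (string) $claims->nonce))) {
        return false;
    }
    // at_hash is OPTIONAL; if both sides have a value they must agree.
    if ($expectedAtHash !== null && isset($claims->at_hash)
        && !hash_equals($expectedAtHash, (string) $claims->at_hash)) {
        return false;
    }
    return true;
}

// ---- constructed sample payloads for a stand-alone run ----
function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$now  = 1700000000;
$iss  = 'https://issuer.example.test'; // constructed issuer, not a real provider
$base = ['iss' => $iss, 'aud' => 'my-client', 'exp' => $now + 300, 'iat' => $now];
$v = static function (array $fields, ?string $sentNonce) use ($iss, $now): bool {
    return verifyIdTokenClaims((object) $fields, $iss, 'my-client', $sentNonce, null, 60, $now);
};

check($v($base, null) === true,                        'no nonce sent, none in token: accept');
check($v($base + ['nonce' => 'n-1'], 'n-1') === true,  'nonce sent and echoed: accept');
check($v($base, 'n-1') === false,                      'nonce sent but missing from token: reject');
check($v($base + ['nonce' => 'n-2'], 'n-1') === false, 'nonce mismatch: reject');
check($v(array_diff_key($base, ['exp' => 0]), null) === false, 'exp missing: reject');
check($v(array_merge($base, ['exp' => $now - 120]), null) === false, 'expired beyond leeway: reject');
check($v(array_merge($base, ['aud' => ['my-client', 'other']]), null) === false, 'multi-aud without azp: reject');
check($v(array_merge($base, ['aud' => ['my-client', 'other'], 'azp' => 'my-client']), null) === true, 'multi-aud with azp: accept');
echo "all claim checks behaved as expected\n";
```

The third case is the one that matters for security: when the client did send a nonce and the token comes back without one, the token has to be rejected, otherwise the replay protection the nonce exists for is gone. Making the claim optional must never turn into skipping the comparison whenever the provider omits it. hash_equals is used instead of == because PHP compares numeric strings numerically under loose comparison ("1e3" == "1000" is true), which is not a property a nonce or issuer check should have.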
