laminas-api-tools / api-tools-oauth2 Goto Github PK

how do i configure doctrine in oauth.local.php

Originally posted by @hwaqar44 at zfcampus/zf-oauth2#159

This repository has issues almost a year old which have not been addressed. I just added a new PR I'd like to see included. @ezimuel would you like help with this?

Originally posted by @TomHAnderson at zfcampus/zf-oauth2#165

BC Break Report

Summary

In api-tools-oauth2/src/Adapter/BcryptTrait.php, using checkPassword() is demanding that the input parameters "must be of type string, array given" , but the function clearly expects $user to be an array. See function below. $user['password'] is what is used in the function. This is causing a break in authentication using the password grant_type in oauth 2.0.

        protected function checkPassword(string $user, string $password): bool    
        {    
            return $this->verifyHash($password, $user['password']);
        }

Previous behavior

The previous function would a have accepted an array

Current behavior

The current function no longer accepts and array, and is insisting on a string

How to reproduce

Carry out a password grant_type authentication using the previous library version it should work.
Carry out a password grant_type authentication using the current library version it should now fail.

Alternatively,
In BcryptTrait.php, the password grant_type will fail with checkPassword until 'string $user' is changed to '$user' in: protected function checkPassword(string $user, string $password): bool

Perhaps change the typing to the string|array $user

I've finally managed securing my controller (extending the AuthController class) as mentioned in the documentation ( https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2 ) :

class MyTestController extends AuthController {

    ...

    public function __construct($serverFactory, UserIdProviderInterface $userIdProvider) {

        parent::__construct($serverFactory, $userIdProvider);
    }

    public function onDispatch(\Zend\Mvc\MvcEvent $e) {

        $server = call_user_func($this->serverFactory, "oauth");

        if (!$server->verifyResourceRequest($this->getOAuth2Request())) {

            $response = $server->getResponse();
            return $this->getApiProblemResponse($response);
        }

        return parent::onDispatch($e);
    }

    ...

As my API is RESTful, I would like to use the AbstractRestfulController as base for my controller. Could you please give me a hint/code example, how to secure a controller which extends the AbstractRestfulController? I have not found any useful information so far regarding this topic (and as I'm still quite new to ZF2, there's a lot to learn).

Any help would be greatly appreciated!

Originally posted by @humphrey09 at zfcampus/zf-oauth2#130

BC Break Report

Summary

After upgrading to last version my laminas api tools projectos its breaking with the title error.

Previous behavior

With 1.6.0 its work fine!

Current behavior

Class 'Webmozart\Assert\Assert' not found on AuthController

How to reproduce

Update to 1.7.0 and you get the error.

"This module uses any PDO-suported database to manage the OAuth2"

What if someone wishes to use oauth2 with MongoDB and any other database type? Where can we find examples of creating and testing mongodb connection with oauth2? I could not find in Apiagility some info on this.

Originally posted by @juniormayhe at zfcampus/zf-oauth2#161

When using composer and --prefer-dist option, composer will download zip file.

$ composer show -i zfcampus/zf-oauth2
name     : zfcampus/zf-oauth2
descrip. : ZF2 module for implementing an OAuth2 server
keywords : api, framework, oauth2, zf2
versions : * 1.1.2
type     : library
license  : BSD 3-clause "New" or "Revised" License (BSD-3-Clause) (OSI approved) http://spdx.org/licenses/BSD-3-Clause#licenseText
source   : [git] https://github.com/zfcampus/zf-oauth2.git d2545896b0c94f31db8111790763ef27cbdef1ad
dist     : [zip] https://packages.zendframework.com/composer/zfcampus-zf-oauth2-d2545896b0c94f31db8111790763ef27cbdef1ad-zip-bb2d0d.zip 1.1.2
names    : zfcampus/zf-oauth2

support
source : https://github.com/zfcampus/zf-oauth2/tree/1.1.2
issues : https://github.com/zfcampus/zf-oauth2/issues

...

Exactly this one: https://packages.zendframework.com/composer/zfcampus-zf-oauth2-d2545896b0c94f31db8111790763ef27cbdef1ad-zip-bb2d0d.zip It has two src dirs inside:

[.../vendor/zfcampus/zf-oauth2] $ ls src/
Adapter/  Controller/  ExceptionInterface.php  Factory/  Provider/  src/
[.../vendor/zfcampus/zf-oauth2] $ ls src/src/
Adapter/  Controller/  ExceptionInterface.php  Factory/  Provider/

because of it, composer's optimizer shows some warnings:

Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\AuthenticationServiceFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/AuthenticationServiceFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/AuthenticationServiceFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\UserIdProviderInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/UserIdProviderInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/UserIdProviderInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\Request" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/Request.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/Request.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\AuthenticationService" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/AuthenticationService.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/AuthenticationService.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\MongoAdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/MongoAdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/MongoAdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\OAuth2ServerFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/OAuth2ServerFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/OAuth2ServerFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\PdoAdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/PdoAdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/PdoAdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\OAuth2ServerInstanceFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/OAuth2ServerInstanceFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/OAuth2ServerInstanceFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\IbmDb2AdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/IbmDb2AdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/IbmDb2AdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\AuthControllerFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/AuthControllerFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/AuthControllerFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\AuthController" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/AuthController.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/AuthController.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\Exception\RuntimeException" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/Exception/RuntimeException.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/Exception/RuntimeException.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\Exception\ExceptionInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/Exception/ExceptionInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/Exception/ExceptionInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\ExceptionInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/ExceptionInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/ExceptionInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\IbmDb2Adapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/IbmDb2Adapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/IbmDb2Adapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\BcryptTrait" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/BcryptTrait.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/BcryptTrait.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\PdoAdapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/PdoAdapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/PdoAdapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\MongoAdapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/MongoAdapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/MongoAdapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\Exception\RuntimeException" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/Exception/RuntimeException.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/Exception/RuntimeException.php", the first will be used.

Nothing critical in fact, but looks bad, could you fix it?

Originally posted by @kusmierz at zfcampus/zf-oauth2#99

Feature Request

Summary

OAuth2 client libraries expect error messages to be under the hashtag in the URI. This is a valid response from the OAuth2 server when a user denies access to a client:

http://docker.lcdb:4200/login#error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F

However the OAuth2 library formats errors as Request parameters such as

http://docker.lcdb:4200/login?error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F

Detail

This is an issue in the OAuth2\Response class in the setRedirect function which assigns the error messages to the request parameters. The proper way to resolve this would be to extend the OAuth2\Response class and override the setRedirect function. However, api-tools-oauth2 uses static namespaces for Response and Request classes for the OAuth2 namespace.

Therefore there is no method available to set a custom Request or Response class for OAuth2. Overriding these classes is built into OAuth2 by design. But to restate, this repository does not allow for custom classes for Request and Response.

The Request class takes parameters https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/src/Controller/AuthController.php#L314 and the Response class does not. But to fix this I think the same method needs to be applied to each.

Proposed Solution

I propose the api-tools-oauth2 configuration be extended to include two required keys which default to the following:

$config = [
    'api-tools-oauth2' => [
        'oauth2-request-class' => 'OAuth2\Request',
        'oauth2-response-class' => 'OAuth2\Response',
    ],
];

The Auth controller will be modified to use these values instead of the static namespaces used now. These values will be added to https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/config/module.config.php

When creating a new auth adapter with a name seperated by a "." then the generated config array gets one additional level.

Expected

'adapters' => [
                'test.test2' => [

Actual

'adapters' => [
                'test' => [
                             'test2' => [

Originally posted by @ThaDafinser at zfcampus/zf-oauth2#121

Hey Guys,

Wondering if it would be possible to throw the correct zend-mvc-auth events during a token generation request?

This would be really helpful for logging API login requests.

Thanks,
Westin

Originally posted by @wshafer at zfcampus/zf-oauth2#153

• I was not able to find an open or closed issue matching what I'm seeing.
• This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

Provide a narrative description of what you are trying to accomplish.

Code to reproduce the issue

Expected results

Actual results

Originally posted by @Mitt199 at zfcampus/zf-oauth2#171

This storage is not defined in the dependent library so it is not possible to use this adapter. As it is dead code it should be removed.

• Is this related to quality assurance?

Originally posted by @michalbundyra at zfcampus/zf-oauth2#168

Feature Request

Summary

As decided during the Technical-Steering-Committee Meeting on August 3rd, 2020, Laminas wants to implement vimeo/psalm in all packages.

Implementing psalm is quite easy.

Required

• Create a psalm.xml in the project root
• Copy and paste the contents from this psalm.xml.dist
• Run $ composer require --dev vimeo/psalm
• Run $ vendor/bin/psalm --set-baseline=psalm-baseline.xml
• Add a composer script static-analysis with the command psalm --shepherd --stats
• Add a new line to script: in .travis.yml: - if [[ $TEST_COVERAGE == 'true' ]]; then composer static-analysis ; fi
• Remove phpstan from the project (phpstan.neon.dist, .travis.yml entry, composer.json require-dev and scripts)

Optional

• Fix as many psalm errors as possible.

Switch from Travis-CI to GHA CI workflow, as documented at https://gist.github.com/weierophinney/b003e50c3c2667d08076caf31ebd36a4

Feature Request

Summary

To be prepared for the december release of PHP 8.0, this repository has some additional TODOs to be tested against the new major version.

In order to make this repository compatible, one has to follow these steps:

• Modify composer.json to provide support for PHP 8.0 by adding the constraint ~8.0.0
• Modify composer.json to drop support for PHP less than 7.3
• Modify composer.json to implement phpunit 9.3 which supports PHP 7.3+
• Modify .travis.yml to ignore platform requirements when installing composer dependencies (simply add --ignore-platform-reqs to COMPOSER_ARGS env variable)
• Modify .travis.yml to add PHP 8.0 to the matrix (NOTE: Do not allow failures as PHP 8.0 has a feature freeze since 2020-08-04!)
• Modify source code in case there are incompatibilities with PHP 8.0

The ZF\OAuth2\Factory\OAuth2ServerFactory is no longer returning a OAuth2\Server instance?

https://github.com/zfcampus/zf-oauth2/blob/master/src/Factory/OAuth2ServerFactory.php

The file has been changed in the latest version and it returns a closure (Factory!?) now. My code is broken since I simply used $serviceLocator->get('ZF\OAuth2\Service\OAuth2Server'); elsewhere to get the OAuth2\Server instance from the server manager.

The documentation has also not been updated accordingly and is no longer up to date since it still states it will give me an OAuth\Server.

Is returning another factory from a factory really the way to go? How should I now get my oauth server instance? Is it maybe possible to separate the keys so getting the server is still possible?

Originally posted by @Wilt at zfcampus/zf-oauth2#114

Hello i installed as documented

1. update application.config
   'modules' => array(
   'Application',
   'ZF\ApiProblem',
   'ZF\ContentNegotiation',
   'ZF\OAuth2',
   ),

2. update module.config.php in /vendor/zf-campus/zf-oauth2/config/oauth2.local.php
   return array(
   'zf-oauth2' => array(
   'db' => array(
   'dsn' => 'mysql:dbname=test2;host=localhost', // for example "mysql:dbname=oauth2_db;host=localhost"
   'username' => 'root',
   'password' => 'abc123',
   ),
   'allow_implicit' => true, // default (set to true when you need to support browser-based or mobile apps)
   'access_lifetime' => 3600, // default (set a value in seconds for access tokens lifetime)
   'enforce_state' => true, // default
   'storage' => 'ZF\OAuth2\Adapter\PdoAdapter', // service name for the OAuth2 storage adapter
   ),
   );

3. update module.config.php in /vendor/zf-campus/zf-oauth2/config/module.config.php
   'service_manager' => [
   'aliases' => [
   // Provider\UserId::class => Provider\UserId\AuthenticationService::class,
   'ZF\OAuth2\Provider\UserId' => 'ZF\OAuth2\Provider\UserId\AuthenticationService',
   ],

4. i create the database and entries

5. http --auth testclient:testpass -f POST http://127.0.0.1/test6/public/oauth grant_type=client_credentials

But when i run the http it's give me error
An error occurred during execution; please try again later.
Could you tell me what i miss??

Thanks for help.

Originally posted by @mahabub398 at zfcampus/zf-oauth2#158

In
oauth_clients -> client_secret character varying(80) NOT NULL,

And then in PDO:
public function isPublicClient($client_id) { $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table'])); $stmt->execute(compact('client_id')); if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) { return false; } return empty($result['client_secret']); }

How can $result['client_secret'] be empty?
IMHO the "NOT NULL" is wrong as it is needed I.E. for 'allow_implicit' => true example.

Originally posted by @goalain at zfcampus/zf-oauth2#156

Hi,

OAuth2 specification describe in point 5.2. response format for invalid request.
But in AuthController::tokenAction if status code is beetwen 400 and 500, we return reposne in problem+json format, not in format from specification. Why?

I know that client can recognize content-type of response, but many OAuth2 clients recognize format from specification.

Originally posted by @michalkopacz at zfcampus/zf-oauth2#71

Switch from Travis-CI to GHA CI workflow, as documented at https://gist.github.com/weierophinney/b003e50c3c2667d08076caf31ebd36a4

Is there a common possibility to prevent user access to /oauth/authorize page if user is not authenticated? Some kind of a redirect to login page or similar?
Unfortunately I haven't found any configurations or tutorials for this use case.

Originally posted by @lampi87 at zfcampus/zf-oauth2#157

https://github.com/zfcampus/zf-oauth2/blob/master/data/db_oauth2.sql
https://github.com/zfcampus/zf-oauth2/blob/master/data/db_oauth2_postgresql.sql

Both of scripts contain extra columns client_id & type in table oauth_scopes. And primary key is missing.

Original DLL looks like this: https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Storage/Pdo.php#L519

Originally posted by @autowp at zfcampus/zf-oauth2#142

Hello

I think there is a problem with Username and password access.

I make tthis to get a token:

POST /oauth HTTP/1.1
Accept: application/json
Authorization: Basic dGVzdGNsaWVudDp0ZXN0cGFzcw==
Content-Type: application/json
{
"grant_type": "password",
"username": "testuser",
"password": "testpass"
}

It work both and return token with or without password !
Maybe I miss something ?

Best regards

Jérôme

Originally posted by @huggy06 at zfcampus/zf-oauth2#65

The phtml does not render error after clicking NO.

oauth/receivecode?error=access_denied&error_description=The+user+denied+access+to+your+application&state=xyz

Originally posted by @basz at zfcampus/zf-oauth2#97

Add missing start paragraph tag to the example link in the receive-code view template file so that the resulting HTML is well-structured again

Originally posted by @DamienHarwin at zfcampus/zf-oauth2#170