laminas-api-tools / api-tools-oauth2
Laminas module for implementing an OAuth2 server
Home Page: https://api-tools.getlaminas.org/documentation
License: BSD 3-Clause "New" or "Revised" License
How do I configure Doctrine in oauth.local.php?
Originally posted by @hwaqar44 at zfcampus/zf-oauth2#159
This repository has issues almost a year old which have not been addressed. I just added a new PR I'd like to see included. @ezimuel would you like help with this?
Originally posted by @TomHAnderson at zfcampus/zf-oauth2#165
Q | A |
---|---|
Version | 1.8.x |
In api-tools-oauth2/src/Adapter/BcryptTrait.php, using checkPassword() is demanding that the input parameters "must be of type string, array given" , but the function clearly expects $user to be an array. See function below. $user['password'] is what is used in the function. This is causing a break in authentication using the password grant_type in oauth 2.0.
```php
protected function checkPassword(string $user, string $password): bool
{
    return $this->verifyHash($password, $user['password']);
}
```
The previous function would have accepted an array.
The current function no longer accepts an array, and is insisting on a string.
Carry out a password grant_type authentication using the previous library version it should work.
Carry out a password grant_type authentication using the current library version it should now fail.
Alternatively,
In BcryptTrait.php, the password grant_type will fail with checkPassword until 'string $user' is changed to '$user' in: protected function checkPassword(string $user, string $password): bool
Perhaps change the typing to string|array $user.
I've finally managed to secure my controller (extending the AuthController class) as mentioned in the documentation ( https://github.com/zfcampus/zf-oauth2#how-to-protect-your-api-using-oauth2 ):
```php
class MyTestController extends AuthController {
    // ...
    public function __construct($serverFactory, UserIdProviderInterface $userIdProvider) {
        parent::__construct($serverFactory, $userIdProvider);
    }

    public function onDispatch(\Zend\Mvc\MvcEvent $e) {
        $server = call_user_func($this->serverFactory, "oauth");
        if (!$server->verifyResourceRequest($this->getOAuth2Request())) {
            $response = $server->getResponse();
            return $this->getApiProblemResponse($response);
        }
        return parent::onDispatch($e);
    }
    // ...
}
```
As my API is RESTful, I would like to use the AbstractRestfulController as base for my controller. Could you please give me a hint/code example, how to secure a controller which extends the AbstractRestfulController? I have not found any useful information so far regarding this topic (and as I'm still quite new to ZF2, there's a lot to learn).
Any help would be greatly appreciated!
Originally posted by @humphrey09 at zfcampus/zf-oauth2#130
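As an added example (not code from the post above, nor from zf-oauth2 / api-tools-oauth2), one way to apply the same token check to a controller that extends AbstractRestfulController. It assumes the OAuth2\Server and OAuth2\Request classes from bshaffer/oauth2-server-php and the ApiProblem / ApiProblemResponse classes from ZF\ApiProblem, which the module already depends on; the controller name and the 'read' scope are placeholders.

```php
<?php
// Added example, not code from the post above or from zf-oauth2 / api-tools-oauth2.
// Assumes: OAuth2\Server and OAuth2\Request from bshaffer/oauth2-server-php and
// ApiProblem / ApiProblemResponse from ZF\ApiProblem, which the module depends on.
// The class name and the 'read' scope are placeholders.
namespace MyApp\Controller;

use OAuth2\Request as OAuth2Request;
use OAuth2\Server as OAuth2Server;
use Zend\Mvc\Controller\AbstractRestfulController;
use Zend\Mvc\MvcEvent;
use ZF\ApiProblem\ApiProblem;
use ZF\ApiProblem\ApiProblemResponse;

class ProtectedResourceController extends AbstractRestfulController
{
    /** @var callable (string $serverKey) => OAuth2Server, as injected by the module factory */
    private $serverFactory;

    public function __construct(callable $serverFactory)
    {
        $this->serverFactory = $serverFactory;
    }

    public function onDispatch(MvcEvent $e)
    {
        /** @var OAuth2Server $server */
        $server  = call_user_func($this->serverFactory, 'oauth');
        $request = OAuth2Request::createFromGlobals();

        // Verify the bearer token (and require the 'read' scope) before any
        // REST action such as get()/getList()/create() is dispatched.
        if (!$server->verifyResourceRequest($request, null, 'read')) {
            $oauthResponse = $server->getResponse();
            $status = $oauthResponse->getStatusCode() ?: 401;
            $detail = $oauthResponse->getParameter('error_description')
                ?: 'A valid access token is required';

            // Answer with application/problem+json, like the AuthController does,
            // and stop the MVC dispatch here.
            $problem = new ApiProblemResponse(new ApiProblem($status, $detail));
            $e->setResponse($problem);
            return $problem;
        }

        return parent::onDispatch($e);
    }

    public function getList()
    {
        // Reached only when the token check above succeeded.
        return ['items' => []];
    }
}
```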
Q | A |
---|---|
Version | 1.7.0 |
After upgrading to the latest version, my Laminas API Tools projects are breaking with the error in the title.
With 1.6.0 it works fine!
Class 'Webmozart\Assert\Assert' not found on AuthController
Update to 1.7.0 and you get the error.
"This module uses any PDO-supported database to manage the OAuth2"
What if someone wishes to use OAuth2 with MongoDB or any other database type? Where can we find examples of creating and testing a MongoDB connection with OAuth2? I could not find any info on this in Apigility.
Originally posted by @juniormayhe at zfcampus/zf-oauth2#161
When using composer with the --prefer-dist option, composer will download a zip file.
```text
$ composer show -i zfcampus/zf-oauth2
name : zfcampus/zf-oauth2
descrip. : ZF2 module for implementing an OAuth2 server
keywords : api, framework, oauth2, zf2
versions : * 1.1.2
type : library
license : BSD 3-clause "New" or "Revised" License (BSD-3-Clause) (OSI approved) http://spdx.org/licenses/BSD-3-Clause#licenseText
source : [git] https://github.com/zfcampus/zf-oauth2.git d2545896b0c94f31db8111790763ef27cbdef1ad
dist : [zip] https://packages.zendframework.com/composer/zfcampus-zf-oauth2-d2545896b0c94f31db8111790763ef27cbdef1ad-zip-bb2d0d.zip 1.1.2
names : zfcampus/zf-oauth2
support
source : https://github.com/zfcampus/zf-oauth2/tree/1.1.2
issues : https://github.com/zfcampus/zf-oauth2/issues
...
```
Exactly this one: https://packages.zendframework.com/composer/zfcampus-zf-oauth2-d2545896b0c94f31db8111790763ef27cbdef1ad-zip-bb2d0d.zip . It has two src dirs inside:
```text
[.../vendor/zfcampus/zf-oauth2] $ ls src/
Adapter/ Controller/ ExceptionInterface.php Factory/ Provider/ src/
[.../vendor/zfcampus/zf-oauth2] $ ls src/src/
Adapter/ Controller/ ExceptionInterface.php Factory/ Provider/
```
Because of it, composer's optimizer shows some warnings:
```text
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\AuthenticationServiceFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/AuthenticationServiceFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/AuthenticationServiceFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\UserIdProviderInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/UserIdProviderInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/UserIdProviderInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\Request" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/Request.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/Request.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Provider\UserId\AuthenticationService" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Provider/UserId/AuthenticationService.php" and ".../vendor/zfcampus/zf-oauth2/src/Provider/UserId/AuthenticationService.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\MongoAdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/MongoAdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/MongoAdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\OAuth2ServerFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/OAuth2ServerFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/OAuth2ServerFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\PdoAdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/PdoAdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/PdoAdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\OAuth2ServerInstanceFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/OAuth2ServerInstanceFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/OAuth2ServerInstanceFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\IbmDb2AdapterFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/IbmDb2AdapterFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/IbmDb2AdapterFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Factory\AuthControllerFactory" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Factory/AuthControllerFactory.php" and ".../vendor/zfcampus/zf-oauth2/src/Factory/AuthControllerFactory.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\AuthController" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/AuthController.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/AuthController.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\Exception\RuntimeException" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/Exception/RuntimeException.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/Exception/RuntimeException.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Controller\Exception\ExceptionInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Controller/Exception/ExceptionInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/Controller/Exception/ExceptionInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\ExceptionInterface" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/ExceptionInterface.php" and ".../vendor/zfcampus/zf-oauth2/src/ExceptionInterface.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\IbmDb2Adapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/IbmDb2Adapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/IbmDb2Adapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\BcryptTrait" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/BcryptTrait.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/BcryptTrait.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\PdoAdapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/PdoAdapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/PdoAdapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\MongoAdapter" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/MongoAdapter.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/MongoAdapter.php", the first will be used.
Warning: Ambiguous class resolution, "ZF\OAuth2\Adapter\Exception\RuntimeException" was found in both ".../vendor/zfcampus/zf-oauth2/src/src/Adapter/Exception/RuntimeException.php" and ".../vendor/zfcampus/zf-oauth2/src/Adapter/Exception/RuntimeException.php", the first will be used.
```
Nothing critical in fact, but it looks bad; could you fix it?
Originally posted by @kusmierz at zfcampus/zf-oauth2#99
Q | A |
---|---|
New Feature | yes |
RFC | yes |
BC Break | no |
OAuth2 client libraries expect error messages to be under the hashtag in the URI. This is a valid response from the OAuth2 server when a user denies access to a client:
http://docker.lcdb:4200/login#error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F
However, the OAuth2 library formats errors as request parameters, such as:
http://docker.lcdb:4200/login?error=access_denied&error_description=The%20user%20denied%20access%20to%20your%20application&state=VWd4TGxPSVJZeUFZVWdSQmlnUXg4THl2bWFsWFE1QXFadjY5Ml9nZGJaUmdJ;%252F
This is an issue in the `OAuth2\Response` class, in the `setRedirect` function, which assigns the error messages to the request parameters. The proper way to resolve this would be to extend the `OAuth2\Response` class and override the `setRedirect` function. However, api-tools-oauth2 uses static namespaces for the Response and Request classes from the OAuth2 namespace.
Therefore there is no method available to set a custom Request or Response class for OAuth2. Overriding these classes is built into OAuth2 by design. But to restate, this repository does not allow for custom classes for Request and Response.
The Request class takes parameters https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/src/Controller/AuthController.php#L314 and the Response class does not. But to fix this I think the same method needs to be applied to each.
I propose the api-tools-oauth2 configuration be extended to include two required keys which default to the following:
```php
$config = [
    'api-tools-oauth2' => [
        'oauth2-request-class' => 'OAuth2\Request',
        'oauth2-response-class' => 'OAuth2\Response',
    ],
];
```
The Auth controller will be modified to use these values instead of the static namespaces used now. These values will be added to https://github.com/laminas-api-tools/api-tools-oauth2/blob/1.7.x/config/module.config.php
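An added example, not the module's code and not a patch to `OAuth2\Response`: a standalone helper showing where RFC 6749 places error parameters for each response type (fragment for the implicit grant, section 4.2.2.1; query string for the authorization code grant, section 4.1.2.1), which is what a custom Response class as proposed above would have to do. The function name and its parameters are assumptions.

```php
<?php
// Added example, not code from the proposal above or from api-tools-oauth2.
// Places error parameters where RFC 6749 puts them: in the URI fragment for
// response_type=token (implicit grant, 4.2.2.1) and in the query string for
// the authorization code grant (4.1.2.1). Names are assumptions for illustration.

function buildErrorRedirect(
    string $redirectUri,
    string $responseType,
    string $error,
    ?string $errorDescription = null,
    ?string $state = null
): string {
    $params = ['error' => $error];
    if ($errorDescription !== null) {
        $params['error_description'] = $errorDescription;
    }
    if ($state !== null) {
        // Echo the client's state unchanged so it can correlate the response.
        $params['state'] = $state;
    }
    // RFC 3986 encoding: spaces become %20, matching the report's expected URI.
    $encoded = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    $parts = parse_url($redirectUri);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('redirect_uri must be absolute');
    }
    // A registered redirect URI must not carry a fragment (RFC 6749, 3.1.2).
    if (isset($parts['fragment'])) {
        throw new InvalidArgumentException('redirect_uri must not contain a fragment');
    }

    $base = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '');
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';

    if ($responseType === 'token') {
        // Implicit grant: keep the registered query, put the error in the fragment.
        return $base . $query . '#' . $encoded;
    }
    // Authorization code grant: append the error to the query string.
    return $base . ($query === '' ? '?' : $query . '&') . $encoded;
}

// Constructed call mirroring the denied-access case from the report (state shortened).
echo buildErrorRedirect(
    'http://docker.lcdb:4200/login',
    'token',
    'access_denied',
    'The user denied access to your application',
    'VWd4TGxP'
), PHP_EOL;
```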
When creating a new auth adapter with a name separated by a "." then the generated config array gets one additional level.
Expected
```php
'adapters' => [
    'test.test2' => [
```
Actual
```php
'adapters' => [
    'test' => [
        'test2' => [
```
Originally posted by @ThaDafinser at zfcampus/zf-oauth2#121
Hey Guys,
Wondering if it would be possible to throw the correct zend-mvc-auth events during a token generation request?
This would be really helpful for logging API login requests.
Thanks,
Westin
Originally posted by @wshafer at zfcampus/zf-oauth2#153
Provide a narrative description of what you are trying to accomplish.
Originally posted by @Mitt199 at zfcampus/zf-oauth2#171
This storage is not defined in the dependent library so it is not possible to use this adapter. As it is dead code it should be removed.
Originally posted by @michalbundyra at zfcampus/zf-oauth2#168
Q | A |
---|---|
QA | yes |
As decided during the Technical Steering Committee meeting on August 3rd, 2020, Laminas wants to implement vimeo/psalm in all packages.
Implementing psalm is quite easy:
- Add a psalm.xml in the project root
- $ composer require --dev vimeo/psalm
- $ vendor/bin/psalm --set-baseline=psalm-baseline.xml
- Add a composer script static-analysis with the command psalm --shepherd --stats
- Add a script: entry in .travis.yml: - if [[ $TEST_COVERAGE == 'true' ]]; then composer static-analysis ; fi
- Remove phpstan (phpstan.neon.dist, .travis.yml entry, composer.json require-dev and scripts)
- Switch from Travis-CI to GHA CI workflow, as documented at https://gist.github.com/weierophinney/b003e50c3c2667d08076caf31ebd36a4
Q | A |
---|---|
New Feature | yes |
To be prepared for the December release of PHP 8.0, this repository has some additional TODOs to be tested against the new major version.
In order to make this repository compatible, one has to follow these steps:
- composer.json: provide support for PHP 8.0 by adding the constraint ~8.0.0
- composer.json: drop support for PHP less than 7.3
- composer.json: implement phpunit 9.3, which supports PHP 7.3+
- .travis.yml: ignore platform requirements when installing composer dependencies (simply add --ignore-platform-reqs to the COMPOSER_ARGS env variable)
- .travis.yml: add PHP 8.0 to the matrix (NOTE: do not allow failures, as PHP 8.0 has had a feature freeze since 2020-08-04!)
The ZF\OAuth2\Factory\OAuth2ServerFactory is no longer returning an OAuth2\Server instance?
https://github.com/zfcampus/zf-oauth2/blob/master/src/Factory/OAuth2ServerFactory.php
The file has been changed in the latest version and it returns a closure (Factory!?) now. My code is broken since I simply used $serviceLocator->get('ZF\OAuth2\Service\OAuth2Server'); elsewhere to get the OAuth2\Server instance from the service manager.
The documentation has also not been updated accordingly and is no longer up to date, since it still states it will give me an OAuth\Server.
Is returning another factory from a factory really the way to go? How should I now get my oauth server instance? Is it maybe possible to separate the keys so getting the server is still possible?
Originally posted by @Wilt at zfcampus/zf-oauth2#114
Hello, I installed as documented.
Update application.config:
```php
'modules' => array(
    'Application',
    'ZF\ApiProblem',
    'ZF\ContentNegotiation',
    'ZF\OAuth2',
),
```
Update module.config.php in /vendor/zf-campus/zf-oauth2/config/oauth2.local.php:
```php
return array(
    'zf-oauth2' => array(
        'db' => array(
            'dsn' => 'mysql:dbname=test2;host=localhost', // for example "mysql:dbname=oauth2_db;host=localhost"
            'username' => 'root',
            'password' => 'abc123',
        ),
        'allow_implicit' => true, // default (set to true when you need to support browser-based or mobile apps)
        'access_lifetime' => 3600, // default (set a value in seconds for access tokens lifetime)
        'enforce_state' => true, // default
        'storage' => 'ZF\OAuth2\Adapter\PdoAdapter', // service name for the OAuth2 storage adapter
    ),
);
```
Update module.config.php in /vendor/zf-campus/zf-oauth2/config/module.config.php:
```php
'service_manager' => [
    'aliases' => [
        // Provider\UserId::class => Provider\UserId\AuthenticationService::class,
        'ZF\OAuth2\Provider\UserId' => 'ZF\OAuth2\Provider\UserId\AuthenticationService',
    ],
],
```
I created the database and entries, then run:
```text
http --auth testclient:testpass -f POST http://127.0.0.1/test6/public/oauth grant_type=client_credentials
```
But when I run the http command it gives me an error:
An error occurred during execution; please try again later.
Could you tell me what I missed?
Thanks for help.
Originally posted by @mahabub398 at zfcampus/zf-oauth2#158
In
```sql
oauth_clients -> client_secret character varying(80) NOT NULL,
```
And then in PDO:
```php
public function isPublicClient($client_id)
{
    $stmt = $this->db->prepare(sprintf('SELECT * from %s where client_id = :client_id', $this->config['client_table']));
    $stmt->execute(compact('client_id'));
    if (!$result = $stmt->fetch(\PDO::FETCH_ASSOC)) {
        return false;
    }
    return empty($result['client_secret']);
}
```
How can $result['client_secret'] be empty?
IMHO the "NOT NULL" is wrong, as it is needed, e.g. for the 'allow_implicit' => true example.
Originally posted by @goalain at zfcampus/zf-oauth2#156
Hi,
The OAuth2 specification describes in section 5.2 the response format for an invalid request.
But in AuthController::tokenAction, if the status code is between 400 and 500, we return the response in problem+json format, not in the format from the specification. Why?
I know that the client can recognize the content-type of the response, but many OAuth2 clients recognize the format from the specification.
Originally posted by @michalkopacz at zfcampus/zf-oauth2#71
Switch from Travis-CI to GHA CI workflow, as documented at https://gist.github.com/weierophinney/b003e50c3c2667d08076caf31ebd36a4
Is there a common possibility to prevent user access to /oauth/authorize page if user is not authenticated? Some kind of a redirect to login page or similar?
Unfortunately I haven't found any configurations or tutorials for this use case.
Originally posted by @lampi87 at zfcampus/zf-oauth2#157
https://github.com/zfcampus/zf-oauth2/blob/master/data/db_oauth2.sql
https://github.com/zfcampus/zf-oauth2/blob/master/data/db_oauth2_postgresql.sql
Both scripts contain extra columns client_id & type in table oauth_scopes. And the primary key is missing.
The original DDL looks like this: https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Storage/Pdo.php#L519
Originally posted by @autowp at zfcampus/zf-oauth2#142
Hello,
I think there is a problem with username and password access.
I make this request to get a token:
```http
POST /oauth HTTP/1.1
Accept: application/json
Authorization: Basic dGVzdGNsaWVudDp0ZXN0cGFzcw==
Content-Type: application/json

{
    "grant_type": "password",
    "username": "testuser",
    "password": "testpass"
}
```
It works both ways and returns a token with or without the password!
Maybe I missed something?
Best regards,
Jérôme
Originally posted by @huggy06 at zfcampus/zf-oauth2#65
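An added example (not code from either post, nor from api-tools-oauth2 / zf-oauth2) serving two reports on this page: the BcryptTrait report, where checkPassword() is typed to take a string although it reads $user['password'], and the password-grant report above, where a token was issued with or without a password. It shows an array-typed checkPassword() and a user credential check that refuses an empty password before any hash comparison; class and method names are assumptions.

```php
<?php
// Added example, not code from the posts above or from api-tools-oauth2.
// Shows the array-typed checkPassword() the BcryptTrait report asks for and a
// password-grant user check that refuses an empty password, which is the
// behaviour the token request above should get. Names are illustrative only.

trait PasswordVerificationTrait
{
    // Compare a candidate password with a stored bcrypt hash.
    protected function verifyHash(string $password, string $hash): bool
    {
        return password_verify($password, $hash);
    }

    // $user is the user row fetched from storage (an array, not a string),
    // which is why the trait reads $user['password'].
    protected function checkPassword(array $user, string $password): bool
    {
        if ($password === '' || empty($user['password'])) {
            // An empty submitted password or an empty stored hash never matches.
            return false;
        }
        return $this->verifyHash($password, $user['password']);
    }
}

final class InMemoryUserStorage
{
    use PasswordVerificationTrait;

    /** @var array<string, array{username: string, password: string}> */
    private array $users;

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    // What the password grant calls: accept the user only if it exists and
    // the supplied password verifies against the stored hash.
    public function checkUserCredentials(string $username, string $password): bool
    {
        if (!isset($this->users[$username])) {
            return false;
        }
        return $this->checkPassword($this->users[$username], $password);
    }
}

// Constructed sample data: one user whose password is hashed at startup.
$storage = new InMemoryUserStorage([
    'testuser' => [
        'username' => 'testuser',
        'password' => password_hash('testpass', PASSWORD_BCRYPT),
    ],
]);
var_dump($storage->checkUserCredentials('testuser', 'testpass')); // correct password
var_dump($storage->checkUserCredentials('testuser', ''));         // missing password, as in the report
var_dump($storage->checkUserCredentials('nobody', 'testpass'));   // unknown user
```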
The phtml does not render error after clicking NO.
oauth/receivecode?error=access_denied&error_description=The+user+denied+access+to+your+application&state=xyz
Originally posted by @basz at zfcampus/zf-oauth2#97
Add missing start paragraph tag to the example link in the receive-code view template file so that the resulting HTML is well-structured again
Originally posted by @DamienHarwin at zfcampus/zf-oauth2#170