
Validate confidential clients and determine if the client handles the grant type #1420

Open: wants to merge 8 commits into base: master

Conversation

@hafezdivandari (Contributor) commented Jun 30, 2024

Fixes #1174
Fixes #1369
Fixes #1073
Closes #1036

This PR can be considered a security enhancement and makes 2 main changes:

  1. Validate confidential clients:
  2. New ClientEntityInterface::hasGrantType() function:
    • RFC 6749 section 5.2
    • Fixes Add Unauthorized_Client support #1174
    • This function is implemented on ClientTrait and returns true by default to avoid BC-breaking changes.
    • Currently there is no way to check if the client handles the grant type before proceeding with the request, e.g. we don't want to make an auth code on the "auth code grant", or make a device code on the "device code auth" grant, or respond with the access token on the "implicit token" grant if the specified client doesn't handle the grant type. This PR makes it possible to avoid handling the requested grant type if the specified client doesn't support it.
    • It also makes it possible for us to disable issuing a refresh token if the client doesn't handle this grant.
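
The gating described in the comment above, written out as an added, self-contained PHP example (not code from this PR or from league/oauth2-server). The interface, trait and class names here are stand-ins that mirror the described design: a `hasGrantType()` method whose trait default returns `true`, a client that overrides it with an allow-list, a check that rejects an unauthenticated confidential client with `invalid_client` and a client that does not handle the grant with `unauthorized_client` (the RFC 6749 section 5.2 error codes) before any code or token is produced, and a refresh-token issuance gate keyed on the `refresh_token` grant. `OAuthError`, `assertClientMayUseGrant()` and `shouldIssueRefreshToken()` are hypothetical helpers; the sample clients are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Stand-in for the client entity interface this PR extends (assumption, not the library's file).
interface ClientEntityInterface
{
    public function getIdentifier(): string;
    public function isConfidential(): bool;
    public function hasGrantType(string $grantType): bool;
}

// Mirrors the PR's backwards-compatible default: a client that does not override
// hasGrantType() is treated as handling every grant type.
trait ClientTrait
{
    public function hasGrantType(string $grantType): bool
    {
        return true;
    }
}

// A client that relies on the trait default (behaves as before the change).
final class LegacyClient implements ClientEntityInterface
{
    use ClientTrait;

    public function __construct(private string $id, private bool $confidential) {}
    public function getIdentifier(): string { return $this->id; }
    public function isConfidential(): bool { return $this->confidential; }
}

// A client that restricts itself to an explicit allow-list of grant types.
final class RestrictedClient implements ClientEntityInterface
{
    use ClientTrait;

    /** @param list<string> $grantTypes grant type names as used in the token request */
    public function __construct(private string $id, private bool $confidential, private array $grantTypes) {}
    public function getIdentifier(): string { return $this->id; }
    public function isConfidential(): bool { return $this->confidential; }

    public function hasGrantType(string $grantType): bool
    {
        return in_array($grantType, $this->grantTypes, true);
    }
}

// Hypothetical error carrying an RFC 6749 section 5.2 error code.
final class OAuthError extends RuntimeException
{
    public function __construct(public readonly string $error, string $description)
    {
        parent::__construct($description);
    }
}

// Hypothetical gate to run before a grant issues any code or token:
// confidential clients must have authenticated, and the client must handle the grant.
function assertClientMayUseGrant(ClientEntityInterface $client, bool $clientAuthenticated, string $grantType): void
{
    if ($client->isConfidential() && !$clientAuthenticated) {
        throw new OAuthError('invalid_client', 'Client authentication failed');
    }
    if (!$client->hasGrantType($grantType)) {
        throw new OAuthError('unauthorized_client', 'The client is not authorized to use grant type "' . $grantType . '"');
    }
}

// Hypothetical gate for refresh-token issuance: only clients that handle the
// refresh_token grant get a refresh token alongside the access token.
function shouldIssueRefreshToken(ClientEntityInterface $client): bool
{
    return $client->hasGrantType('refresh_token');
}

// Constructed sample clients for the demonstration.
$legacy = new LegacyClient('legacy-app', true);
$spa = new RestrictedClient('spa', false, ['authorization_code']);

// Legacy client, authenticated: passes for any grant, and still gets a refresh token.
assertClientMayUseGrant($legacy, true, 'client_credentials');
echo $legacy->getIdentifier(), ' refresh token: ', var_export(shouldIssueRefreshToken($legacy), true), PHP_EOL;

// Restricted public client asking for a grant it does not handle: rejected before any token is made.
try {
    assertClientMayUseGrant($spa, false, 'client_credentials');
} catch (OAuthError $e) {
    echo $spa->getIdentifier(), ': ', $e->error, ' (', $e->getMessage(), ')', PHP_EOL;
}
echo $spa->getIdentifier(), ' refresh token: ', var_export(shouldIssueRefreshToken($spa), true), PHP_EOL;

// Confidential client without credentials: rejected as invalid_client regardless of grant.
try {
    assertClientMayUseGrant($legacy, false, 'authorization_code');
} catch (OAuthError $e) {
    echo $legacy->getIdentifier(), ': ', $e->error, PHP_EOL;
}
```

The order of the two checks matters: client authentication is verified first, so an unauthenticated caller cannot probe which grant types a confidential client is configured for by observing `invalid_client` versus `unauthorized_client` responses.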

@hafezdivandari hafezdivandari changed the title Always validate client Always validate the client and determine if it handles the grant type Oct 1, 2024
@hafezdivandari hafezdivandari mentioned this pull request Oct 10, 2024
@hafezdivandari hafezdivandari changed the title Always validate the client and determine if it handles the grant type Validate confidential clients and determine if the client handles the grant type Oct 18, 2024