Merge pull request #12 from flownative/bugfix-authorization-reuse

Authorization ID must not be deterministic for authorization code flow

Author: robertlemke

Classes/Authorization.php

@@ -14,9 +14,12 @@
  */
 
 use Doctrine\ORM\Mapping as ORM;
+use Exception;
+use JsonException;
 use League\OAuth2\Client\Token\AccessToken;
 use League\OAuth2\Client\Token\AccessTokenInterface;
 use Neos\Flow\Annotations as Flow;
+use Ramsey\Uuid\Uuid;
 
 /**
  * An OAuth2 Authorization
@@ -45,12 +48,6 @@ class Authorization
      */
     protected $clientId;
 
-    /**
-     * @var string
-     * @ORM\Column(nullable = true, length=5000)
-     */
-    protected $clientSecret;
-
     /**
      * @var string
      */
@@ -62,38 +59,59 @@ class Authorization
     protected $scope;
 
     /**
-     * @var array
-     * @ORM\Column(type="json_array", nullable = true)
+     * @var string
+     * @ORM\Column(nullable = true, type = "text")
      */
     protected $serializedAccessToken;
 
     /**
+     * @param string $authorizationId
      * @param string $serviceName
      * @param string $clientId
      * @param string $grantType
      * @param string $scope
      */
-    public function __construct(string $serviceName, string $clientId, string $grantType, string $scope)
+    public function __construct(string $authorizationId, string $serviceName, string $clientId, string $grantType, string $scope)
     {
-        $this->authorizationId = self::calculateAuthorizationId($serviceName, $clientId, $scope, $grantType);
+        $this->authorizationId = $authorizationId;
         $this->serviceName = $serviceName;
         $this->clientId = $clientId;
         $this->grantType = $grantType;
         $this->scope = $scope;
     }
 
+    /**
+     * Calculate an authorization identifier (for this model) from the given parameters.
+     *
+     * @param string $serviceType
+     * @param string $serviceName
+     * @param string $clientId
+     * @return string
+     * @throws OAuthClientException
+     */
+    public static function generateAuthorizationIdForAuthorizationCodeGrant(string $serviceType, string $serviceName, string $clientId): string
+    {
+        try {
+            return $serviceType . '-' . $serviceName . '-' . Uuid::uuid4()->toString();
+        // @codeCoverageIgnoreStart
+        } catch (Exception $e) {
+            throw new OAuthClientException(sprintf('Failed generating authorization id for %s %s', $serviceName, $clientId), 1597311416, $e);
+        }
+        // @codeCoverageIgnoreEnd
+    }
+
     /**
      * Calculate an authorization identifier (for this model) from the given parameters.
      *
      * @param string $serviceName
      * @param string $clientId
+     * @param string $clientSecret
      * @param string $scope
-     * @param string $grantType
      * @return string
      */
-    public static function calculateAuthorizationId(string $serviceName, string $clientId, string $scope, string $grantType): string
+    public static function generateAuthorizationIdForClientCredentialsGrant(string $serviceName, string $clientId, string $clientSecret, string $scope): string
     {
-        return sha1($serviceName . $clientId . $scope. $grantType);
+        return hash('sha512', $serviceName . $clientId . $clientSecret . $scope . self::GRANT_CLIENT_CREDENTIALS);
     }
 
     /**
@@ -120,22 +138,6 @@ public function getClientId(): string
         return $this->clientId;
     }
 
-    /**
-     * @param string $clientSecret
-     */
-    public function setClientSecret(string $clientSecret): void
-    {
-        $this->clientSecret = $clientSecret;
-    }
-
-    /**
-     * @return string
-     */
-    public function getClientSecret(): string
-    {
-        return $this->clientSecret;
-    }
-
     /**
      * @return string
      */
@@ -162,35 +164,49 @@ public function setScope(string $scope): void
     }
 
     /**
-     * @return array
+     * @return string
      */
-    public function getSerializedAccessToken(): array
+    public function getSerializedAccessToken(): string
     {
-        return $this->serializedAccessToken ?? [];
+        return $this->serializedAccessToken ?? '';
     }
 
     /**
-     * @param array $serializedAccessToken
+     * @param string $serializedAccessToken
      */
-    public function setSerializedAccessToken(array $serializedAccessToken): void
+    public function setSerializedAccessToken(string $serializedAccessToken): void
     {
         $this->serializedAccessToken = $serializedAccessToken;
     }
 
     /**
      * @param AccessTokenInterface $accessToken
      * @return void
+     * @throws \InvalidArgumentException
      */
     public function setAccessToken(AccessTokenInterface $accessToken): void
     {
-        $this->serializedAccessToken = $accessToken->jsonSerialize();
+        try {
+            $this->serializedAccessToken = json_encode($accessToken, JSON_THROW_ON_ERROR, 512);
+            // @codeCoverageIgnoreStart
+        } catch (JsonException $e) {
+            throw new \InvalidArgumentException('Failed serializing the given access token', 1602515717);
+            // @codeCoverageIgnoreEnd
+        }
     }
 
     /**
      * @return AccessToken
      */
     public function getAccessToken(): ?AccessToken
     {
-        return !empty($this->serializedAccessToken) ? new AccessToken($this->serializedAccessToken) : null;
+        try {
+            if (!empty($this->serializedAccessToken)) {
+                $unserializedAccessToken = json_decode($this->serializedAccessToken, true, 512, JSON_THROW_ON_ERROR);
+                return new AccessToken($unserializedAccessToken);
+            }
+        } catch (JsonException $e) {
+        }
+        return null;
     }
 }

Classes/Controller/OAuthController.php

@@ -3,8 +3,8 @@
 
 use Flownative\OAuth2\Client\OAuthClient;
 use Flownative\OAuth2\Client\OAuthClientException;
+use GuzzleHttp\Psr7\Uri;
 use Neos\Flow\Annotations\CompileStatic;
-use Neos\Flow\Http\Uri;
 use Neos\Flow\Mvc\Controller\ActionController;
 use Neos\Flow\Mvc\Exception\StopActionException;
 use Neos\Flow\Mvc\Exception\UnsupportedRequestTypeException;

Classes/OAuthClient.php

@@ -6,12 +6,10 @@
 use Doctrine\ORM\ORMException;
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\GuzzleException;
-use GuzzleHttp\Psr7\Request;
 use GuzzleHttp\Psr7\Response;
 use GuzzleHttp\Psr7\Uri;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 use League\OAuth2\Client\Provider\GenericProvider;
-use League\OAuth2\Client\Token\AccessTokenInterface;
 use League\OAuth2\Client\Tool\RequestFactory;
 use Neos\Cache\Exception;
 use Neos\Cache\Frontend\VariableFrontend;
@@ -39,7 +37,7 @@ abstract class OAuthClient
      *
      * @const string
      */
-    public const AUTHORIZATION_ID_QUERY_PARAMETER_NAME = 'flownative_oauth2_authorization_id';
+    public const AUTHORIZATION_ID_QUERY_PARAMETER_NAME_PREFIX = 'flownative_oauth2_authorization_id';
 
     /**
      * @var string
@@ -124,14 +122,14 @@ public function injectEntityManager(EntityManagerInterface $entityManager): void
     /**
      * Returns the service type, i.e. a specific implementation of this client to use
      *
-     * @return string For example, "FlownativeBeach", "oidc", ...
+     * @return string For example, "Github", "oidc", ...
      */
     abstract public function getServiceType(): string;
 
     /**
      * Returns the service name, i.e. something like an instance name of the concrete implementation of this client
      *
-     * @return string For example, "Github", "MySpecialService", ...
+     * @return string For example, "SpecificGithubConnection", "MySpecialService", ...
      */
     public function getServiceName(): string
     {
@@ -199,25 +197,36 @@ public function getRequestFactory(): RequestFactory
     }
 
     /**
-     * Requests an access token using a specified grant type.
+     * Generates the URL query parameter name which is used for passing the authorization id of a
+     * finishing authorization to Flow (via the "Return URL").
      *
-     * This method is usually used using the OAuth Client Credentials Flow for machine-to-machine applications.
-     * Therefore the grant type is usually Authorization::GRANT_CLIENT_CREDENTIALS. You need to specify the
+     * @param string $serviceType "Class" of the of the service, for example, "Github", "oidc", ...
+     * @return string
+     */
+    public static function generateAuthorizationIdQueryParameterName(string $serviceType): string
+    {
+        return self::AUTHORIZATION_ID_QUERY_PARAMETER_NAME_PREFIX . '_' . $serviceType;
+    }
+
+    /**
+     * Requests an access token.
+     *
+     * This method is used using the OAuth Client Credentials Flow for machine-to-machine applications.
+     * Therefore the grant type must be Authorization::GRANT_CLIENT_CREDENTIALS. You need to specify the
      * client identifier and client secret and may optionally specify a scope.
      *
      * @param string $serviceName
      * @param string $clientId Client ID
      * @param string $clientSecret Client Secret
      * @param string $scope Scope which may consist of multiple identifiers, separated by comma
-     * @param string $grantType One of the Authorization::GRAND_* constants
      * @param array $additionalParameters Additional parameters to provide in the request body while requesting the token. For example ['audience' => 'https://www.example.com/api/v1']
      * @return void
      * @throws IdentityProviderException
      */
-    public function requestAccessToken(string $serviceName, string $clientId, string $clientSecret, string $scope, string $grantType, array $additionalParameters = []): void
+    public function requestAccessToken(string $serviceName, string $clientId, string $clientSecret, string $scope,  array $additionalParameters = []): void
     {
-        $authorizationId = Authorization::calculateAuthorizationId($serviceName, $clientId, $scope, $grantType);
-        $this->logger->info(sprintf('OAuth (%s): Retrieving access token using %s grant for client "%s" using a %s bytes long secret. (authorization id: %s)', $this->getServiceType(), $grantType, $clientId, strlen($clientSecret), $authorizationId));
+        $authorizationId = Authorization::generateAuthorizationIdForClientCredentialsGrant($serviceName, $clientId, $clientSecret, $scope);
+        $this->logger->info(sprintf('OAuth (%s): Retrieving access token using client credentials grant for client "%s" using a %s bytes long secret. (authorization id: %s)', $this->getServiceType(), $clientId, strlen($clientSecret), $authorizationId));
 
         $existingAuthorization = $this->getAuthorization($authorizationId);
         if ($existingAuthorization !== null) {
@@ -227,8 +236,9 @@ public function requestAccessToken(string $serviceName, string $clientId, string
             $this->logger->info(sprintf('OAuth (%s): Removed old OAuth token for client "%s". (authorization id: %s)', $this->getServiceType(), $clientId, $authorizationId));
         }
 
-        $accessToken = $this->createOAuthProvider($clientId, $clientSecret)->getAccessToken($grantType, $additionalParameters);
-        $authorization = $this->createNewAuthorization($serviceName, $clientId, $scope, $grantType, $accessToken);
+        $accessToken = $this->createOAuthProvider($clientId, $clientSecret)->getAccessToken(Authorization::GRANT_CLIENT_CREDENTIALS, $additionalParameters);
+        $authorization = new Authorization($authorizationId, $serviceName, $clientId, Authorization::GRANT_CLIENT_CREDENTIALS, $scope);
+        $authorization->setAccessToken($accessToken);
 
         $this->logger->info(sprintf('OAuth (%s): Persisted new OAuth authorization %s for client "%s" with expiry time %s. (authorization id: %s)', $this->getServiceType(), $authorizationId, $clientId, $accessToken->getExpires(), $authorizationId));
 
@@ -248,15 +258,15 @@ public function requestAccessToken(string $serviceName, string $clientId, string
      */
     public function startAuthorization(string $clientId, string $clientSecret, UriInterface $returnToUri, string $scope): UriInterface
     {
-        $authorization = new Authorization($this->getServiceType(), $clientId, Authorization::GRANT_AUTHORIZATION_CODE, $scope);
+        $authorizationId = Authorization::generateAuthorizationIdForAuthorizationCodeGrant($this->getServiceType(), $this->getServiceName(), $clientId);
+        $authorization = new Authorization($authorizationId, $this->getServiceType(), $clientId, Authorization::GRANT_AUTHORIZATION_CODE, $scope);
         $this->logger->info(sprintf('OAuth (%s): Starting authorization %s using client id "%s", a %s bytes long secret and scope "%s".', $this->getServiceType(), $authorization->getAuthorizationId(), $clientId, strlen($clientSecret), $scope));
 
         try {
             $oldAuthorization = $this->entityManager->find(Authorization::class, $authorization->getAuthorizationId());
             if ($oldAuthorization !== null) {
                 $authorization = $oldAuthorization;
             }
-            $authorization->setClientSecret($clientSecret);
             $this->entityManager->persist($authorization);
             $this->entityManager->flush();
         } catch (ORMException $exception) {
@@ -315,6 +325,10 @@ public function finishAuthorization(string $stateIdentifier, string $code, strin
                 throw new OAuthClientException(sprintf('OAuth2 (%s): Finishing authorization failed because authorization %s could not be retrieved from the database.', $this->getServiceType(), $authorizationId), 1568710771);
             }
 
+            if ($authorization->getGrantType() !== Authorization::GRANT_AUTHORIZATION_CODE) {
+                throw new OAuthClientException(sprintf('OAuth2 (%s): Finishing authorization failed because authorization %s does not have the authorization code flow type!', $this->getServiceType(), $authorizationId), 1597312780);
+            }
+
             $this->logger->debug(sprintf('OAuth (%s): Retrieving an OAuth access token for authorization "%s" in exchange for the code %s', $this->getServiceType(), $authorizationId, str_repeat('*', strlen($code) - 3) . substr($code, -3, 3)));
             $accessToken = $oAuthProvider->getAccessToken(Authorization::GRANT_AUTHORIZATION_CODE, ['code' => $code]);
             $this->logger->info(sprintf('OAuth (%s): Persisting OAuth token for authorization "%s" with expiry time %s.', $this->getServiceType(), $authorizationId, $accessToken->getExpires()));
@@ -333,7 +347,7 @@ public function finishAuthorization(string $stateIdentifier, string $code, strin
         }
 
         $returnToUri = new Uri($stateFromCache['returnToUri']);
-        $returnToUri = $returnToUri->withQuery(trim($returnToUri->getQuery() . '&' . self::AUTHORIZATION_ID_QUERY_PARAMETER_NAME . '=' . $authorizationId, '&'));
+        $returnToUri = $returnToUri->withQuery(trim($returnToUri->getQuery() . '&' . self::generateAuthorizationIdQueryParameterName($this->getServiceType()) . '=' . $authorizationId, '&'));
 
         $this->logger->debug(sprintf('OAuth (%s): Finished authorization "%s", $returnToUri is %s.', $this->getServiceType(), $authorizationId, $returnToUri));
         return $returnToUri;
@@ -350,11 +364,13 @@ public function finishAuthorization(string $stateIdentifier, string $code, strin
      */
     public function refreshAuthorization(string $authorizationId, string $clientId, string $returnToUri): string
     {
+        throw new OAuthClientException('refreshAuthorization is currently not implemented', 1602519541);
+
         $authorization = $this->entityManager->find(Authorization::class, ['authorizationId' => $authorizationId]);
         if (!$authorization instanceof Authorization) {
             throw new OAuthClientException(sprintf('OAuth2: Could not refresh OAuth token because authorization %s was not found in our database.', $authorization), 1505317044316);
         }
-        $oAuthProvider = $this->createOAuthProvider($clientId, $authorization->getClientSecret());
+        $oAuthProvider = $this->createOAuthProvider($clientId, $authorization->getClientSecret()); // FIXME
 
         $this->logger->info(sprintf('OAuth (%s): Refreshing authorization %s for client "%s" using a %s bytes long secret and refresh token "%s".', $this->getServiceType(), $authorizationId, $clientId, strlen($authorization->getClientSecret()), $authorization->refreshToken));
 
@@ -375,6 +391,8 @@ public function refreshAuthorization(string $authorizationId, string $clientId,
     }
 
     /**
+     * Returns the specified Authorization record, if it exists
+     *
      * @param string $authorizationId
      * @return Authorization|null
      */
@@ -463,23 +481,6 @@ public function renderFinishAuthorizationUri(): string
         }
     }
 
-    /**
-     * Create a new OAuthToken instance
-     *
-     * @param string $serviceName
-     * @param string $clientId
-     * @param string $scope
-     * @param string $grantType
-     * @param AccessTokenInterface $accessToken
-     * @return Authorization
-     */
-    protected function createNewAuthorization(string $serviceName, string $clientId, string $scope, string $grantType, AccessTokenInterface $accessToken): Authorization
-    {
-        $authorization = new Authorization($serviceName, $clientId, $grantType, $scope);
-        $authorization->setAccessToken($accessToken);
-        return $authorization;
-    }
-
     /**
      * @param string $clientId
      * @param string $clientSecret