Commit 483d954

Add support for HTTP POST method on authorization endpoint (#242)
* Add support for HTTP POST method on authorization endpoint * Update request rules so as to check request params based on HTTP method * Change namespace for request rules * Get rid of GetClientFromRequestTrait --------- Co-authored-by: Marko Ivančić <[email protected]>
1 parent 00ef6b9 commit 483d954

87 files changed

+857
-734
lines changed


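--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -26,6 +26,7 @@
 - `consent` and `preprodwarning` are two authprocs that redirect for user interaction and are now supported
 - Uses SSP's ProcessingChain class for closer alignment with SAML IdP configuration.
 - Allows additional configuration of authprocs in the main `config.php` under key `authproc.oidc`
+- Authorization endpoint now also supports sending parameters using HTTP POST method, in addition to GET.
 
 ## New configuration options
 
@@ -73,6 +74,8 @@ has been refactored:
 - upgraded to v5 of lcobucci/jwt https://github.com/lcobucci/jwt
 - upgraded to v3 of laminas/laminas-diactoros https://github.com/laminas/laminas-diactoros
 - SimpleSAMLphp version used during development was bumped to v2.2
+- In Authorization Code Flow, a new validation was added which checks for 'openid' value in 'scope' parameter. Up to
+now, 'openid' value was dynamically added if not present. In Implicit Code Flow this validation was already present.
 
 # Version 4 to 5
 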
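--- a/routing/routes/routes.php
+++ b/routing/routes/routes.php
@@ -6,7 +6,6 @@
 
 declare(strict_types=1);
 
-use SimpleSAML\Module\oidc\Codebooks\HttpMethodsEnum;
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\Controller\AccessTokenController;
 use SimpleSAML\Module\oidc\Controller\AuthorizationController;
@@ -15,6 +14,7 @@
 use SimpleSAML\Module\oidc\Controller\Federation\EntityStatementController;
 use SimpleSAML\Module\oidc\Controller\JwksController;
 use SimpleSAML\Module\oidc\Controller\UserInfoController;
+use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
 /** @psalm-suppress InvalidArgument */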

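--- a/routing/services/services.yml
+++ b/routing/services/services.yml
@@ -36,8 +36,9 @@ services:
 resource: '../../src/Bridges/*'
 
 SimpleSAML\Module\oidc\ModuleConfig: ~
+SimpleSAML\Module\oidc\Helpers: ~
 SimpleSAML\Module\oidc\Forms\Controls\CsrfProtection: ~
-SimpleSAML\Module\oidc\Utils\Checker\RequestRulesManager:
+SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager:
 factory: ['@SimpleSAML\Module\oidc\Factories\RequestRulesManagerFactory', 'build']
 # Grants
 SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant: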

src/Codebooks/ClaimNamesEnum.php

-33
This file was deleted.

src/Codebooks/ClaimValues/ClientRegistrationTypesEnum.php

-11
This file was deleted.

src/Codebooks/ClaimValues/PublicKeyUseEnum.php

-11
This file was deleted.

src/Codebooks/ClaimValues/TypeEnum.php

-10
This file was deleted.

src/Codebooks/EntityTypeEnum.php

-12
This file was deleted.

src/Codebooks/ErrorsEnum.php

-16
This file was deleted.

src/Codebooks/HttpHeaderValues/ContentTypeEnum.php

-10
This file was deleted.

src/Codebooks/HttpHeadersEnum.php

-10
This file was deleted.

src/Codebooks/HttpMethodsEnum.php

-10
This file was deleted.

src/Codebooks/ScopesEnum.php

-15
This file was deleted.

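--- a/src/Controller/Federation/EntityStatementController.php
+++ b/src/Controller/Federation/EntityStatementController.php
@@ -4,20 +4,21 @@
 
 namespace SimpleSAML\Module\oidc\Controller\Federation;
 
-use SimpleSAML\Module\oidc\Codebooks\ClaimNamesEnum;
-use SimpleSAML\Module\oidc\Codebooks\ClaimValues\ClientRegistrationTypesEnum;
-use SimpleSAML\Module\oidc\Codebooks\ClaimValues\TypeEnum;
-use SimpleSAML\Module\oidc\Codebooks\EntityTypeEnum;
-use SimpleSAML\Module\oidc\Codebooks\ErrorsEnum;
-use SimpleSAML\Module\oidc\Codebooks\HttpHeadersEnum;
-use SimpleSAML\Module\oidc\Codebooks\HttpHeaderValues\ContentTypeEnum;
 use SimpleSAML\Module\oidc\Codebooks\RoutesEnum;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\ClientRepository;
 use SimpleSAML\Module\oidc\Services\JsonWebKeySetService;
 use SimpleSAML\Module\oidc\Services\JsonWebTokenBuilderService;
 use SimpleSAML\Module\oidc\Services\OpMetadataService;
 use SimpleSAML\Module\oidc\Utils\TimestampGenerator;
+use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
+use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
+use SimpleSAML\OpenID\Codebooks\ContentTypeEnum;
+use SimpleSAML\OpenID\Codebooks\EntityTypeEnum;
+use SimpleSAML\OpenID\Codebooks\ErrorsEnum;
+use SimpleSAML\OpenID\Codebooks\HttpHeadersEnum;
+use SimpleSAML\OpenID\Codebooks\JwtTypeEnum;
+use SimpleSAML\OpenID\Codebooks\RequestAuthenticationMethodsEnum;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -41,29 +42,29 @@ public function __construct(
 public function configuration(): Response
 {
 $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-->withHeader(ClaimNamesEnum::Type->value, TypeEnum::EntityStatementJwt->value)
+->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
 ->relatedTo($this->moduleConfig->getIssuer()) // This is entity configuration (statement about itself).
 ->expiresAt(
 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
 )->withClaim(
-ClaimNamesEnum::JsonWebKeySet->value,
+ClaimsEnum::Jwks->value,
 ['keys' => array_values($this->jsonWebKeySetService->federationKeys()),],
 )
 ->withClaim(
-ClaimNamesEnum::Metadata->value,
+ClaimsEnum::Metadata->value,
 [
 EntityTypeEnum::FederationEntity->value => [
 // Common https://openid.net/specs/openid-federation-1_0.html#name-common-metadata-parameters
 ...(array_filter(
 [
-ClaimNamesEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(),
-ClaimNamesEnum::Contacts->value => $this->moduleConfig->getContacts(),
-ClaimNamesEnum::LogoUri->value => $this->moduleConfig->getLogoUri(),
-ClaimNamesEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(),
-ClaimNamesEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
+ClaimsEnum::OrganizationName->value => $this->moduleConfig->getOrganizationName(),
+ClaimsEnum::Contacts->value => $this->moduleConfig->getContacts(),
+ClaimsEnum::LogoUri->value => $this->moduleConfig->getLogoUri(),
+ClaimsEnum::PolicyUri->value => $this->moduleConfig->getPolicyUri(),
+ClaimsEnum::HomepageUri->value => $this->moduleConfig->getHomepageUri(),
 ],
 )),
-ClaimNamesEnum::FederationFetchEndpoint->value =>
+ClaimsEnum::FederationFetchEndpoint->value =>
 $this->moduleConfig->getModuleUrl(RoutesEnum::OpenIdFederationFetch->value),
 // TODO mivanci Add when ready. Use ClaimsEnum for keys.
 // https://openid.net/specs/openid-federation-1_0.html#name-federation-entity
@@ -78,12 +79,20 @@ public function configuration(): Response
 //'jwks_uri',
 //'jwks',
 ],
-// OP metadata with federation related claims.
+// OP metadata with additional federation related claims.
 EntityTypeEnum::OpenIdProvider->value => [
 ...$this->opMetadataService->getMetadata(),
-ClaimNamesEnum::ClientRegistrationTypesSupported->value => [
+ClaimsEnum::ClientRegistrationTypesSupported->value => [
 ClientRegistrationTypesEnum::Automatic->value,
 ],
+ClaimsEnum::RequestAuthenticationMethodsSupported->value => [
+ClaimsEnum::AuthorizationEndpoint->value => [
+RequestAuthenticationMethodsEnum::RequestObject->value,
+],
+],
+ClaimsEnum::RequestAuthenticationSigningAlgValuesSupported->value => [
+$this->moduleConfig->getProtocolSigner()->algorithmId(),
+],
 ],
 ],
 );
@@ -92,7 +101,7 @@ public function configuration(): Response
 is_array($authorityHints = $this->moduleConfig->getFederationAuthorityHints()) &&
 (!empty($authorityHints))
 ) {
-$builder = $builder->withClaim(ClaimNamesEnum::AuthorityHints->value, $authorityHints);
+$builder = $builder->withClaim(ClaimsEnum::AuthorityHints->value, $authorityHints);
 }
 
 // Remaining claims, add if / when ready.
@@ -114,12 +123,12 @@ public function configuration(): Response
 
 public function fetch(Request $request): Response
 {
-$issuer = $request->query->get(ClaimNamesEnum::Issuer->value);
+$issuer = $request->query->get(ClaimsEnum::Iss->value);
 
 if (empty($issuer)) {
 return $this->prepareJsonErrorResponse(
 ErrorsEnum::InvalidRequest->value,
-sprintf('Missing parameter %s', ClaimNamesEnum::Issuer->value),
+sprintf('Missing parameter %s', ClaimsEnum::Iss->value),
 400,
 );
 }
@@ -134,12 +143,12 @@ public function fetch(Request $request): Response
 );
 }
 
-$subject = $request->query->get(ClaimNamesEnum::Subject->value);
+$subject = $request->query->get(ClaimsEnum::Sub->value);
 
 if (empty($subject)) {
 return $this->prepareJsonErrorResponse(
 ErrorsEnum::InvalidRequest->value,
-sprintf('Missing parameter %s', ClaimNamesEnum::Subject->value),
+sprintf('Missing parameter %s', ClaimsEnum::Sub->value),
 400,
 );
 }
@@ -165,28 +174,28 @@ public function fetch(Request $request): Response
 }
 
 $builder = $this->jsonWebTokenBuilderService->getFederationJwtBuilder()
-->withHeader(ClaimNamesEnum::Type->value, TypeEnum::EntityStatementJwt->value)
+->withHeader(ClaimsEnum::Typ->value, JwtTypeEnum::EntityStatementJwt->value)
 ->relatedTo($subject)
 ->expiresAt(
 (TimestampGenerator::utcImmutable())->add($this->moduleConfig->getFederationEntityStatementDuration()),
 )->withClaim(
-ClaimNamesEnum::JsonWebKeySet->value,
+ClaimsEnum::Jwks->value,
 $jwks,
 )
 ->withClaim(
-ClaimNamesEnum::Metadata->value,
+ClaimsEnum::Metadata->value,
 [
 EntityTypeEnum::OpenIdRelyingParty->value => [
-ClaimNamesEnum::ClientName->value => $client->getName(),
-ClaimNamesEnum::ClientId->value => $client->getIdentifier(),
-ClaimNamesEnum::RedirectUris->value => $client->getRedirectUris(),
-ClaimNamesEnum::Scope->value => implode(' ', $client->getScopes()),
-ClaimNamesEnum::ClientRegistrationTypes->value => $client->getClientRegistrationTypes(),
+ClaimsEnum::ClientName->value => $client->getName(),
+ClaimsEnum::ClientId->value => $client->getIdentifier(),
+ClaimsEnum::RedirectUris->value => $client->getRedirectUris(),
+ClaimsEnum::Scope->value => implode(' ', $client->getScopes()),
+ClaimsEnum::ClientRegistrationTypes->value => $client->getClientRegistrationTypes(),
 // Optional claims...
 ...(array_filter(
 [
-ClaimNamesEnum::BackChannelLogoutUri->value => $client->getBackChannelLogoutUri(),
-ClaimNamesEnum::PostLogoutRedirectUris->value => $client->getPostLogoutRedirectUri(),
+ClaimsEnum::BackChannelLogoutUri->value => $client->getBackChannelLogoutUri(),
+ClaimsEnum::PostLogoutRedirectUris->value => $client->getPostLogoutRedirectUri(),
 ],
 )),
 // TODO mivanci Continue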
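Review bot: In the `configuration()` hunk at `@@ -78,12 +79,20 @@`, the new `ClaimsEnum::RequestAuthenticationSigningAlgValuesSupported` entry is filled from `$this->moduleConfig->getProtocolSigner()->algorithmId()`, which looks like the OP's own signing algorithm, whereas this metadata claim tells RPs which algorithms the OP will accept on request objects they sign; if the request-object verification code (not in this diff) accepts a different or wider set, the advertised metadata and the enforced policy drift apart. A why-comment would make the coupling explicit, e.g. `// Signed request objects from RPs are accepted only with the OP's own protocol signing algorithm.`. Since `...$this->opMetadataService->getMetadata()` is spread first, the federation keys added below it silently override any same-named key from the generic OP metadata, which also deserves a one-line comment. `configuration()` begins in the previous hunk and continues past this one.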
