Comments (11)
After more investigation, what if we just pass some data about the request to `getSupportedScopes`? In this case, `getSupportedScopes` would just return a list of valid scopes depending on the `grant_type`, the `client_id` or some other info?
from oauth2-server-php.
Hmm. But the problem with the "simple" approach is that we will not be able to get the `client_id` and other request info in the case of the JWT grant type. In this case, we will only be able to get the `grant_type` and `assertion`, as the JWT is only decoded in the `JWTBearer` grant type.
So perhaps we do need a `validateScope()`, but we pass `$request` and the result of `getTokenDataFromRequest` to it.
I like your thinking. My original thought was to use `getSupportedScopes` as a way to find the valid ones on a client/user basis.
`getClientDataFromRequest` in the JWT grant type returns `client_id`. Shouldn't we be able to use this?
Yes! That's what we need! I must have missed `getClientDataFromRequest()` when I was looking at the code yesterday :p
How about passing `$request` to `getSupportedScopes()` as well? Or do you think we should do a bit of refactoring to include the `grant_type` in the array returned by `getClientDataFromRequest()`?
`$request` is bulky. Let's avoid passing it unless it makes sense. I would prefer to stick to `$user_id`, `$client_id`, and `$scope` if possible.
In fact, we can get rid of `getScopeFromRequest`... that was mainly just a convenience method I wrote, but I see no reason why that needs to be in there, as that should never require custom logic.
Another thought: while we are at it, do you think we should also pass those things to `getDefaultScope()`? We can increase the flexibility by allowing different default scopes for different `client_id`s and `user_id`s etc.
The reason I considered passing `$request` is that it would be quite useful if we want to return different scopes depending on the `grant_type`. Is there any other way to get the `grant_type` without having to use `$request`?
If you want that level of complexity, you could inject the request into the scope object before passing it to the server.
That's a good idea! Since custom Scopes can be implemented by using the `ScopeInterface`, things are quite customizable. :)
Closed with the merging of PR #66
Since we added `$client_id` to `getSupportedScopes()`, it would have made sense to pass it to `getDefaultScope()` too.
If all scopes depend on the client, then so does the default scope.
(I solved this in my implementation by injecting the value into the constructor.)
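The thread above settles on three ideas: scope lookups keyed by `$client_id`, a per-client default scope, and injecting request data into the scope object when grant-type-aware policy is needed. The following is an added example, not code from oauth2-server-php or from any participant in this thread, showing what such a scope object looks like as a stand-alone PHP class. The class name `PerClientScopePolicy`, the array-shaped `$request`, the sample client configuration and the `validateScope()` helper are all assumptions for illustration; the method names mirror those discussed above, but check the `ScopeInterface` shipped with your library version before wiring this in, since its exact signatures may differ.

```php
<?php
// Added example (not part of oauth2-server-php): a per-client scope policy
// that mirrors the method names discussed in the thread. Everything here,
// including the request array and sample clients, is constructed for the demo.

final class PerClientScopePolicy
{
    /** @var array<string, string[]> constructed sample data: client_id => allowed scopes */
    private array $supportedByClient;

    /** @var array<string, string> constructed sample data: client_id => default scope */
    private array $defaultByClient;

    /** @var array<string, mixed>|null request data injected before the server is built */
    private ?array $request;

    public function __construct(array $supportedByClient, array $defaultByClient, ?array $request = null)
    {
        $this->supportedByClient = $supportedByClient;
        $this->defaultByClient = $defaultByClient;
        $this->request = $request;
    }

    // Scopes a given client may ever be granted. An unknown client_id yields
    // an empty list, so a misconfigured client fails closed, not open.
    public function getSupportedScopes(string $clientId): array
    {
        $scopes = $this->supportedByClient[$clientId] ?? [];

        // Grant-type-aware narrowing via the injected request (the "inject the
        // request into the scope object" idea above): a client_credentials
        // grant has no resource owner, so user-bound scopes are dropped.
        if (($this->request['grant_type'] ?? null) === 'client_credentials') {
            $scopes = array_values(array_diff($scopes, ['profile', 'email']));
        }

        return $scopes;
    }

    // Default scope used when the request omits one; keyed by client, as the
    // last comment argues. Falls back to no scope rather than a global default.
    public function getDefaultScope(string $clientId): string
    {
        return $this->defaultByClient[$clientId] ?? '';
    }

    // Every requested scope must be supported for this client. Returns the
    // rejected scopes so the caller can raise invalid_scope without revealing
    // which other scopes exist in the system.
    public function validateScope(string $clientId, string $requested): array
    {
        $requestedList = array_filter(explode(' ', $requested), 'strlen');
        $supported = $this->getSupportedScopes($clientId);

        return array_values(array_diff($requestedList, $supported));
    }
}

// Constructed sample configuration: two clients with different allow-lists.
$policy = new PerClientScopePolicy(
    [
        'web-app'   => ['openid', 'profile', 'email', 'orders:read'],
        'batch-job' => ['orders:read', 'profile'],
    ],
    [
        'web-app'   => 'openid',
        'batch-job' => 'orders:read',
    ],
    ['grant_type' => 'client_credentials'] // injected request data, constructed
);

// Each call prints the list of rejected scopes (empty means the request is acceptable).
print_r($policy->validateScope('web-app', 'openid orders:read'));
print_r($policy->validateScope('web-app', 'openid orders:write'));
print_r($policy->validateScope('batch-job', 'profile'));
var_dump($policy->getDefaultScope('unknown-client'));
```

Two design points carry the security weight. Looking up scopes by `client_id` with an empty-list fallback means a client that is missing from configuration can never obtain a token with any scope, which is the least-privilege outcome. Keeping the request data inside the scope object, rather than threading `$request` through every interface method, keeps the interface as narrow as the thread wanted (`$user_id`, `$client_id`, `$scope`) while still allowing a `grant_type`-dependent policy where one is genuinely needed.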