mezzio / mezzio-authentication-oauth2

OAuth2 (server) authentication middleware for Mezzio and PSR-7 applications.

Home Page: https://docs.mezzio.dev/mezzio-authentication-oauth2/

License: BSD 3-Clause "New" or "Revised" License

PHP 100.00%
oauth2 authentication authentication-middleware

mezzio-authentication-oauth2's Introduction

mezzio

Develop PSR-7 middleware applications in minutes!

mezzio builds on laminas-stratigility to provide a minimalist PSR-7 middleware framework for PHP, with the following features:

Installation

We provide two ways to install Mezzio, both using Composer: via our skeleton project and installer, or manually.

Using the skeleton + installer

The simplest way to install and get started is using the skeleton project, which includes installer scripts for choosing a router, dependency injection container, and optionally a template renderer and/or error handler. The skeleton also provides configuration for officially supported dependencies.

To use the skeleton, use Composer's create-project command:

composer create-project mezzio/mezzio-skeleton <project dir>

This will prompt you through choosing your dependencies, and then create and install the project in the <project dir> (omitting the <project dir> will create and install in a mezzio-skeleton/ directory).

Manual Composer installation

You can install Mezzio standalone using Composer:

composer require mezzio/mezzio

However, at this point, Mezzio is not usable, as you need to supply minimally:

  • a router.
  • a dependency injection container.

We currently support and provide the following routing integrations:

We recommend using a dependency injection container, and typehint against PSR-11 Container. We can recommend the following implementations:

  • laminas-servicemanager: composer require laminas/laminas-servicemanager
  • Pimple (see docs for more details): composer require laminas/laminas-pimple-config
  • Aura.Di (see docs for more details): composer require laminas/laminas-auradi-config

Additionally, you may optionally want to install a template renderer implementation, and/or an error handling integration. These are covered in the documentation.

Documentation

Documentation is in the doc tree, and can be compiled using mkdocs:

mkdocs build

Additionally, public-facing, browseable documentation is available at https://docs.mezzio.dev/mezzio/

mezzio-authentication-oauth2's People

Contributors

10n, adambalint-srg, agustingomes, alexraputa, artemmolotov, arueckauer, danielss89, ezimuel, froschdesign, geerteltink, ghostwriter, gsteel, jguittard, jslmorrison, laminas-bot, lcobucci, marc-mabe, marcguyer, michalbundyra, ocramius, oqq, renovate[bot], samsonasik, sheridans, sunspikes, thexpand, tobias-trozowski, tux-rampage, weierophinney, wshafer

mezzio-authentication-oauth2's Issues

Invalid default configuration

Bug Report

Q A
Version(s) all ?

Summary

Default configuration provided is different than documented:

Configuration:

'private_key' => getcwd() . '/data/private.key',
'public_key' => getcwd() . '/data/public.key',

Documentation:
https://github.com/mezzio/mezzio-authentication-oauth2/blob/master/docs/book/v1/intro.md#configuration

Generating keys:

$dataDir = $dataDir . '/oauth';

Current behavior

In the current configuration we have the paths set to /data/public.key and /data/private.key, while the documentation says the default paths are /data/oauth/public.key and /data/oauth/private.key, and the generator also puts the keys in that location.

I believe we have to update the configuration to set whatever is said in the documentation.

It can break some applications if someone relies on that "invalid" configuration.

Client name and client identifier are different

In (ClientEntity, ClientRepository, ClientTrait, entityTrait) the code treats clientIdentifier === clientName.

However, in "League\OAuth2\Server\Entities\ClientEntityInterface", clientIdentifier and clientName are two different fields.

Why not separate them as league-oauth2 does?

What is the benefit? Can you answer me, please?
Maybe you have things planned.


Originally posted by @samiboukadida at zendframework/zend-expressive-authentication-oauth2#7

redirectUri must be not null or using an optional string

I used the script at /data/oauth2.sql to create the database model. Here I find the following table definition:

CREATE TABLE `oauth_clients` (
  ...
  `redirect` varchar(255) DEFAULT NULL,
  ...
);

But the constructor in Mezzio\Authentication\OAuth2\Entity\ClientEntity looks like this:

public function __construct(string $identifier, string $name, string $redirectUri, bool $isConfidential = false)

Either the column in the database must not allow NULL values or the parameter $redirectUri must be optional. But that's not how it works.

RefreshTokenGrant requires client_secret

RefreshTokenGrant::respondToAccessTokenRequest requires a client_secret, otherwise it will throw an exception (OAuthServerException::invalidClient). This does not make sense for not confidential clients, as they are not able to send the client_secret.

Defining Event Listener Providers throws error PHP >= 8.0

Bug Report

Q A
mezzio/mezzio-authentication-oauth2 2.5.0

I think this issue is still present in mezzio/mezzio-authentication-oauth2 in 2.8.0

Additional info:
league/event 2.2.0
league/oauth2-server 8.4.0

Summary

By defining an Event Listener Provider without a priority level, the error "ArgumentCountError array_merge() does not accept unknown named parameters" is thrown for PHP >= 8.0

Current behavior

According to Intro mezzio Oauth2, in order to define an Event Listener one should use:

return [
    'event_listeners' => [
        // using a container service
        [
            \League\OAuth2\Server\RequestEvent::CLIENT_AUTHENTICATION_FAILED,
            \My\Event\Listener\Service::class,
        ],
    ],
];

which are then handled in the "AuthorizationServerFactory" as:

private function addListeners(
        AuthorizationServer $authServer,
        ContainerInterface $container
    ): void {
        $listeners = $this->getListenersConfig($container);

        foreach ($listeners as $idx => $listenerConfig) {
            $event    = $listenerConfig[0];
            $listener = $listenerConfig[1];
            $priority = $listenerConfig[2] ?? null;

where if no priority is defined (as in the example displayed in help page), priority defaults to: $priority = null

Then the Emitter.php file from “league/event” (which can be found here: Emitter.php) adds the listeners as

public function addListener($event, $listener, $priority = self::P_NORMAL)
    {
        $listener = $this->ensureListener($listener);
        $this->listeners[$event][$priority][] = $listener;
        $this->clearSortedListeners($event);

        return $this;
    }

where $priority would stay as null.

The problem is that in PHP >= 8.0, when a listener is triggered, the “Emitter.php” file uses the function:

protected function getSortedListeners($event)
    {
        if (! $this->hasListeners($event)) {
            return [];
        }

        $listeners = $this->listeners[$event];
        krsort($listeners);

        return call_user_func_array('array_merge', $listeners);
    }

which in turn throws an error:
"ArgumentCountError array_merge() does not accept unknown named parameters"

due to PHP 8.0 named parameters feature.

How to reproduce

Define an event listener:

return [
    'event_listeners' => [
        // using a container service
        [
            \League\OAuth2\Server\RequestEvent::CLIENT_AUTHENTICATION_FAILED,
            \My\Event\Listener\UserAuthenticationFailedListener::class,
        ],
    ],
];

Create a simple event listener

namespace My\Event\Listener;

use League\Event\AbstractListener;
use League\Event\EventInterface;
use League\OAuth2\Server\Exception\OAuthServerException;

class UserAuthenticationFailedListener extends AbstractListener
{
    public function handle(EventInterface $event)
    {
        echo "do something right there"; exit;
    }

}

If client authentication fails and the event "\League\OAuth2\Server\RequestEvent::CLIENT_AUTHENTICATION_FAILED" is detected the error "ArgumentCountError array_merge() does not accept unknown named parameters" will be thrown

Expected behavior

Not throw the error and implement the code in the listener.

It is possible to disable the error just by defining a priority for each listener, as:

'event_listeners' => [
    [
        \League\OAuth2\Server\RequestEvent::USER_AUTHENTICATION_FAILED,
        \My\Event\Listener\UserAuthenticationFailedListener::class,
        \League\Event\EmitterInterface::P_HIGH,
    ],
],

Another possible solution would be something like:

if ($priority) {
    $authServer->getEmitter()->addListener($event, $listener, $priority);
} else {
    $authServer->getEmitter()->addListener($event, $listener);
}
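
The failure described in this issue can be reproduced without either library. The sketch below is an added example, not code from the issue, from league/event or from this project: it stores a listener under a null priority the way the quoted addListener() does, then shows that defaulting the priority and merging positionally keeps the listener for failed client authentication running. TinyEmitter, run() and the event-name string are constructed for illustration.

```php
<?php

declare(strict_types=1);

// Added example, not league/event code. TinyEmitter is a hypothetical class
// that mirrors only the two quoted methods (addListener, getSortedListeners).

const P_NORMAL = 0; // same value as \League\Event\EmitterInterface::P_NORMAL

final class TinyEmitter
{
    /** @var array<string, array<int|string, list<callable>>> */
    private array $listeners = [];
    private bool $normalise;

    public function __construct(bool $normalise)
    {
        $this->normalise = $normalise;
    }

    public function addListener(string $event, callable $listener, ?int $priority): void
    {
        if ($this->normalise && $priority === null) {
            $priority = P_NORMAL; // fall back the way an omitted argument would
        }
        // PHP stores a null array key as the empty string; spelled out here.
        $this->listeners[$event][$priority ?? ''][] = $listener;
    }

    /** @return list<string> results of the listeners, highest priority first */
    public function emit(string $event): array
    {
        $buckets = $this->listeners[$event] ?? [];
        krsort($buckets);

        if ($this->normalise) {
            // array_values() drops the keys, so every bucket is passed positionally.
            $sorted = array_merge(...array_values($buckets));
        } else {
            // Same call shape as the quoted getSortedListeners(): on PHP >= 8.0 the
            // string key "" is treated as a named argument to array_merge().
            $sorted = call_user_func_array('array_merge', $buckets);
        }

        return array_map(static fn (callable $l): string => $l($event), $sorted);
    }
}

function run(bool $normalise): string
{
    $emitter = new TinyEmitter($normalise);
    // Constructed listener standing in for an audit hook; priority left unset (null).
    $emitter->addListener(
        'client.authentication.failed', // constructed event name
        static fn (string $event): string => "audit: {$event}",
        null
    );

    try {
        return implode(', ', $emitter->emit('client.authentication.failed'));
    } catch (\Throwable $e) {
        // Report the failure instead of letting it abort the request.
        return get_class($e) . ': ' . $e->getMessage();
    }
}

echo 'as reported: ', run(false), PHP_EOL;
echo 'normalised:  ', run(true), PHP_EOL;
```

The "as reported" line is the path on which the issue observes the ArgumentCountError under PHP >= 8.0; the "normalised" line runs the listener on both PHP 7.4 and PHP 8.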

Invalid `redirect_uri` in integration test

Bug Report

Q A
Version(s) latest

Summary

I experienced failing tests in #34, these are related to the league/oauth2-server v8.3.0+.

Current behavior

Tests are failing as they're using just an absolute path (/redirect) as redirect_uri which raises errors in downstream package.

thephpleague/oauth2-server#1239

How to reproduce

Just execute tests while having redirect_uri set as /redirect.

Expected behavior

Tests do not raise notice error in downstream package.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

  • WARN: Use matchDepNames instead of matchPackageNames

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

composer
composer.json
  • php ~8.1.0 || ~8.2.0 || ~8.3.0
  • league/oauth2-server ^8.3.5
  • mezzio/mezzio-authentication ^1.0
  • psr/container ^1.0 || ^2.0
  • psr/http-factory ^1.0
  • psr/http-message ^1.0.1
  • psr/http-server-middleware ^1.0
  • webmozart/assert ^1.10
  • laminas/laminas-coding-standard ~2.5.0
  • laminas/laminas-diactoros ^2.20.0
  • laminas/laminas-servicemanager ^3.19
  • phpunit/phpunit ^9.5.26
  • psalm/plugin-phpunit ^0.18.0
  • vimeo/psalm ^5.0
github-actions
.github/workflows/continuous-integration.yml
.github/workflows/docs-build.yml
.github/workflows/release-on-milestone-closed.yml

  • Check this box to trigger a request for Renovate to run again on this repository

Failed to create private key

Hi, I tried to follow the installation steps in this link https://docs.mezzio.dev/mezzio-authentication-oauth2/v1/intro/ and tried running ./vendor/bin/generate-oauth2-keys. Afterward, I got the following logs:

This script is provided as a convenient way to generate keys for
the OAuth2 server provider. You may choose instead to use an
alternative method. For more information, see the install docs:
https://oauth2.thephpleague.com/installation/

Found a good location for keys:
<project path>\data

We'll put them in a subdirectory:
<project path>\data/oauth

Using 2048 bits to generate key of type RSA

Failed to create private key.
Check your openssl extension settings.

Am I missing something?

I already enabled the openssl extension in php.ini.

Client Secret and Client Redirect Url is mandatory

Provide a narrative description of what you are trying to accomplish.

For trusted apps or front-end only apps, client_secret and redirect_url is pretty silly. We should find a way to make these optional.


Originally posted by @wshafer at zendframework/zend-expressive-authentication-oauth2#24

Scopes table makes little sense.

As scopes are not really attached to anything, this table doesn't make much sense. It doesn't look like I can attach scopes to users or clients, so all we have is a table of valid scope names which doesn't do a whole lot for us.

I suggest we either do away with scopes, or allow scopes to be added to clients/users


Originally posted by @wshafer at zendframework/zend-expressive-authentication-oauth2#27

Investigate test failure with league/oauth2-server 8.1.0

Bug Report

Q A
Version(s) 2.0.2

Summary

league/oauth2-server 8.1.0 has been released and we are getting one failure in our tests:

There was 1 failure:

1) MezzioTest\Authentication\OAuth2\Pdo\OAuth2PdoMiddlewareTest::testProcessClientCredentialGrant
Failed asserting that 401 matches expected 200.

/home/travis/build/mezzio/mezzio-authentication-oauth2/test/Pdo/OAuth2PdoMiddlewareTest.php:192

We need to investigate why this test is failing and fix it accordingly.
If the issue is with the new release of oauth2-server, we need to create an issue there and link it here.

Fatal error while running `generate-oauth2-keys` command without 'data' folder

Bug Report

Q A
Version(s) 2.1.0

Summary

Fatal error while running generate-oauth2-keys command without 'data' folder

Current behavior

PHP Fatal error: Uncaught TypeError: file_exists() expects parameter 1 to be a valid path, bool given in .../vendor/mezzio/mezzio-authentication-oauth2/bin/generate-oauth2-keys:33
Stack trace:
#0 .../vendor/mezzio/mezzio-authentication-oauth2/bin/generate-oauth2-keys(33): file_exists(false)

How to reproduce

  1. Remove 'data' folder from the root of the project
  2. Run ./vendor/bin/generate-oauth2-keys command

Expected behavior

Best available location for keys:
.../vendor/mezzio/mezzio-authentication-oauth2/data

You'll likely want to move them to a better location

Wish Item: Auth Aggregate for Password Grant

Would be nice to be able to provide our own auth method for the password grant, while I could certainly pass in a new userRepository, it would be nice to be able to add an additional password verifier to the existing repo. Perhaps we could make this an aggregate service, much like zend-auth uses?


Originally posted by @wshafer at zendframework/zend-expressive-authentication-oauth2#25

persistNewAccessToken and persistNewRefreshToken

  • AccessTokenRepository : Lines 71 and 72
    ':revoked' => (int)false,
    ':expires_at' => date("Y-m-d H:i:s", $accessTokenEntity->getExpiryDateTime()->getTimestamp())
  • RefreshTokenRepository : lines 32 and 33
    $sth->bindValue(':revoked', (int)false);
    $sth->bindValue(':expires_at', date("Y-m-d H:i:s", $refreshTokenEntity->getExpiryDateTime()->getTimestamp()));

I have to do that to persist the record without error.

Thanks.


Originally posted by @samiboukadida at zendframework/zend-expressive-authentication-oauth2#8

PHP 8.0 support

Feature Request

Q A
New Feature yes

Summary

To be prepared for the December release of PHP 8.0, this repository has some additional TODOs to be tested against the new major version.

In order to make this repository compatible, one has to follow these steps:

  • Modify composer.json to provide support for PHP 8.0 by adding the constraint ~8.0.0
  • Modify composer.json to drop support for PHP less than 7.3
  • Modify composer.json to implement phpunit 9.3 which supports PHP 7.3+
  • Modify .travis.yml to ignore platform requirements when installing composer dependencies (simply add --ignore-platform-reqs to COMPOSER_ARGS env variable)
  • Modify .travis.yml to add PHP 8.0 to the matrix (NOTE: Do not allow failures as PHP 8.0 has a feature freeze since 2020-08-04!)
  • Modify source code in case there are incompatibilities with PHP 8.0

Psalm integration

Feature Request

Q A
QA yes

Summary

As decided during the Technical-Steering-Committee Meeting on August 3rd, 2020, Laminas wants to implement vimeo/psalm in all packages.

Implementing psalm is quite easy.

Required

  • Create a psalm.xml in the project root
  • Copy and paste the contents from this psalm.xml.dist
  • Run $ composer require --dev vimeo/psalm
  • Run $ vendor/bin/psalm --set-baseline=psalm-baseline.xml
  • Add a composer script static-analysis with the command psalm --shepherd --stats
  • Add a new line to script: in .travis.yml: - if [[ $TEST_COVERAGE == 'true' ]]; then composer static-analysis ; fi
  • Remove phpstan from the project (phpstan.neon.dist, .travis.yml entry, composer.json require-dev and scripts)
Optional
  • Fix as many psalm errors as possible.

Incorrect permissions on windows during tests

Provide a narrative description of what you are trying to accomplish.

Code to reproduce the issue

Run composer test on windows

Expected results

Tests pass.

Actual results

  1. ZendTest\Expressive\Authentication\OAuth2\AuthorizationServerFactoryTest::testInvokeWithValidData
    Key file "file://~\Projects\zendframwork\zend-expressive-authentication-oauth2\test/TestAsset/private.key" permissions are not correct, should be 600 or 660 instead of 666

Originally posted by @geerteltink at zendframework/zend-expressive-authentication-oauth2#10

Issues debugging

Code to reproduce the issue

this method blocks errors from being shown

    public function authenticate(ServerRequestInterface $request) : ?UserInterface
    {
        try {
            $result = $this->resourceServer->validateAuthenticatedRequest($request);
            $userId = $result->getAttribute('oauth_user_id', false);
            if (false !== $userId) {
                return $this->generateUser($userId, []);
            }
        } catch (OAuthServerException $exception) {
            return null;
        }
        return null;
    }

and then if I fix it and add

`throw $exception;`

into the catch, it runs...

    public static function accessDenied($hint = null, $redirectUri = null)
    {
        return new static(
            'The resource owner or authorization server denied the request.',

which still hides the actual error message.

I don't see any way to access that $hint value. So currently I have no way to troubleshoot why I am getting totally blank results on API call tests.

I changed the static() return to pass $hint and the error causing this scenario was

The JWT string must have two dots

but it will be the same issue with any error


Originally posted by @pursehouse at zendframework/zend-expressive-authentication-oauth2#39

Wish Item: Bin script to create users and/or clients

Since the password and secrets are all hashed with password_hash(), it would be nice to have a script to either create full users and/or clients, OR a password_generator script like the one for Apigility.


Originally posted by @wshafer at zendframework/zend-expressive-authentication-oauth2#26

AuthenticationInterface service is missing when using oauth2 module with expressive 3

Sorry for opening this new issue but I really think it's a bug in the oauth2 module or an incomplete documentation.
I followed the instructions and figured out my problem: The app crashes with a ServiceNotCreatedException and the message "AuthenticationInterface service is missing". But if I make a print_r($container) in routes.php, the interface is correctly listed under aliases.

config/autoload/dependencies.global.php

<?php

declare(strict_types=1);

use Zend\Expressive\Authentication;

return [
    'dependencies' => [
        'aliases' => [
            Authentication\AuthenticationInterface::class => Authentication\OAuth2\OAuth2Adapter::class,
        ],
        'invokables' => [
        ],
        'factories'  => [
        ],
    ],
];

config/autoload/oauth2.global.php

<?php

declare(strict_types=1);

use League\OAuth2\Server\Grant;

return [
    'authentication' => [
        'private_key' => dirname(__DIR__) . '/../data/oauth/private.key',
        'public_key' => dirname(__DIR__) . '/../data/oauth/public.key',
        'encryption_key' => require dirname(__DIR__) . '/../data/oauth/encryption.key',

        'access_token_expire' => 'P1D',
        'refresh_token_expire' => 'P1M',
        'auth_code_expire' => 'PT10M',

        'pdo' => [
            'dsn' => sprintf(
                'mysql:dbname=%s;host=%s',
                false !== getenv('MYSQL_DB_NAME') ? getenv('MYSQL_DB_NAME') : '',
                false !== getenv('MYSQL_DB_HOST') ? getenv('MYSQL_DB_HOST') : ''
            ),
            'username' => false !== getenv('MYSQL_DB_USER') ? getenv('MYSQL_DB_USER') : '',
            'password' => false !== getenv('MYSQL_DB_PASS') ? getenv('MYSQL_DB_PASS') : '',
        ],

        'grants' => [
            Grant\ClientCredentialsGrant::class => Grant\ClientCredentialsGrant::class,
            Grant\PasswordGrant::class => Grant\PasswordGrant::class,
            Grant\AuthCodeGrant::class => Grant\AuthCodeGrant::class,
            Grant\ImplicitGrant::class => Grant\ImplicitGrant::class,
            Grant\RefreshTokenGrant::class => Grant\RefreshTokenGrant::class,
        ],
    ],
];

config/routes.php

<?php

declare(strict_types=1);

use MyProject\Api\Handler\HomePageHandler;
use MyProject\Api\Handler\PingHandler;
use Psr\Container\ContainerInterface;
use Zend\Expressive\Application;
use Zend\Expressive\Authentication\AuthenticationMiddleware;
use Zend\Expressive\Authentication\OAuth2\TokenEndpointHandler;
use Zend\Expressive\MiddlewareFactory;

return function (Application $app, MiddlewareFactory $factory, ContainerInterface $container) : void {
    $app->post('/oauth2/token', TokenEndpointHandler::class);

    $app->get('/', HomePageHandler::class, 'home');
    $app->get('/api/ping', [
        AuthenticationMiddleware::class,
        PingHandler::class,
    ], 'api.ping');
};

Provide a narrative description of what you are trying to accomplish.

Code to reproduce the issue

Expected results

Actual results


Originally posted by @kschroeer at zendframework/zend-expressive-authentication-oauth2#61

\Mezzio\Authentication\OAuth2\ConfigTrait::getPrivateKey() - does not accept array configuration for private key

BC Break Report

Return type declaration for \Mezzio\Authentication\OAuth2\ConfigTrait::getPrivateKey():string is not allowing array configurations anymore. This removes the possibility of configuring a private key with passphrase.

Code reference: https://github.com/mezzio/mezzio-authentication-oauth2/blob/2.4.0/src/ConfigTrait.php#L14

Q A
Version 2.4.0

Summary

Return type declaration for \Mezzio\Authentication\OAuth2\ConfigTrait::getPrivateKey() is not allowing array configurations anymore.
Code reference: https://github.com/mezzio/mezzio-authentication-oauth2/blob/2.4.0/src/ConfigTrait.php#L14

This trait is used in \Mezzio\Authentication\OAuth2\AuthorizationServerFactory:34
$privateKey = $this->getCryptKey($this->getPrivateKey($container), 'authentication.private_key');

So, even though \Mezzio\Authentication\OAuth2\CryptKeyTrait::getCryptKey() can accept as argument string|array $keyConfig, because of the type hinting protected function getPrivateKey(ContainerInterface $container): string, array cannot be loaded anymore from container config.

Previous behavior

\Mezzio\Authentication\OAuth2\ConfigTrait::getPrivateKey() did NOT force string as return type.
Was allowing also array to be used in container config.

Note: The array could contain the following keys key_or_path (mandatory), pass_phrase (optional) , key_permissions_check (optional)
https://github.com/mezzio/mezzio-authentication-oauth2/blob/2.4.0/src/CryptKeyTrait.php#L23

Current behavior

\Mezzio\Authentication\OAuth2\ConfigTrait::getPrivateKey(): string

How to reproduce

\Mezzio\Authentication\OAuth2\CryptKeyTrait::getCryptKey - has explicit string and array in PHPDoc

Commit reference that introduced restriction:
e34d9e8

Body Parsing Middleware Requirement

Hi, I was having an issue with getting this oauth2 library up and running where I would constantly get 'Unsupported Grant Type' while making JSON requests for an access token. The Content-Type was set to application/json in the header.

Example:
Request:
{ "grant_type": "authorization_code", "client_id" : "test_client", "client_secret" : "test_secret", "redirect_uri " : "localhost", "code" : "545604564056" }

Response:
{ "error": "unsupported_grant_type", "error_description": "The authorization grant type is not supported by the authorization server.", "hint": "Check that all required parameters have been provided", "message": "The authorization grant type is not supported by the authorization server." }

The same error would occur regardless of what grant_type was set to.

The cause of the error was due to how https://oauth2.thephpleague.com/ parses the body of the request.

The League\OAuth2\Server\Grant\AbstractGrant class has methods such as canRespondToAccessTokenRequest and getRequestParameter which uses $request->getParsedBody(). $request->getParsedBody() returns NULL when parsing JSON unless the Body Parsing Middleware is included in the application.

Can I suggest that the documentation for this library is updated to include a reference to the Body Parsing Middleware requirement?

Impossible to get a token, errors on POST oauth2/token route

Bug Report

Q A
Version(s) 2.0.2

Summary

Impossible to get token with client_credentials & password grant

Current behavior

1/ On a Mezzio micro API, I try to get a new token with password grant. Got a PostgreSQL error :

ERROR:  invalid input syntax for integer: "user_test"
STATEMENT:  INSERT INTO oauth_access_tokens (id, user_id, client_id, scopes, revoked, created_at, updated_at, expires_at) VALUES ($1, $2, $3, $4, $5, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, $6)

Should user_id be a VARCHAR ? In the oauth2.sql file, it's an integer

2/ I tried client_credentials grant too but got an error too :

{
    "error": "invalid_client",
    "error_description": "Client authentication failed",
    "message": "Client authentication failed"
}

ClientEntity::$isConfidential is always false and in this case, the error above is emitted.

How to reproduce

Just try these two grants with Postman

Expected behavior

Get a token :)

Wrong column types for user_id and client_id

I used the script at /data/oauth2.sql to create the database model. Here I find the following table definition:

CREATE TABLE `oauth_access_tokens` (
  ...
  `user_id` int(10) DEFAULT NULL,
  `client_id` int(10) NOT NULL,
  ...
);

The column types are therefore integers, which also makes sense if you want to refer to the IDs of the tables oauth_clients and oauth_users.
But then the following array is assembled in Mezzio\Authentication\OAuth2\Repository\Pdo\AccessTokenRepository:

$params = [
    ':id'         => $accessTokenEntity->getIdentifier(),
    ':user_id'    => $accessTokenEntity->getUserIdentifier(),
    ':client_id'  => $accessTokenEntity->getClient()->getIdentifier(),
    ':scopes'     => $this->scopesToString($accessTokenEntity->getScopes()),
    ':revoked'    => 0,
    ':expires_at' => date(
        'Y-m-d H:i:s',
        $accessTokenEntity->getExpiryDateTime()->getTimestamp()
    ),
];

And here user_id and client_id are returned as a string, which is why the database INSERT subsequently fails and the UniqueTokenIdentifierConstraintViolationException is thrown.
