diff --git a/data/web/inc/lib/composer.json b/data/web/inc/lib/composer.json index cc1fc7dd4..c2fef5fb1 100644 --- a/data/web/inc/lib/composer.json +++ b/data/web/inc/lib/composer.json @@ -10,6 +10,7 @@ "mustangostang/spyc": "^0.6.3", "directorytree/ldaprecord": "^2.4", "twig/twig": "^3.0", - "stevenmaguire/oauth2-keycloak": "^3.2" + "stevenmaguire/oauth2-keycloak": "^3.2", + "league/oauth2-client": "^2.7" } } diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock index c03fe1c29..349056afc 100644 --- a/data/web/inc/lib/composer.lock +++ b/data/web/inc/lib/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "65fe6638523a3a93c55e67a061725223", + "content-hash": "ee35a2bf8c80a87b6825c3e86635f709", "packages": [ { "name": "bshaffer/oauth2-server-php", @@ -654,16 +654,16 @@ }, { "name": "league/oauth2-client", - "version": "2.6.1", + "version": "2.7.0", "source": { "type": "git", "url": "https://github.com/thephpleague/oauth2-client.git", - "reference": "2334c249907190c132364f5dae0287ab8666aa19" + "reference": "160d6274b03562ebeb55ed18399281d8118b76c8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19", - "reference": "2334c249907190c132364f5dae0287ab8666aa19", + "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8", + "reference": "160d6274b03562ebeb55ed18399281d8118b76c8", "shasum": "" }, "require": { @@ -718,9 +718,9 @@ ], "support": { "issues": "https://github.com/thephpleague/oauth2-client/issues", - "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1" + "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0" }, - "time": "2021-12-22T16:42:49+00:00" + "time": "2023-04-16T18:19:15+00:00" }, { "name": "matthiasmullie/minify", 
diff --git a/data/web/inc/lib/vendor/composer/autoload_psr4.php b/data/web/inc/lib/vendor/composer/autoload_psr4.php index 6112acbac..8e959eac3 100644 --- a/data/web/inc/lib/vendor/composer/autoload_psr4.php +++ b/data/web/inc/lib/vendor/composer/autoload_psr4.php @@ -18,7 +18,7 @@ return array( 'RobThree\\Auth\\' => array($vendorDir . '/robthree/twofactorauth/lib'), 'Psr\\SimpleCache\\' => array($vendorDir . '/psr/simple-cache/src'), 'Psr\\Log\\' => array($vendorDir . '/psr/log/src'), - 'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-message/src', $vendorDir . '/psr/http-factory/src'), + 'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'), 'Psr\\Http\\Client\\' => array($vendorDir . '/psr/http-client/src'), 'Psr\\Container\\' => array($vendorDir . '/psr/container/src'), 'PhpMimeMailParser\\' => array($vendorDir . '/php-mime-mail-parser/php-mime-mail-parser/src'), diff --git a/data/web/inc/lib/vendor/composer/autoload_static.php b/data/web/inc/lib/vendor/composer/autoload_static.php index 440edffbc..27a95eda8 100644 --- a/data/web/inc/lib/vendor/composer/autoload_static.php +++ b/data/web/inc/lib/vendor/composer/autoload_static.php @@ -140,8 +140,8 @@ class ComposerStaticInit873464e4bd965a3168f133248b1b218b ), 'Psr\\Http\\Message\\' => array ( - 0 => __DIR__ . '/..' . '/psr/http-message/src', - 1 => __DIR__ . '/..' . '/psr/http-factory/src', + 0 => __DIR__ . '/..' . '/psr/http-factory/src', + 1 => __DIR__ . '/..' . '/psr/http-message/src', ), 'Psr\\Http\\Client\\' => array ( diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json index cec6e781d..ef7cac481 100644 --- a/data/web/inc/lib/vendor/composer/installed.json +++ b/data/web/inc/lib/vendor/composer/installed.json 
@@ -668,17 +668,17 @@ }, { "name": "league/oauth2-client", - "version": "2.6.1", - "version_normalized": "2.6.1.0", + "version": "2.7.0", + "version_normalized": "2.7.0.0", "source": { "type": "git", "url": "https://github.com/thephpleague/oauth2-client.git", - "reference": "2334c249907190c132364f5dae0287ab8666aa19" + "reference": "160d6274b03562ebeb55ed18399281d8118b76c8" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/2334c249907190c132364f5dae0287ab8666aa19", - "reference": "2334c249907190c132364f5dae0287ab8666aa19", + "url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/160d6274b03562ebeb55ed18399281d8118b76c8", + "reference": "160d6274b03562ebeb55ed18399281d8118b76c8", "shasum": "" }, "require": { @@ -692,7 +692,7 @@ "phpunit/phpunit": "^5.7 || ^6.0 || ^9.5", "squizlabs/php_codesniffer": "^2.3 || ^3.0" }, - "time": "2021-12-22T16:42:49+00:00", + "time": "2023-04-16T18:19:15+00:00", "type": "library", "extra": { "branch-alias": { @@ -735,7 +735,7 @@ ], "support": { "issues": "https://github.com/thephpleague/oauth2-client/issues", - "source": "https://github.com/thephpleague/oauth2-client/tree/2.6.1" + "source": "https://github.com/thephpleague/oauth2-client/tree/2.7.0" }, "install-path": "../league/oauth2-client" }, diff --git a/data/web/inc/lib/vendor/composer/installed.php b/data/web/inc/lib/vendor/composer/installed.php index 07db23e07..a9737b061 100644 --- a/data/web/inc/lib/vendor/composer/installed.php +++ b/data/web/inc/lib/vendor/composer/installed.php @@ -3,7 +3,7 @@ 'name' => '__root__', 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4', + 'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 
@@ -13,7 +13,7 @@ '__root__' => array( 'pretty_version' => 'dev-master', 'version' => 'dev-master', - 'reference' => 'ea394d702dd7fe05f9b28c818fd912c5a60e71f4', + 'reference' => '07edec4ea50b8eedae10c28eba0b4b2774df537e', 'type' => 'library', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), @@ -98,9 +98,9 @@ 'dev_requirement' => false, ), 'league/oauth2-client' => array( - 'pretty_version' => '2.6.1', - 'version' => '2.6.1.0', - 'reference' => '2334c249907190c132364f5dae0287ab8666aa19', + 'pretty_version' => '2.7.0', + 'version' => '2.7.0.0', + 'reference' => '160d6274b03562ebeb55ed18399281d8118b76c8', 'type' => 'library', 'install_path' => __DIR__ . '/../league/oauth2-client', 'aliases' => array(), diff --git a/data/web/inc/lib/vendor/league/oauth2-client/README.md b/data/web/inc/lib/vendor/league/oauth2-client/README.md index f35d53e8a..cbb449d48 100644 --- a/data/web/inc/lib/vendor/league/oauth2-client/README.md +++ b/data/web/inc/lib/vendor/league/oauth2-client/README.md 
@@ -6,7 +6,7 @@ This package provides a base for integrating with [OAuth 2.0](http://oauth.net/2 [![Source Code](https://img.shields.io/badge/source-thephpleague/oauth2--client-blue.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client) [![Latest Version](https://img.shields.io/github/release/thephpleague/oauth2-client.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/releases) [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](https://github.com/thephpleague/oauth2-client/blob/master/LICENSE) -[![Build Status](https://img.shields.io/github/workflow/status/thephpleague/oauth2-client/CI?label=CI&logo=github&style=flat-square)](https://github.com/thephpleague/oauth2-client/actions?query=workflow%3ACI) +[![Build Status](https://img.shields.io/github/actions/workflow/status/thephpleague/oauth2-client/continuous-integration.yml?label=CI&logo=github&style=flat-square)](https://github.com/thephpleague/oauth2-client/actions?query=workflow%3ACI) [![Codecov Code Coverage](https://img.shields.io/codecov/c/gh/thephpleague/oauth2-client?label=codecov&logo=codecov&style=flat-square)](https://codecov.io/gh/thephpleague/oauth2-client) [![Total Downloads](https://img.shields.io/packagist/dt/league/oauth2-client.svg?style=flat-square)](https://packagist.org/packages/league/oauth2-client) diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php index d1679998c..293a54d6e 100644 --- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php +++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/AbstractProvider.php 
@@ -17,6 +17,7 @@ namespace League\OAuth2\Client\Provider; use GuzzleHttp\Client as HttpClient; use GuzzleHttp\ClientInterface as HttpClientInterface; use GuzzleHttp\Exception\BadResponseException; +use InvalidArgumentException; use League\OAuth2\Client\Grant\AbstractGrant; use League\OAuth2\Client\Grant\GrantFactory; use League\OAuth2\Client\OptionProvider\OptionProviderInterface; @@ -44,7 +45,7 @@ abstract class AbstractProvider use QueryBuilderTrait; /** - * @var string Key used in a token response to identify the resource owner. + * @var string|null Key used in a token response to identify the resource owner. */ const ACCESS_TOKEN_RESOURCE_OWNER_ID = null; @@ -58,6 +59,19 @@ abstract class AbstractProvider */ const METHOD_POST = 'POST'; + /** + * @var string PKCE method used to fetch authorization token. + * The PKCE code challenge will be hashed with sha256 (recommended). + */ + const PKCE_METHOD_S256 = 'S256'; + + /** + * @var string PKCE method used to fetch authorization token. + * The PKCE code challenge will be sent as plain text, this is NOT recommended. + * Only use `plain` if no other option is possible. + */ + const PKCE_METHOD_PLAIN = 'plain'; + /** * @var string */ @@ -78,6 +92,11 @@ abstract class AbstractProvider */ protected $state; + /** + * @var string|null + */ + protected $pkceCode = null; + /** * @var GrantFactory */ 
@@ -264,6 +283,32 @@ abstract class AbstractProvider return $this->state; } + /** + * Set the value of the pkceCode parameter. + * + * When using PKCE this should be set before requesting an access token. + * + * @param string $pkceCode + * @return self + */ + public function setPkceCode($pkceCode) + { + $this->pkceCode = $pkceCode; + return $this; + } + + /** + * Returns the current value of the pkceCode parameter. + * + * This can be accessed by the redirect handler during authorization. + * + * @return string|null + */ + public function getPkceCode() + { + return $this->pkceCode; + } + /** * Returns the base URL for authorizing a client. * @@ -305,6 +350,27 @@ abstract class AbstractProvider return bin2hex(random_bytes($length / 2)); } + /** + * Returns a new random string to use as PKCE code_verifier and + * hashed as code_challenge parameters in an authorization flow. + * Must be between 43 and 128 characters long. + * + * @param int $length Length of the random string to be generated. + * @return string + */ + protected function getRandomPkceCode($length = 64) + { + return substr( + strtr( + base64_encode(random_bytes($length)), + '+/', + '-_' + ), + 0, + $length + ); + } + /** * Returns the default scopes used by this provider. * @@ -326,6 +392,14 @@ abstract class AbstractProvider return ','; } + /** + * @return string|null + */ + protected function getPkceMethod() + { + return null; + } + /** * Returns authorization parameters based on provided options. * 
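Review bot: `getRandomPkceCode()` documents that the verifier must be between 43 and 128 characters, but `$length` is used unchecked, so a subclass that passes a smaller value gets a verifier outside the range the docblock states. A guard at the top of the method would enforce the contract: `if ($length < 43 || $length > 128) { throw new InvalidArgumentException('PKCE code length must be between 43 and 128.'); }`. The class already imports `InvalidArgumentException` in this same change. The generation itself looks sound for the default length of 64: it draws from `random_bytes()`, and the `substr()` cut drops the base64 padding, so only URL-safe characters remain.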
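Review bot: The new `getPkceMethod()` in the `@@ -326,6 +392,14 @@` hunk carries only `@return string|null`, which omits what a provider author needs to know. Returning null keeps PKCE switched off, and the only other values the authorization-parameter code accepts are `PKCE_METHOD_S256` and `PKCE_METHOD_PLAIN`; anything else throws. I would add a summary line such as `Returns the PKCE method for this provider, or null to disable PKCE (the default).` plus a sentence naming the two constants. This matters to anyone taking the upgrade, because the base implementation returns null and the flow stays unchanged until a provider overrides it.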
@@ -355,6 +429,26 @@ abstract class AbstractProvider // Store the state as it may need to be accessed later on. $this->state = $options['state']; + $pkceMethod = $this->getPkceMethod(); + if (!empty($pkceMethod)) { + $this->pkceCode = $this->getRandomPkceCode(); + if ($pkceMethod === static::PKCE_METHOD_S256) { + $options['code_challenge'] = trim( + strtr( + base64_encode(hash('sha256', $this->pkceCode, true)), + '+/', + '-_' + ), + '=' + ); + } elseif ($pkceMethod === static::PKCE_METHOD_PLAIN) { + $options['code_challenge'] = $this->pkceCode; + } else { + throw new InvalidArgumentException('Unknown PKCE method "' . $pkceMethod . '".'); + } + $options['code_challenge_method'] = $pkceMethod; + } + // Business code layer might set a different redirect_uri parameter // depending on the context, leave it as-is if (!isset($options['redirect_uri'])) { @@ -517,8 +611,8 @@ abstract class AbstractProvider /** * Requests an access token using a specified grant and option set. * - * @param mixed $grant - * @param array $options + * @param mixed $grant + * @param array $options * @throws IdentityProviderException * @return AccessTokenInterface */ @@ -532,6 +626,10 @@ abstract class AbstractProvider 'redirect_uri' => $this->redirectUri, ]; + if (!empty($this->pkceCode)) { + $params['code_verifier'] = $this->pkceCode; + } + $params = $grant->prepareRequestParameters($params, $options); $request = $this->getAccessTokenRequest($params); $response = $this->getParsedResponse($request); @@ -564,7 +662,7 @@ abstract class AbstractProvider * * @param string $method * @param string $url - * @param AccessTokenInterface|string $token + * @param AccessTokenInterface|string|null $token * @param array $options Any of "headers", "body", and "protocolVersion". * @return RequestInterface */ 
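Review bot: The block that assigns `$this->pkceCode` keeps the verifier only on the provider instance, and no comment tells the caller that it has to survive the redirect. The callback normally runs in a new request, where `getAccessToken()` sends `code_verifier` only if the value was handed back through `setPkceCode()`; the existing comment just above does this job for `state`. I would add a matching comment before the assignment, e.g. `// Store the PKCE code as well: the caller must persist getPkceCode() (e.g. in the session) and restore it with setPkceCode() before requesting the token.` Every call also regenerates the verifier, so one set earlier via `setPkceCode()` is overwritten. The enclosing method starts and ends outside the hunk.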
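Review bot: In the `@@ -532,6 +626,10 @@` hunk `code_verifier` is added to the token request whenever `$this->pkceCode` is non-empty, whatever grant is in use, and the property is never cleared after the exchange. As far as the visible lines show, an instance that has built an authorization URL or had `setPkceCode()` called would also send the verifier on later requests such as a refresh. Limiting it to the authorization-code exchange keeps the value out of requests that do not need it: `if (!empty($this->pkceCode) && $grant instanceof AuthorizationCode) {`, with `League\OAuth2\Client\Grant\AuthorizationCode` imported. The method body continues outside the hunk.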
diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php index 52b7e0353..55cb438fb 100644 --- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php +++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/Exception/IdentityProviderException.php @@ -27,7 +27,7 @@ class IdentityProviderException extends \Exception /** * @param string $message * @param int $code - * @param array|string $response The response body + * @param mixed $response The response body */ public function __construct($message, $code, $response) { @@ -39,7 +39,7 @@ class IdentityProviderException extends \Exception /** * Returns the exception's response body. * - * @return array|string + * @return mixed */ public function getResponseBody() { diff --git a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php index 74393ffda..0fc95f250 100644 --- a/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php +++ b/data/web/inc/lib/vendor/league/oauth2-client/src/Provider/GenericProvider.php @@ -78,6 +78,11 @@ class GenericProvider extends AbstractProvider */ private $responseResourceOwnerId = 'id'; + /** + * @var string|null + */ + private $pkceMethod = null; + /** * @param array $options * @param array $collaborators @@ -114,6 +119,7 @@ class GenericProvider extends AbstractProvider 'responseCode', 'responseResourceOwnerId', 'scopes', + 'pkceMethod', ]); } @@ -205,6 +211,14 @@ class GenericProvider extends AbstractProvider return $this->scopeSeparator ?: parent::getScopeSeparator(); } + /** + * @inheritdoc + */ + protected function getPkceMethod() + { + return $this->pkceMethod ?: parent::getPkceMethod(); + } + /** * @inheritdoc */