diff --git a/composer.json b/composer.json index a403b67..1099572 100644 --- a/composer.json +++ b/composer.json @@ -15,7 +15,7 @@ } ], "require": { - "pdsinterop/solid-auth": "v0.14.1", + "pdsinterop/solid-auth": "v0.14.2", "pdsinterop/solid-crud": "v0.8.4", "phpmailer/phpmailer": "^6.10", "sweetrdf/easyrdf": "~1.15.0", diff --git a/init.php b/init.php index 94c1b72..21e739a 100644 --- a/init.php +++ b/init.php @@ -24,7 +24,7 @@ function initDatabase() clientData TEXT NOT NULL )', 'CREATE TABLE IF NOT EXISTS allowedClients ( - userId VARCHAR(255) NOT NULL PRIMARY KEY, + userId VARCHAR(255) NOT NULL, clientId VARCHAR(255) NOT NULL )', 'CREATE TABLE IF NOT EXISTS userStorage ( diff --git a/lib/Routes/SolidIdp.php b/lib/Routes/SolidIdp.php index 9e628bc..6effd9d 100644 --- a/lib/Routes/SolidIdp.php +++ b/lib/Routes/SolidIdp.php @@ -128,12 +128,17 @@ public static function respondToRegister() $generatedClientId = bin2hex(random_bytes(16)); // 32 chars for the client Id - $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret $clientData['client_id_issued_at'] = time(); $clientData['client_id'] = $generatedClientId; - $clientData['client_secret'] = $generatedClientSecret; $clientData['origin'] = $origin; + if ( + (!isset($clientData['token_endpoint_auth_method'])) || // if not set, assume we have to add a client secret; + ($clientData['token_endpoint_auth_method'] !== 'none') + ) { // generate and use secret if we have token endpoint authentication + $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret + $clientData['client_secret'] = $generatedClientSecret; + } ClientRegistration::saveClientRegistration($clientData); $client = ClientRegistration::getRegistration($generatedClientId); @@ -141,16 +146,20 @@ public static function respondToRegister() $responseData = array( 'redirect_uris' => $client['redirect_uris'], 'client_id' => $client['client_id'], - 'client_secret' => $client['client_secret'], 'response_types' => array('code'), 'grant_types' => array('authorization_code', 'refresh_token'), 'application_type' => $client['application_type'] ?? 'web', 'client_name' => $client['client_name'] ?? $client['client_id'], 'id_token_signed_response_alg' => 'RS256', - 'token_endpoint_auth_method' => 'client_secret_basic', - 'client_id_issued_at' => $client['client_id_issued_at'], - 'client_secret_expires_at' => 0 + 'client_id_issued_at' => $client['client_id_issued_at'] ); + if (isset($client['client_secret'])) { + $responseData['client_secret'] = $client['client_secret']; + $responseData['token_endpoint_auth_method'] = 'client_secret_basic'; + $responseData['client_secret_expires_at'] = 0; + } else { + $responseData['token_endpoint_auth_method'] = 'none'; // No client secret means we can't authenticate on the token endpoint; + } header("HTTP/1.1 201 Created"); header("Content-type: application/json"); echo json_encode($responseData, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR); diff --git a/lib/Server.php b/lib/Server.php index 204f5ab..98a1ed7 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -73,6 +73,20 @@ public static function getConfigClient() $registeredClient = ClientRegistration::getRegistration($clientId); } if (isset($registeredClient)) { + /* + If the token_endpoint_auth_method is 'none', + this means we are dealing with a public + client that is not able to securely store + the client secret. In that case, we remove + the client_secret so we treat the client as + a public client + */ + if ( + isset($registeredClient['token_endpoint_auth_method']) && + ($registeredClient['token_endpoint_auth_method'] === "none") + ) { + unset($registeredClient['client_secret']); + } return new ConfigClient( $clientId, $registeredClient['client_secret'] ?? '', diff --git a/upgrade/0.4.1/upgrade.functions.php b/upgrade/0.4.1/upgrade.functions.php new file mode 100644 index 0000000..f2d76d5 --- /dev/null +++ b/upgrade/0.4.1/upgrade.functions.php @@ -0,0 +1,24 @@ +exec($statement); + } + } catch (\PDOException $e) { + echo $e->getMessage(); + } +} diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php new file mode 100644 index 0000000..9f09478 --- /dev/null +++ b/upgrade/0.4.1/upgrade.php @@ -0,0 +1,9 @@ +