diff --git a/init.php b/init.php index af5668d..a24fe11 100644 --- a/init.php +++ b/init.php @@ -19,7 +19,7 @@ function initDatabase() { clientData TEXT NOT NULL )', 'CREATE TABLE IF NOT EXISTS allowedClients ( - userId VARCHAR(255) NOT NULL PRIMARY KEY, + userId VARCHAR(255) NOT NULL, clientId VARCHAR(255) NOT NULL )', 'CREATE TABLE IF NOT EXISTS userStorage ( diff --git a/lib/Routes/SolidIdp.php b/lib/Routes/SolidIdp.php index 6cc3225..83316a6 100644 --- a/lib/Routes/SolidIdp.php +++ b/lib/Routes/SolidIdp.php @@ -120,11 +120,12 @@ public static function respondToRegister() { $generatedClientId = bin2hex(random_bytes(16)); // 32 chars for the client Id - $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret - $clientData['client_id_issued_at'] = time(); $clientData['client_id'] = $generatedClientId; - $clientData['client_secret'] = $generatedClientSecret; + if ($clientData['token_endpoint_auth_method'] !== 'none') { // generate and use secret if we have token endpoint authentication + $generatedClientSecret = bin2hex(random_bytes(32)); // and 64 chars for the client secret + $clientData['client_secret'] = $generatedClientSecret; + } $clientData['origin'] = $origin; ClientRegistration::saveClientRegistration($clientData); @@ -133,16 +134,21 @@ public static function respondToRegister() { $responseData = array( 'redirect_uris' => $client['redirect_uris'], 'client_id' => $client['client_id'], - 'client_secret' => $client['client_secret'], 'response_types' => array('code'), 'grant_types' => array('authorization_code', 'refresh_token'), 'application_type' => $client['application_type'] ?? 'web', 'client_name' => $client['client_name'] ?? $client['client_id'], 'id_token_signed_response_alg' => 'RS256', - 'token_endpoint_auth_method' => 'client_secret_basic', - 'client_id_issued_at' => $client['client_id_issued_at'], - 'client_secret_expires_at' => 0 + 'client_id_issued_at' => $client['client_id_issued_at'] ); + if (isset($client['client_secret'])) { + $responseData['client_secret'] = $client['client_secret']; + $responseData['token_endpoint_auth_method'] = 'client_secret_basic'; + $responseData['client_secret_expires_at'] = 0; + } else { + $responseData['token_endpoint_auth_method'] = 'none'; // No client secret means we can't authenticate on the token endpoint; + } + header("HTTP/1.1 201 Created"); header("Content-type: application/json"); echo json_encode($responseData, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR); diff --git a/lib/Server.php b/lib/Server.php index ab128a8..80882b5 100644 --- a/lib/Server.php +++ b/lib/Server.php @@ -67,6 +67,13 @@ public static function getConfigClient() { $registeredClient = ClientRegistration::getRegistration($clientId); } if (isset($registeredClient)) { + /* + If the token_endpoint_auth_method is 'none', this means we are dealing with a public client that is not able to securely store the client secret. + In that case, we remove the client_secret so we treat the client as a public client + */ + if ($registeredClient['token_endpoint_auth_method'] === "none") { + unset($registeredClient['client_secret']); + } return new ConfigClient( $clientId, $registeredClient['client_secret'] ?? '', diff --git a/upgrade/0.4.1/upgrade.php b/upgrade/0.4.1/upgrade.php new file mode 100644 index 0000000..c00f8ee --- /dev/null +++ b/upgrade/0.4.1/upgrade.php @@ -0,0 +1,28 @@ +exec($statement); + } + } catch(\PDOException $e) { + echo $e->getMessage(); + } + } + upgradeDatabase();