-
Notifications
You must be signed in to change notification settings - Fork 783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[13.x] Make client RFC compatible #1744
[13.x] Make client RFC compatible #1744
Conversation
A lot of breaking changes here and I'm not sure the ROI is there to support them. |
@taylorotwell This PR actually make this package easier to maintain and support by removing some deprecations and unnecessary configurations. Please let us know what the community can do to make Passport profitable in the way you prefer, e.g. I wanted to make Passport compatible with Laravel Jetstream / Fortify. We can also change its logo just like other Laravel first-party packages, etc. Many people are using Laravel to develop APIs and OAuth2 is a must in most scenarios. Sanctum is great, but you know the difference better than me. We have already added support for v9 of the OAuth2 Server (#1734). The latest version adds support for "Device Authorization Flow" RFC8628; I've already prepared a PR to support that on Passport that I will send after this one. cc @driesvints |
Hi @hafezdivandari. We really appreciate all of this work! But like Taylor said, I also feel this is a bit too much... The changes in this PR all seem sound to me but impose a hefty upgrade path on users, something we at Laravel try to avoid at all cost. There for, I feel we should cut on some of these changes. I would:
I realise this will cut a lot of the work you made but this will make the transition for users much more feasible. |
Hi @driesvints, thanks for your reply. I should have sent these changes as separate PRs, but I thought it would be hard to guess why each one is needed without knowing the whole picture. I'll resend separately, but please keep this one open as draft for a while. |
Finally, We are going to have a compatible OAuth Framework. The optional hash part of Passport is a security concern. User should instead need to specify they don't want it hashed rather than specify they wanted it hashed. |
@stanliwise you may check this #1745 |
From a security and maintainability perspective, I also agree, that aligning with the RFC is better! But of course at the same time aligning with the RFC, also makes it sometimes harder, because you need to know all of the RFCs related to OAuth 2.0, which is a lot. (Something which should be addressed with OAuth 2.1, which reduces the number of RFC to I think a single one. OAuth 2.1 is still WIP). |
@Jubeki thanks for your comment. This PR just fixes 2 problems that we already have with client registration: |
I personally still remain unconvinced the ROI is there on this PR. Every Passport app in the world will have to perform a pretty significant database change that will incur downtime for very marginal benefit as far as I can tell. People don't seem to be begging for this by the hundreds. |
@taylorotwell I've fixed this to be backward compatible, new installations will have
PR #729 merged on 2018 explains why Some people may don't know the risk here, e.g. every confidential client can be used as |
?Authenticatable $user = null | ||
): Client { | ||
$client = Passport::client(); | ||
$columns = $client->getConnection()->getSchemaBuilder()->getColumnListing($client->getTable()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about using a config option, instead of querying the column details?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also thought about a new config option, but it seems to be redundant when we can easily check for existing columns?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would save one query. But I will leave that decision to you / the Laravel Team.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah but client creation / updating doesn't happen frequently. Lets see what maintainers decide.
I would also like it if there are test cases with the old columns, so that you can continue checking if everything works as expected. |
This PR refactors OAuth2 Client implementation to make it more RFC compatible and more secure.
Client Grant Types
The problem: Currently there is no consistent way to determine what grants each client can handle, this is a security concern! We have
personal_access_client
andpassword_client
boolean properties but it's not a good idea to add a boolean attribute for each grant, e.g.client_credentials
.The solution: The
grant_types
property was added to theClient
model long time ago (first appearance was on #729 then #731). This PR addsgrant_types
column to theoauth_clients
table as a JSON array and makes other changes to always check the allowed grant types the client can handle, RFC7591. Here is the list of grant types:"authorization_code"
"personal_access"
"implicit"
"password"
"client_credentials"
"refresh_token"
"urn:ietf:params:oauth:grant-type:device_code"
(TBD [13.x] Device Authorization Grant RFC8628 #1750)For example, a client with
'grant_types' => ['authorization_code', 'refresh_token']
can handle "Authorization Code" and "Refresh Token" grant types.Client Redirect URIs
The problem: Auth clients ("Implicit" and "Auth Code" grants) may have multiple redirect URIs, we currently use comma separated list of values which is not RFC compatible.
The Solution: The
redirect
property of theClient
model has been renamed toredirect_uris
and is going to be stored as an array of strings instead of a comma-separated list of values, to be compatible with RFC7591Fixed
Client::hasGrantType()
method has been fixed to determine what grants the client handles.ClientRepository::create()
method andpassport:client
artisan command has been fixed:--implicit
option has been added for backward compatibility.Changes
grant_types
andredirect_uris
columns has been added onoauth_clients
table astext
(JSON array).redirect
,personal_access_client
, andpassword_client
columns ofoauth_clients
table has been removed.Upgrade Guide
No upgrade needed. When
oauth_clients
table doesn't havegrant_types
andredirect_uris
columns, it fallbacks to oldredirect
,personal_access_client
, andpassword_client
columns.