From 6a4e50b47fce94a1326bab54f4fdc9abdbd950ce Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 28 Aug 2024 11:42:53 +0200
Subject: [PATCH 1/3] Use the same issuer in token and discovery responses

---
 src/IdTokenResponse.php | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php
index be61c98..d5f2fbe 100644
--- a/src/IdTokenResponse.php
+++ b/src/IdTokenResponse.php
@@ -55,17 +55,10 @@ protected function getBuilder(
             ($this->useMicroseconds ? microtime(true) : time())
         );
 
-        if ($this->currentRequestService) {
-            $uri = $this->currentRequestService->getRequest()->getUri();
-            $issuer = $uri->getScheme() . '://' . $uri->getHost() . ($uri->getPort() ? ':' . $uri->getPort() : '');
-        } else {
-            $issuer = 'https://' . $_SERVER['HTTP_HOST'];
-        }
-
         return $this->config
             ->builder()
             ->permittedFor($accessToken->getClient()->getIdentifier())
-            ->issuedBy($issuer)
+            ->issuedBy(url('/'))
             ->issuedAt($dateTimeImmutableObject)
             ->expiresAt($dateTimeImmutableObject->add(new DateInterval('PT1H')))
             ->relatedTo($userEntity->getIdentifier());

From e45784115871f85dd4c0cd83d0bafc53882152e8 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 28 Aug 2024 12:32:38 +0200
Subject: [PATCH 2/3] Unify issuer, force https:// on issuer and endpoints

---
 src/IdTokenResponse.php | 2 +-
 src/Laravel/DiscoveryController.php | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php
index d5f2fbe..dfaa798 100644
--- a/src/IdTokenResponse.php
+++ b/src/IdTokenResponse.php
@@ -58,7 +58,7 @@ protected function getBuilder(
         return $this->config
             ->builder()
             ->permittedFor($accessToken->getClient()->getIdentifier())
-            ->issuedBy(url('/'))
+            ->issuedBy('https://' . $_SERVER['HTTP_HOST'])
             ->issuedAt($dateTimeImmutableObject)
             ->expiresAt($dateTimeImmutableObject->add(new DateInterval('PT1H')))
             ->relatedTo($userEntity->getIdentifier());
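Review bot: The `iss` claim is now built from `$_SERVER['HTTP_HOST']` on the added `->issuedBy(...)` line, which is the client-supplied Host header unless the web server or Laravel's TrustHosts middleware pins it, and which is undefined outside a web request (queue workers, tests), where the issuer degrades to `https://` plus an undefined-index notice. An OIDC issuer is an identifier that relying parties compare byte-for-byte against the discovery document's `issuer` and the token's `iss`, so it should come from configuration rather than from the request, e.g. `->issuedBy(rtrim(config('app.url'), '/'))` with `APP_URL` set to the public https origin. If `url('/')` from the previous commit was dropped because it produced `http://` behind a TLS-terminating proxy, that points at a TrustProxies/`APP_URL` configuration problem rather than a reason to hard-code the scheme. The removed PSR-7 branch carried an explicit port; with `HTTP_HOST` that survives only when the proxy forwards a non-default port in the Host header. getBuilder's signature and the start of its body are outside this hunk.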
diff --git a/src/Laravel/DiscoveryController.php b/src/Laravel/DiscoveryController.php
index cb7536d..fb5c848 100644
--- a/src/Laravel/DiscoveryController.php
+++ b/src/Laravel/DiscoveryController.php
@@ -14,9 +14,9 @@ class DiscoveryController
     public function __invoke(Request $request)
     {
         $response = [
-            'issuer' => url('/'),
+            'issuer' => 'https://' . $_SERVER['HTTP_HOST'],
             'authorization_endpoint' => route('passport.authorizations.authorize'),
-            'token_endpoint' => route('passport.token'),
+            'token_endpoint' => str_replace('http://', 'https://', route('passport.token')),
             'grant_types_supported' => $this->getSupportedGrantTypes(),
             'response_types_supported' => $this->getSupportedResponseTypes(),
             'subject_types_supported' => [
@@ -33,15 +33,15 @@ public function __invoke(Request $request)
         ];
 
         if (Route::has('openid.userinfo')) {
-            $response['userinfo_endpoint'] = route('openid.userinfo');
+            $response['userinfo_endpoint'] = str_replace('http://', 'https://', route('openid.userinfo'));
         }
 
         if (Route::has('openid.jwks')) {
-            $response['jwks_uri'] = route('openid.jwks');
+            $response['jwks_uri'] = str_replace('http://', 'https://', route('openid.jwks'));
         }
 
         if (Route::has('openid.end_session_endpoint')) {
-            $response['end_session_endpoint'] = route('openid.end_session_endpoint');
+            $response['end_session_endpoint'] = str_replace('http://', 'https://', route('openid.end_session_endpoint'));
         }
 
         return response()->json($response, 200, [], JSON_PRETTY_PRINT);

From 869ca84a0a5e0ad1b63eb213c80713caee996363 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 28 Aug 2024 12:50:50 +0200
Subject: [PATCH 3/3] Different approach

---
 src/Laravel/DiscoveryController.php | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/Laravel/DiscoveryController.php b/src/Laravel/DiscoveryController.php
index fb5c848..a36d76e 100644
--- a/src/Laravel/DiscoveryController.php
+++ b/src/Laravel/DiscoveryController.php
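Review bot: The `'issuer'` on the first added line is derived from `$_SERVER['HTTP_HOST']`, so the discovery document advertises whatever Host header the request carried; OpenID Connect Discovery requires `issuer` to equal the URL the configuration was fetched from (minus the `.well-known` suffix), and clients that validate `iss` will reject tokens as soon as the service is reachable under a second hostname, a Host header is not pinned by the web server or TrustHosts middleware, or a CLI context has no `HTTP_HOST` at all. Use one configured value shared with IdTokenResponse instead, e.g. `'issuer' => rtrim(config('app.url'), '/'),`. The `str_replace('http://', 'https://', …)` on `token_endpoint` is a textual workaround for the URL generator emitting `http://` (typically a missing TrustProxies/`APP_URL` setup) and would also rewrite an `http://` appearing anywhere else in the URL; the next commit replaces it, so no further change is needed here. `__invoke` continues past the end of this hunk.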
@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Facades\URL;
 use Laravel\Passport\Passport;
 
 class DiscoveryController
@@ -13,10 +14,12 @@ class DiscoveryController
      */
     public function __invoke(Request $request)
     {
+        URL::forceScheme('https'); // for route() calls below
+
         $response = [
             'issuer' => 'https://' . $_SERVER['HTTP_HOST'],
             'authorization_endpoint' => route('passport.authorizations.authorize'),
-            'token_endpoint' => str_replace('http://', 'https://', route('passport.token')),
+            'token_endpoint' => route('passport.token'),
             'grant_types_supported' => $this->getSupportedGrantTypes(),
             'response_types_supported' => $this->getSupportedResponseTypes(),
             'subject_types_supported' => [
@@ -33,15 +36,15 @@ public function __invoke(Request $request)
         ];
 
         if (Route::has('openid.userinfo')) {
-            $response['userinfo_endpoint'] = str_replace('http://', 'https://', route('openid.userinfo'));
+            $response['userinfo_endpoint'] = route('openid.userinfo');
         }
 
         if (Route::has('openid.jwks')) {
-            $response['jwks_uri'] = str_replace('http://', 'https://', route('openid.jwks'));
+            $response['jwks_uri'] = route('openid.jwks');
         }
 
         if (Route::has('openid.end_session_endpoint')) {
-            $response['end_session_endpoint'] = str_replace('http://', 'https://', route('openid.end_session_endpoint'));
+            $response['end_session_endpoint'] = route('openid.end_session_endpoint');
         }
 
         return response()->json($response, 200, [], JSON_PRETTY_PRINT);
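Review bot: `URL::forceScheme('https')` on the first added line of the `__invoke` hunk mutates the application's shared UrlGenerator from inside a controller, so every later `route()`/`url()` call in this request — and, in long-lived runtimes such as Octane or queue workers, in subsequent requests handled by the same process — is affected, not only the calls this comment says it is for. Laravel's documented home for this is `AppServiceProvider::boot()`, or, if the actual problem is a TLS-terminating proxy presenting plain HTTP to the app, the TrustProxies middleware so the request scheme is detected correctly; either way the call and its inline comment leave this method. The `'issuer'` on the following context line still bypasses the URL generator and reads `$_SERVER['HTTP_HOST']` directly, so its host can diverge from the host `route()` emits when `APP_URL` or `URL::forceRootUrl()` is set; deriving it from the same generator, e.g. `'issuer' => rtrim(url('/'), '/'),` (which I believe honours the forced scheme), or from a fixed configured value keeps `issuer` and the endpoints consistent. `__invoke` continues past the end of this hunk.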