From 5dee72d95bc68e3222ff4486714baa1c469945fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dillenbourg?=
Date: Tue, 17 Dec 2024 13:11:25 +0100
Subject: [PATCH] Extract issuedBy retrieval

---
 ecs.php | 2 +-
 src/IdTokenResponse.php | 28 +++-------------------
 src/Laravel/DiscoveryController.php | 7 +++---
 src/Laravel/PassportServiceProvider.php | 2 +-
 src/Laravel/config/openid.php | 8 +++---
 src/Services/IssuedByGetter.php | 30 +++++++++++++++++++++++++
 6 files changed, 43 insertions(+), 34 deletions(-)
 create mode 100644 src/Services/IssuedByGetter.php

diff --git a/ecs.php b/ecs.php
index e08db25..11b0d37 100644
--- a/ecs.php
+++ b/ecs.php
@@ -42,7 +42,7 @@
 $services->set(CastSpacingSniff::class);
 $services->set(SpaceAfterCastSniff::class);
 $services->set(LineLengthSniff::class)
- ->property('absoluteLineLimit', 120);
+ ->property('absoluteLineLimit', 150);
 $services->set(FunctionSpacingSniff::class)
 ->property('spacing', 1)
 ->property('spacingBeforeFirst', 0)
diff --git a/src/IdTokenResponse.php b/src/IdTokenResponse.php
index c7f4e04..9902516 100644
--- a/src/IdTokenResponse.php
+++ b/src/IdTokenResponse.php
@@ -13,6 +13,7 @@
 use OpenIDConnect\Interfaces\CurrentRequestServiceInterface;
 use OpenIDConnect\Interfaces\IdentityEntityInterface;
 use OpenIDConnect\Interfaces\IdentityRepositoryInterface;
+use OpenIDConnect\Services\IssuedByGetter;
 
 class IdTokenResponse extends BearerTokenResponse {
 use CryptTrait;
@@ -36,7 +37,7 @@ public function __construct(
 bool $useMicroseconds = true,
 CurrentRequestServiceInterface $currentRequestService = null,
 $encryptionKey = null,
- protected ?string $issuedBy = null
+ protected string $issuedByConfigured = 'laravel',
 ) {
 $this->identityRepository = $identityRepository;
 $this->claimExtractor = $claimExtractor;
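Review bot: The promoted constructor parameter changed from `protected ?string $issuedBy = null` to `protected string $issuedByConfigured = 'laravel'`, so any caller that still passes `null` (the previous default, `config('openid.issuedBy', null)`) now raises a TypeError, and subclasses that read `$this->issuedBy` lose the property without a deprecation path. Keeping the parameter nullable and normalising inside the class, `protected ?string $issuedByConfigured = null` with `$this->issuedByConfigured ?? 'laravel'` at the use site, would preserve the old call sites. The rest of the constructor body is outside the hunk.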
@@ -59,35 +60,12 @@ protected function getBuilder(
 return $this->config
 ->builder()
 ->permittedFor($accessToken->getClient()->getIdentifier())
- ->issuedBy($this->getIssuedBy())
+ ->issuedBy(IssuedByGetter::get($this->currentRequestService, $this->issuedByConfigured))
 ->issuedAt($dateTimeImmutableObject)
 ->expiresAt($dateTimeImmutableObject->add(new DateInterval('PT1H')))
 ->relatedTo($userEntity->getIdentifier());
 }
 
- private function getIssuedBy(): string
- {
- if($this->issuedBy === 'laravel-url') {
- return url('/');
- } elseif($this->issuedBy === null || $this->issuedBy === 'auto-detect') {
- $host = $_SERVER['HTTP_HOST'] ?? null;
-
- if (empty($host)) {
- return url('/');
- }
-
- $scheme = $_SERVER['REQUEST_SCHEME'] ?? null;
-
- if (empty($scheme)) {
- $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
- }
-
- return $scheme . '://' . $host;
- } else {
- return $this->issuedBy;
- }
- }
-
 protected function getExtraParams(AccessTokenEntityInterface $accessToken): array {
 /**
 * Include the scope return value, which according to RFC 6749, section 5.1 (and 3.3)
diff --git a/src/Laravel/DiscoveryController.php b/src/Laravel/DiscoveryController.php
index a36d76e..6e55be8 100644
--- a/src/Laravel/DiscoveryController.php
+++ b/src/Laravel/DiscoveryController.php
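Review bot: The `iss` claim signed into every ID token is now computed per request by `IssuedByGetter::get(...)`, and in the default 'laravel' and 'server' modes that value is derived from the incoming request's host, which the client controls through the Host header unless the application restricts trusted hosts and proxies. The removed `getIssuedBy` had the same exposure, so nothing new is introduced, but moving it into a shared helper is the right moment to document that a fixed `openid.issuedBy` URL is the safe production setting. I would add above the builder chain `// iss is request-derived in 'laravel'/'server' mode; set openid.issuedBy to a fixed URL so every token carries the same, non-attacker-influenced issuer`. getBuilder's signature and the remainder of the method are outside the hunk.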
@@ -6,18 +6,19 @@
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\URL;
 use Laravel\Passport\Passport;
+use OpenIDConnect\Services\IssuedByGetter;
 
 class DiscoveryController
 {
 /**
 * Compatible with https://openid.net/specs/openid-connect-discovery-1_0.html, chapter 3
 */
- public function __invoke(Request $request)
+ public function __invoke(Request $request, LaravelCurrentRequestService $currentRequestService)
 {
 URL::forceScheme('https'); // for route() calls below
 
 $response = [
- 'issuer' => 'https://' . $_SERVER['HTTP_HOST'],
+ 'issuer' => IssuedByGetter::get($currentRequestService, config('openid.issuedBy', 'laravel')),
 'authorization_endpoint' => route('passport.authorizations.authorize'),
 'token_endpoint' => route('passport.token'),
 'grant_types_supported' => $this->getSupportedGrantTypes(),
@@ -52,7 +53,7 @@ public function __invoke(Request $request)
 
 /**
 * Returns JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports.
- * The server MUST support the openid scope value.
+ * The server MUST support the openid scope value.
 * Servers MAY choose not to advertise some supported scope values even when this parameter is used,
 * although those defined in [OpenID.Core] SHOULD be listed, if supported.
 */
diff --git a/src/Laravel/PassportServiceProvider.php b/src/Laravel/PassportServiceProvider.php
index 9dcd80b..5da17cd 100644
--- a/src/Laravel/PassportServiceProvider.php
+++ b/src/Laravel/PassportServiceProvider.php
@@ -62,7 +62,7 @@ public function makeAuthorizationServer(): AuthorizationServer
 config('openid.use_microseconds'),
 app(LaravelCurrentRequestService::class),
 $encryptionKey,
- config('openid.issuedBy', null)
+ config('openid.issuedBy', 'laravel')
 );
 
 return new AuthorizationServer(
diff --git a/src/Laravel/config/openid.php b/src/Laravel/config/openid.php
index 8ff61ea..91e8766 100644
--- a/src/Laravel/config/openid.php
+++ b/src/Laravel/config/openid.php
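Review bot: The old issuer value hard-coded the `https://` scheme, whereas the new `IssuedByGetter::get(...)` call reports whatever scheme the request was received with; behind a TLS-terminating proxy without trusted-proxy configuration the advertised `issuer` becomes `http://…` while the endpoints on the following lines are forced to https by `URL::forceScheme('https')`, and OpenID Connect Discovery requires the issuer to be an https URL. `URL::forceScheme` only affects the URL generator, so it does not correct the request-derived value. Either set `openid.issuedBy` to the fixed public URL in production or guard the computed value, e.g. `abort_unless(str_starts_with($response['issuer'], 'https://'), 500, 'issuer must be an https URL');` before the response is returned. The method body continues past the hunk.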
@@ -83,9 +83,9 @@
 'use_microseconds' => true,
 
 /**
- * Value for the issuedBy params. By default: auto-detect to get the scheme and host from the $_SERVER variable.
- * Use "laravel-url" to use url('/') and let laravel decide
- * Use any other string for direct use of it.
+ * Value for the issuedBy params. By default: laravel to get the scheme and host from the $_SERVER variable.
+ * Options: laravel (use Request to extract scheme and host), server (use $_SERVER to detect)
+ * or another string that will be used as-is
 */
- 'issuedBy' => 'auto-detect',
+ 'issuedBy' => 'laravel',
 ];
diff --git a/src/Services/IssuedByGetter.php b/src/Services/IssuedByGetter.php
new file mode 100644
index 0000000..b50dece
--- /dev/null
+++ b/src/Services/IssuedByGetter.php
@@ -0,0 +1,30 @@
+getRequest()->getUri();
+ return $uri->getScheme() . '://' . $uri->getHost() . ($uri->getPort() ? ':' . $uri->getPort() : '');
+ }
+
+ if($issuedByConfigured === 'server' || ($issuedByConfigured === 'laravel' && !$currentRequestService)) {
+ $host = $_SERVER['HTTP_HOST'] ?? null;
+
+ $scheme = $_SERVER['REQUEST_SCHEME'] ?? null;
+
+ if (empty($scheme)) {
+ $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
+ }
+
+ return $scheme . '://' . $host;
+ }
+
+ return $issuedByConfigured;
+ }
+}
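Review bot: The new comment's first line says the default `laravel` option takes the scheme and host "from the $_SERVER variable", but the option list on the next line says `laravel` uses the Request and `server` uses `$_SERVER`; the first sentence should say the default derives the issuer from the current request. The comment should also warn that the former values `auto-detect` and `laravel-url` are no longer recognised, because a published config still carrying one of them will now be used verbatim as the issuer. Suggested extra line: ` * Note: the former values "auto-detect" and "laravel-url" are not recognised any more and would be emitted verbatim as the issuer; update published configs.`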
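Review bot: In the `server` branch `$host` falls back to `null`, so `return $scheme . '://' . $host;` yields `"http://"` as the issuer when `HTTP_HOST` is absent; the removed `getIssuedBy` returned `url('/')` in that case, so this is a silent regression. I would add after the `$host` assignment `if (empty($host)) { throw new \RuntimeException('Cannot determine issuer: HTTP_HOST is not set; configure openid.issuedBy'); }` — throwing rather than reintroducing the Laravel `url()` helper keeps this `Services` class framework-agnostic, though the project may prefer another fallback. Both request-derived branches trust the Host header, so a fixed issuer string remains the recommended production setting, and a legacy `auto-detect` or `laravel-url` value now falls through to the final `return $issuedByConfigured;` and becomes the literal issuer, which deserves an explicit rejection or at least a docblock warning. The file header, the class declaration, the method signature and the start of the `laravel` branch are not visible in the hunk as shown.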