
Mark the authorization codes that have already been used

Per the RFC 6749 section 10.5 [0] the authorization codes can be used only once. Later, knowing if an authorization code has already been used or not will be used to revoke all access tokens and refresh tokens created with it in case of a compromise (i.e. when an auth code is reused).

1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=demo&response_type=code&redirect_uri=<redirect_uri>
3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
4. Exchange the authorization code for an access token:

   shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
       --user '<client_id>:<client_secret>' \
       --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \
       https://tuleap.example.com/oauth2/token

5. The auth code should be marked as already used in the DB and it cannot be reused to get another access token.

This is part of story #14542: have OAuth2 flow

[0] https://tools.ietf.org/html/rfc6749#section-10.5

Change-Id: Id023e8674631b023896a381a201c5d5c614e9a36
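The single-use check the commit message describes, as an added stand-alone example that is not Tuleap's code: an in-memory SQLite stand-in for the auth-code DAO and verifier, where the second presentation of a code is detected and every token issued from it is revoked (RFC 6749 section 10.5). Table and column names are assumptions, not the plugin's real schema.

```python
import sqlite3
import time


class AuthCodeReused(Exception):
    """Raised when an authorization code is presented a second time."""


class AuthCodeStore:
    """Constructed stand-in for the server's auth-code and token tables (schema is an assumption)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE auth_code (
                id INTEGER PRIMARY KEY, code TEXT UNIQUE, expiration INTEGER,
                has_already_been_used INTEGER NOT NULL DEFAULT 0);
            CREATE TABLE access_token (
                id INTEGER PRIMARY KEY, auth_code_id INTEGER, token TEXT UNIQUE,
                revoked INTEGER NOT NULL DEFAULT 0);
        """)

    def issue_code(self, code, ttl=60, now=None):
        now = int(time.time()) if now is None else now
        self.db.execute("INSERT INTO auth_code(code, expiration) VALUES (?, ?)", (code, now + ttl))
        return self.db.execute("SELECT id FROM auth_code WHERE code = ?", (code,)).fetchone()[0]

    def exchange(self, code, now=None):
        """Return a new access token, None for an unknown/expired code, or raise on reuse."""
        now = int(time.time()) if now is None else now
        row = self.db.execute("SELECT id, expiration FROM auth_code WHERE code = ?", (code,)).fetchone()
        if row is None or row[1] < now:
            return None
        code_id = row[0]
        # Mark the code used in one statement: a concurrent second exchange sees rowcount 0,
        # so the check is race-free even without a prior SELECT of the flag.
        cur = self.db.execute(
            "UPDATE auth_code SET has_already_been_used = 1 WHERE id = ? AND has_already_been_used = 0",
            (code_id,))
        if cur.rowcount != 1:
            # Reuse is treated as a compromise: revoke everything issued from this code.
            self.db.execute("UPDATE access_token SET revoked = 1 WHERE auth_code_id = ?", (code_id,))
            raise AuthCodeReused(code)
        token = f"tok-{code_id}"  # constructed value; a real server issues a random token
        self.db.execute("INSERT INTO access_token(auth_code_id, token) VALUES (?, ?)", (code_id, token))
        return token

    def token_is_valid(self, token):
        row = self.db.execute("SELECT revoked FROM access_token WHERE token = ?", (token,)).fetchone()
        return row is not None and row[0] == 0
```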

Modified Files

Name | Changes
M plugins/oauth2_server/db/install.sql | +1 −0
A plugins/oauth2_server/db/mysql/2020/202003111600_add_already_used_column_oauth2_auth_code.php | +52 −0
A plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthCodeReusedException.php | +34 −0
M plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeDAO.php | +13 −6
M plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifier.php | +4 −0
M plugins/oauth2_server/phpunit/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifierTest.php | +36 −12