If an authorization code is detected as reused, the token endpoint rejects the request and revokes existing access tokens [0].

Test scenario:
1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=demo&response_type=code&redirect_uri=<redirect_uri>
3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
4. Exchange the authorization code for an access token:
   shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
       --user '<client_id>:<client_secret>' \
       --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \
       https://tuleap.example.com/oauth2/token
5. Try to replay the same request. No access token should be delivered and the previous one should be revoked.

This is part of story #14542: have OAuth2 flow

[0] https://tools.ietf.org/html/rfc6749#section-4.1.2

Change-Id: I5f74186d21319b2d28e946cb9a94803bacd98d01
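The behaviour the commit message tests, as an added model that is not Tuleap's code (written in Python rather than the plugin's PHP): a token endpoint that exchanges an authorization code once, rejects an expired code, and on a replayed code both refuses the request and revokes the tokens the first exchange produced, as RFC 6749 section 4.1.2 requires. Class and field names, the 60-second lifetime and the sample client values are constructed for this example.

```python
import time
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 60  # the page states the code is valid only 1 minute


@dataclass
class AuthorizationCode:
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False
    issued_tokens: list = field(default_factory=list)  # tokens minted from this code


class TokenEndpoint:
    """Minimal model of the authorization_code grant's one-time-use check."""

    def __init__(self, clock=time.time):
        self.codes = {}
        self.active_tokens = set()
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self._counter = 0

    def issue_code(self, code, client_id, redirect_uri):
        self.codes[code] = AuthorizationCode(
            client_id, redirect_uri, self.clock() + CODE_LIFETIME_SECONDS)

    def exchange(self, code, client_id, redirect_uri):
        """Return an access token, or None when the request must be rejected."""
        entry = self.codes.get(code)
        if entry is None or entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return None
        if entry.used:
            # Replay detected: reject, and revoke every token this code already produced
            # so a code stolen in transit cannot be turned into a second long-lived grant.
            for token in entry.issued_tokens:
                self.active_tokens.discard(token)
            return None
        if self.clock() > entry.expires_at:
            return None
        entry.used = True
        self._counter += 1
        token = f"token-{self._counter}"
        entry.issued_tokens.append(token)
        self.active_tokens.add(token)
        return token


def replay_scenario():
    """Steps 4 and 5 of the test scenario; returns (first token, replay result, token still active)."""
    endpoint = TokenEndpoint(clock=lambda: 1000.0)  # constructed, frozen clock
    endpoint.issue_code("code-abc", "client-1", "https://rp.example/cb")
    first = endpoint.exchange("code-abc", "client-1", "https://rp.example/cb")
    replay = endpoint.exchange("code-abc", "client-1", "https://rp.example/cb")
    return first, replay, first in endpoint.active_tokens
```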
Modified Files
Status | File | Added | Removed
---|---|---|---
M | plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeDAO.php | +13 | −0
M | plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifier.php | +20 | −0
M | plugins/oauth2_server/phpunit/Grant/AuthorizationCode/OAuth2AuthorizationCodeVerifierTest.php | +1 | −0
A | plugins/oauth2_server/tests/.simpletest_skip | +0 | −0
A | plugins/oauth2_server/tests/integration/Grant/AuthorizationCode/OAuth2AuthorizationCodeDAOTest.php | +105 | −0
M | tests/integration/bin/setup.sh | +1 | −0