Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -53,3 +53,9 @@ run-tests.log
/phpstan.neon
# PHPStan cache directory
/.phpstan.cache/

# Added by horde-components QC --fix-qc-issues
# Horde installer plugin runtime data
/var/
# Horde installer plugin web-accessible directory
/web/
11 changes: 9 additions & 2 deletions src/Client/OAuth2Client.php
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,10 @@ private function tokenRequest(array $params): TokenSet
/**
* Revoke a token at the provider's revocation endpoint (RFC 7009).
*
* Client authentication uses revocation_endpoint_auth_methods_supported
* when advertised, falling back to token_endpoint_auth_methods_supported
* per RFC 8414 §2.
*
* @param string $token The token to revoke (access or refresh).
* @param string $tokenTypeHint 'access_token' or 'refresh_token'.
* @throws OAuthException If the provider has no revocation endpoint
Expand All @@ -236,10 +240,13 @@ public function revokeToken(string $token, string $tokenTypeHint = 'access_token
'client_id' => $this->clientId,
];

$authMethods = $this->provider->revocationEndpointAuthMethodsSupported
?? $this->provider->tokenEndpointAuthMethodsSupported;

$useBasic = false;
if ($this->clientSecret !== null) {
$useBasic = in_array('client_secret_basic', $this->provider->tokenEndpointAuthMethodsSupported, true)
&& !in_array('client_secret_post', $this->provider->tokenEndpointAuthMethodsSupported, true);
$useBasic = in_array('client_secret_basic', $authMethods, true)
&& !in_array('client_secret_post', $authMethods, true);

if (!$useBasic) {
$params['client_secret'] = $this->clientSecret;
Expand Down
19 changes: 14 additions & 5 deletions src/Client/ProviderConfig.php
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,15 @@
final class ProviderConfig
{
/**
* @param string[] $scopesSupported
* @param string[] $responseTypesSupported
* @param string[] $grantTypesSupported
* @param string[] $tokenEndpointAuthMethodsSupported
* @param string[] $idTokenSigningAlgValuesSupported
* @param string[] $scopesSupported
* @param string[] $responseTypesSupported
* @param string[] $grantTypesSupported
* @param string[] $tokenEndpointAuthMethodsSupported
* @param string[]|null $revocationEndpointAuthMethodsSupported RFC 8414
* §2 override for the revocation endpoint. Null means "not
* advertised; fall back to tokenEndpointAuthMethodsSupported per
* RFC 8414 §2's specified default."
* @param string[] $idTokenSigningAlgValuesSupported
*/
public function __construct(
public readonly string $issuer,
Expand All @@ -34,6 +38,7 @@ public function __construct(
public readonly array $responseTypesSupported = ['code'],
public readonly array $grantTypesSupported = [],
public readonly array $tokenEndpointAuthMethodsSupported = ['client_secret_basic'],
public readonly ?array $revocationEndpointAuthMethodsSupported = null,
public readonly array $idTokenSigningAlgValuesSupported = [],
) {}

Expand All @@ -54,6 +59,9 @@ public static function fromArray(array $data): self
responseTypesSupported: (array) ($data['response_types_supported'] ?? ['code']),
grantTypesSupported: (array) ($data['grant_types_supported'] ?? []),
tokenEndpointAuthMethodsSupported: (array) ($data['token_endpoint_auth_methods_supported'] ?? ['client_secret_basic']),
revocationEndpointAuthMethodsSupported: isset($data['revocation_endpoint_auth_methods_supported'])
? (array) $data['revocation_endpoint_auth_methods_supported']
: null,
idTokenSigningAlgValuesSupported: (array) ($data['id_token_signing_alg_values_supported'] ?? []),
);
}
Expand All @@ -75,6 +83,7 @@ public function toArray(): array
'response_types_supported' => $this->responseTypesSupported,
'grant_types_supported' => $this->grantTypesSupported,
'token_endpoint_auth_methods_supported' => $this->tokenEndpointAuthMethodsSupported,
'revocation_endpoint_auth_methods_supported' => $this->revocationEndpointAuthMethodsSupported,
'id_token_signing_alg_values_supported' => $this->idTokenSigningAlgValuesSupported,
], static fn($v) => $v !== null && $v !== []);
}
Expand Down
Loading