diff --git a/app/Http/Controllers/OIDCController.php b/app/Http/Controllers/OIDCController.php
index d1fd509..aa0153b 100644
--- a/app/Http/Controllers/OIDCController.php
+++ b/app/Http/Controllers/OIDCController.php
@@ -27,10 +27,10 @@ class OIDCController extends Controller
 }
 $user = auth()->user();
-
+
 // Check if user has auto-approval enabled and has previously authorized this app
 $hasAuthorizedBefore = $user->tokens()->where('application_id', $client->id)->exists();
-
+
 if ($user->auto_approve_apps && $hasAuthorizedBefore) {
 // Auto-approve: generate code and redirect directly
 $code = Str::random(40);
@@ -83,7 +83,14 @@ class OIDCController extends Controller
 // whatever comes in the request
 $client = Application::findOrFail($payload['client_id']);
+ // Support basic auth. Sometimes the ID and secret might
+ // come in the header since it's TECHNICALLY part
+ // of the oauth spec
+ $client_id = $request->client_id ?? $request->getUser();
+ $client_secret = $request->client_secret ?? $request->getPassword();
+
 if ($request->has('code_verifier')) {
+ // PKCE validation
 $verifier = $request->code_verifier;
 $method = $payload['code_challenge_method'] ?? 'plain';
@@ -97,13 +104,14 @@ class OIDCController extends Controller
 if (!$valid) {
 abort(403, 'Invalid PKCE code_verifier');
 }
- } elseif ($request->has('client_id') && $request->has('client_secret')) {
+ } elseif (!empty($client_id) && !empty($client_secret)) {
 // Client credentials validation
- if ($request->client_id !== $client->client_id) {
+ if ($client_id !== $client->client_id) {
 abort(403, 'Client ID mismatch');
 }
- if (!hash_equals($client->client_secret, $request->client_secret)) {
+
+ if (!hash_equals($client_secret, $client->client_secret)) {
 abort(403, 'Invalid client secret');
 }
 } else {
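Review bot: `$client_id = $request->client_id ?? $request->getUser();` (and the `$client_secret` line under it) takes the Basic-auth credentials verbatim, whereas RFC 6749 §2.3.1 form-urlencodes the client id and secret before they are base64-encoded into the header, so a stored id or secret containing a reserved character would never match in the later comparison branch; decoding the header values, e.g. `$client_id = $request->client_id ?? rawurldecode($request->getUser() ?? '');`, closes that gap if such values can occur in this deployment. A second point: the body/query fallbacks accept whatever type the request carries, so a non-string `client_secret` parameter reaches `hash_equals()` in the next hunk as a `TypeError` (a 500 response) rather than the intended 403; normalising both values to `?string` at this point keeps the failure path explicit. The enclosing method begins and ends outside this hunk.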
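Review bot: The rewritten line `if (!hash_equals($client_secret, $client->client_secret)) {` reverses the argument order of the line it replaces; `hash_equals(string $known_string, string $user_string)` documents the stored value first and the caller-supplied value second, so this should read `if (!hash_equals($client->client_secret, $client_secret)) {`. The new guard `} elseif (!empty($client_id) && !empty($client_secret)) {` also treats the string `'0'` as absent (`empty('0')` is true), so a client id or secret that is literally "0" drops into the `else` branch; `$client_id !== null && $client_secret !== null` (or a `!== ''` check) matches the intent without that edge. Unchanged by the commit but now more visible: a request carrying a `code_verifier` is handled entirely by the PKCE branch and never reaches this credential check, so if confidential clients are expected to always present their secret, that expectation is not enforced here — a comment on the `if`/`elseif` stating which client types each branch is meant for would help the next reader. The enclosing method begins and ends outside this hunk.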
@@ -183,11 +191,11 @@ class OIDCController extends Controller
 // if (!$token || $token->expires_at->isPast()) {
 // return response()->json(['error' => 'invalid_token'], 401);
 // }
-
+
 if (empty($token)) {
 return response()->json(['error' => 'invalid_token'], 401);
 }
-
+
 $user = $token->user;
 if (empty($user)) {
 return response()->json(['error' => 'invalid_token'], 401);
diff --git a/resources/views/livewire/app-info-modal.blade.php b/resources/views/livewire/app-info-modal.blade.php
index 9baef12..7bc286a 100644
--- a/resources/views/livewire/app-info-modal.blade.php
+++ b/resources/views/livewire/app-info-modal.blade.php
@@ -38,7 +38,7 @@