Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[11.x] Allow using custom BearerTokenValidator #1653

Closed
wants to merge 1 commit into from

Conversation

PaolaRuby
Copy link

@PaolaRuby PaolaRuby commented Apr 10, 2023

This PR does not break any existing features

This PR allows overriding the default BearerTokenValidator class by calling Passport::useBearerTokenValidator.

BearerTokenValidator could be extended or could be used with AuthorizationValidatorInterface

Why?

Because ResourceServer supports custom authorization validators but actually we have to overwrite PassportServiceProvider just for use this functionality

Complement of #1638

.gitignore Outdated Show resolved Hide resolved
@taylorotwell
Copy link
Member

Do you actually need this in a real-world project or is this being sent in for consistency?

@taylorotwell
Copy link
Member

Thanks for your pull request to Laravel!

Unfortunately, I'm going to delay merging this code for now. To preserve our ability to adequately maintain the framework, we need to be very careful regarding the amount of code we include.

If possible, please consider releasing your code as a package so that the community can still take advantage of your contributions!

If you feel absolutely certain that this code corrects a bug in the framework, please "@" mention me in a follow-up comment with further explanation so that GitHub will send me a notification of your response.

@taylorotwell
Copy link
Member

Closing pending description of real-world need and use case.

@PaolaRuby
Copy link
Author

PaolaRuby commented Apr 11, 2023

Do you actually need this in a real-world project or is this being sent in for consistency?

of course i need it

Closing pending description of real-world need and use case.

if you look #1638, it is to help on private claims, i have custom claims on token

So i am implementing my custom validator based on my custom private claims
https://github.com/thephpleague/oauth2-server/blob/43cd4d406906c6be5c8de2cee9bd3ad3753544ef/src/AuthorizationValidators/BearerTokenValidator.php#L119-L132

$claims = $token->claims();

if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
    throw OAuthServerException::accessDenied('Access token has been revoked');
}

// Here check if token has been revoked on my custom validations
if ($this->validateAccessToken($claims)) {
    throw OAuthServerException::accessDenied('Access token is not valid');
}

return $request
    ->withAttribute('oauth_access_token_id', $claims->get('jti'))
    ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud')))
    ->withAttribute('oauth_user_id', $claims->get('sub'))
    ->withAttribute('oauth_scopes', $claims->get('scopes'))
   // here i return my private claims to my custom token guard
    ->withAttribute('oauth_custom_claims', $claims->get('custom_claims'));

@taylorotwell

@driesvints
Copy link
Member

@PaolaRuby looks like Taylor doesn't wants to merge this right now, sorry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants