Merge pull request #118 from lart2150/feature/support-no-consent-clients

feat: add a configuration option to support clients that don't require consent

Author: ashfame

src/Http/Handlers/AuthenticateHandler.php

@@ -6,13 +6,14 @@
 use OAuth2\Response;
 use OpenIDConnectServer\Http\RequestHandler;
 use OpenIDConnectServer\Http\Router;
+use OpenIDConnectServer\Storage\ClientCredentialsStorage;
 use OpenIDConnectServer\Storage\ConsentStorage;
 
 class AuthenticateHandler extends RequestHandler {
 	private ConsentStorage $consent_storage;
-	private array $clients;
+	private ClientCredentialsStorage $clients;
 
-	public function __construct( ConsentStorage $consent_storage, array $clients ) {
+	public function __construct( ConsentStorage $consent_storage, ClientCredentialsStorage $clients ) {
 		$this->consent_storage = $consent_storage;
 		$this->clients         = $clients;
 	}
@@ -22,15 +23,19 @@ public function handle( Request $request, Response $response ): Response {
 			auth_redirect();
 		}
 
-		$client_name = $this->get_client_name( $request );
+		$client_id = $request->query( 'client_id' );
+
+		$client_name = $this->clients->getClientName( $client_id );
 		if ( empty( $client_name ) ) {
 			$response->setStatusCode( 404 );
 
 			return $response;
 		}
 
-		$client_id = $request->query( 'client_id' );
-		if ( ! $this->consent_storage->needs_consent( get_current_user_id(), $client_id ) ) {
+		if (
+		! $this->clients->clientRequiresConsent( $client_id )
+		|| ! $this->consent_storage->needs_consent( get_current_user_id(), $client_id )
+		) {
 			$this->redirect( $request );
 			// TODO: return response instead of exiting.
 			exit;
@@ -155,25 +160,6 @@ private function redirect( Request $request ) {
 		);
 	}
 
-	/**
-	 * TODO: Remove this function in favour of ClientCredentialsStorage?
-	 */
-	private function get_client_name( Request $request ): string {
-		$client_id = $request->query( 'client_id' );
-
-		if ( ! isset( $this->clients[ $client_id ] ) ) {
-			return '';
-		}
-
-		$client = $this->clients[ $client_id ];
-
-		if ( empty( $client['name'] ) ) {
-			return '';
-		}
-
-		return $client['name'];
-	}
-
 	private function get_cancel_url( Request $request ) {
 		return add_query_arg(
 			array(

src/Http/Handlers/AuthorizeHandler.php

@@ -8,17 +8,20 @@
 use OAuth2\Response;
 use OAuth2\Server as OAuth2Server;
 use OpenIDConnectServer\Http\RequestHandler;
+use OpenIDConnectServer\Storage\ClientCredentialsStorage;
 use OpenIDConnectServer\Storage\ConsentStorage;
 
 const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts';
 
 class AuthorizeHandler extends RequestHandler {
 	private OAuth2Server $server;
 	private ConsentStorage $consent_storage;
+	private ClientCredentialsStorage $clients;
 
-	public function __construct( OAuth2Server $server, ConsentStorage $consent_storage ) {
+	public function __construct( OAuth2Server $server, ConsentStorage $consent_storage, ClientCredentialsStorage $clients ) {
 		$this->server          = $server;
 		$this->consent_storage = $consent_storage;
+		$this->clients         = $clients;
 	}
 
 	public function handle( Request $request, Response $response ): Response {
@@ -44,7 +47,10 @@ public function handle( Request $request, Response $response ): Response {
 		$user = wp_get_current_user();
 
 		$client_id = $request->query( 'client_id', $request->request( 'client_id' ) );
-		if ( $this->consent_storage->needs_consent( $user->ID, $client_id ) ) {
+		if (
+			$this->clients->clientRequiresConsent( $client_id )
+			&& $this->consent_storage->needs_consent( $user->ID, $client_id )
+		) {
 			if ( ! isset( $_POST['authorize'] ) || __( 'Authorize', 'openid-connect-server' ) !== $_POST['authorize'] ) {
 				$response->setError( 403, 'user_authorization_required', 'This application requires your consent.' );
 				return $response;

src/OpenIDConnectServer.php

@@ -20,13 +20,13 @@
 
 class OpenIDConnectServer {
 	private string $public_key;
-	private array $clients;
+	private ClientCredentialsStorage $clients;
 	private Router $router;
 	private ConsentStorage $consent_storage;
 
 	public function __construct( string $public_key, string $private_key, array $clients ) {
 		$this->public_key      = $public_key;
-		$this->clients         = $clients;
+		$this->clients         = new ClientCredentialsStorage( $clients );
 		$this->router          = new Router();
 		$this->consent_storage = new ConsentStorage();
 
@@ -38,7 +38,7 @@ public function __construct( string $public_key, string $private_key, array $cli
 
 		$server = new Server( new AuthorizationCodeStorage(), $config );
 		$server->addStorage( new PublicKeyStorage( $public_key, $private_key ), 'public_key' );
-		$server->addStorage( new ClientCredentialsStorage( $clients ), 'client_credentials' );
+		$server->addStorage( $this->clients, 'client_credentials' );
 		$server->addStorage( new UserClaimsStorage(), 'user_claims' );
 
 		// Declare rest routes.
@@ -50,7 +50,7 @@ public function __construct( string $public_key, string $private_key, array $cli
 		);
 		$this->router->add_rest_route(
 			'authorize',
-			new AuthorizeHandler( $server, $this->consent_storage ),
+			new AuthorizeHandler( $server, $this->consent_storage, $this->clients ),
 			array( 'GET', 'POST' ),
 			$this->expected_arguments_specification( 'authorize' ),
 		);

src/Storage/ClientCredentialsStorage.php

@@ -25,6 +25,34 @@ public function getClientDetails( $client_id ) {
 		);
 	}
 
+	public function getClientName( $client_id ) {
+		if ( ! $this->has( $client_id ) ) {
+			return '';
+		}
+
+		$client = $this->get( $client_id );
+
+		if ( empty( $client['name'] ) ) {
+			return '';
+		}
+
+		return $client['name'];
+	}
+
+	public function clientRequiresConsent( $client_id ): bool {
+		if ( ! $this->has( $client_id ) ) {
+			return true;
+		}
+
+		$client = $this->get( $client_id );
+
+		if ( ! array_key_exists( 'requires_consent', $client ) ) {
+			return true;
+		}
+
+		return false !== $client['requires_consent'];
+	}
+
 	public function getClientScope( $client_id ) {
 		if ( ! $this->has( $client_id ) ) {
 			return '';