Remove OAuth2 Implicit flow

Author: cicnavi

routing/services/services.yml

@@ -56,8 +56,6 @@ services:
   # Grants
   SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant:
     factory: ['@SimpleSAML\Module\oidc\Factories\Grant\AuthCodeGrantFactory', 'build']
-  SimpleSAML\Module\oidc\Server\Grants\OAuth2ImplicitGrant:
-    factory: ['@SimpleSAML\Module\oidc\Factories\Grant\OAuth2ImplicitGrantFactory', 'build']
   SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant:
     factory: ['@SimpleSAML\Module\oidc\Factories\Grant\ImplicitGrantFactory', 'build']
   SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant:

src/Factories/AuthorizationServerFactory.php

@@ -24,7 +24,6 @@
 use SimpleSAML\Module\oidc\Server\AuthorizationServer;
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant;
-use SimpleSAML\Module\oidc\Server\Grants\OAuth2ImplicitGrant;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse;
@@ -37,7 +36,6 @@ public function __construct(
         private readonly AccessTokenRepository $accessTokenRepository,
         private readonly ScopeRepository $scopeRepository,
         private readonly AuthCodeGrant $authCodeGrant,
-        private readonly OAuth2ImplicitGrant $oAuth2ImplicitGrant,
         private readonly ImplicitGrant $implicitGrant,
         private readonly RefreshTokenGrant $refreshTokenGrant,
         private readonly IdTokenResponse $idTokenResponse,
@@ -63,11 +61,6 @@ public function build(): AuthorizationServer
             $this->moduleConfig->getAccessTokenDuration(),
         );
 
-        $authorizationServer->enableGrantType(
-            $this->oAuth2ImplicitGrant,
-            $this->moduleConfig->getAccessTokenDuration(),
-        );
-
         $authorizationServer->enableGrantType(
             $this->implicitGrant,
             $this->moduleConfig->getAccessTokenDuration(),

src/Factories/Grant/OAuth2ImplicitGrantFactory.php

@@ -5,6 +5,7 @@
 namespace SimpleSAML\Module\oidc\Server\Grants;
 
 use DateInterval;
+use League\OAuth2\Server\Grant\ImplicitGrant as OAuth2ImplicitGrant;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest as OAuth2AuthorizationRequest;
 use League\OAuth2\Server\ResponseTypes\RedirectResponse;
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
@@ -17,24 +18,32 @@
 use SimpleSAML\Module\oidc\Factories\Entities\AccessTokenEntityFactory;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AccessTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Server\Grants\Interfaces\AuthorizationValidatableWithCheckerResultBagInterface;
 use SimpleSAML\Module\oidc\Server\Grants\Traits\IssueAccessTokenTrait;
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientIdRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\MaxAgeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PromptRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RedirectUriRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest;
 use SimpleSAML\Module\oidc\Services\IdTokenBuilder;
 use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 
-class ImplicitGrant extends OAuth2ImplicitGrant
+/**
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+class ImplicitGrant extends OAuth2ImplicitGrant implements AuthorizationValidatableWithCheckerResultBagInterface
 {
     use IssueAccessTokenTrait;
 
@@ -49,14 +58,15 @@ class ImplicitGrant extends OAuth2ImplicitGrant
 
     public function __construct(
         protected IdTokenBuilder $idTokenBuilder,
-        DateInterval $accessTokenTTL,
+        protected DateInterval $accessTokenTTL,
         AccessTokenRepositoryInterface $accessTokenRepository,
-        RequestRulesManager $requestRulesManager,
+        protected RequestRulesManager $requestRulesManager,
         protected RequestParamsResolver $requestParamsResolver,
-        string $queryDelimiter,
+        protected string $queryDelimiter,
         AccessTokenEntityFactory $accessTokenEntityFactory,
     ) {
-        parent::__construct($accessTokenTTL, $queryDelimiter, $requestRulesManager);
+        parent::__construct($accessTokenTTL, $queryDelimiter);
+
         $this->accessTokenRepository = $accessTokenRepository;
         $this->accessTokenEntityFactory = $accessTokenEntityFactory;
     }
@@ -112,10 +122,8 @@ public function validateAuthorizationRequestWithCheckerResultBag(
         ServerRequestInterface $request,
         ResultBagInterface $resultBag,
     ): OAuth2AuthorizationRequest {
-        $oAuth2AuthorizationRequest =
-        parent::validateAuthorizationRequestWithCheckerResultBag($request, $resultBag);
-
         $rulesToExecute = [
+            ScopeRule::class,
             RequestObjectRule::class,
             PromptRule::class,
             MaxAgeRule::class,
@@ -129,14 +137,35 @@ public function validateAuthorizationRequestWithCheckerResultBag(
 
         $this->requestRulesManager->predefineResultBag($resultBag);
 
+        /** @var string $redirectUri */
+        $redirectUri = $resultBag->getOrFail(RedirectUriRule::class)->getValue();
+        /** @var string|null $state */
+        $state = $resultBag->getOrFail(StateRule::class)->getValue();
+        /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */
+        $client = $resultBag->getOrFail(ClientIdRule::class)->getValue();
+
+        // Some rules need certain things available in order to work properly...
+        $this->requestRulesManager->setData('default_scope', $this->defaultScope);
+        $this->requestRulesManager->setData('scope_delimiter_string', self::SCOPE_DELIMITER_STRING);
+
         $resultBag = $this->requestRulesManager->check(
             $request,
             $rulesToExecute,
             $this->shouldUseFragment(),
             $this->allowedAuthorizationHttpMethods,
         );
 
-        $authorizationRequest = AuthorizationRequest::fromOAuth2AuthorizationRequest($oAuth2AuthorizationRequest);
+        /** @var \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes */
+        $scopes = $resultBag->getOrFail(ScopeRule::class)->getValue();
+
+        $authorizationRequest = new AuthorizationRequest();
+        $authorizationRequest->setClient($client);
+        $authorizationRequest->setRedirectUri($redirectUri);
+        $authorizationRequest->setScopes($scopes);
+        $authorizationRequest->setGrantTypeId($this->getIdentifier());
+        if ($state !== null) {
+            $authorizationRequest->setState($state);
+        }
 
         // nonce existence is validated using a rule, so we can get it from there.
         $authorizationRequest->setNonce((string)$resultBag->getOrFail(RequiredNonceRule::class)->getValue());

src/Server/Grants/ImplicitGrant.php

@@ -50,7 +50,6 @@
 use SimpleSAML\Module\oidc\Factories\FormFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\AuthCodeGrantFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\ImplicitGrantFactory;
-use SimpleSAML\Module\oidc\Factories\Grant\OAuth2ImplicitGrantFactory;
 use SimpleSAML\Module\oidc\Factories\Grant\RefreshTokenGrantFactory;
 use SimpleSAML\Module\oidc\Factories\IdTokenResponseFactory;
 use SimpleSAML\Module\oidc\Factories\JwksFactory;
@@ -71,7 +70,6 @@
 use SimpleSAML\Module\oidc\Server\AuthorizationServer;
 use SimpleSAML\Module\oidc\Server\Grants\AuthCodeGrant;
 use SimpleSAML\Module\oidc\Server\Grants\ImplicitGrant;
-use SimpleSAML\Module\oidc\Server\Grants\OAuth2ImplicitGrant;
 use SimpleSAML\Module\oidc\Server\Grants\RefreshTokenGrant;
 use SimpleSAML\Module\oidc\Server\RequestRules\RequestRulesManager;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AcrValuesRule;
@@ -436,9 +434,6 @@ public function __construct()
         );
         $this->services[AuthCodeGrant::class] = $authCodeGrantFactory->build();
 
-        $oAuth2ImplicitGrantFactory = new OAuth2ImplicitGrantFactory($moduleConfig, $requestRuleManager);
-        $this->services[OAuth2ImplicitGrant::class] = $oAuth2ImplicitGrantFactory->build();
-
         $implicitGrantFactory = new ImplicitGrantFactory(
             $moduleConfig,
             $this->services[IdTokenBuilder::class],
@@ -463,7 +458,6 @@ public function __construct()
             $accessTokenRepository,
             $scopeRepository,
             $this->services[AuthCodeGrant::class],
-            $this->services[OAuth2ImplicitGrant::class],
             $this->services[ImplicitGrant::class],
             $this->services[RefreshTokenGrant::class],
             $this->services[IdTokenResponse::class],