Reflect issuer_state in access_token

mrvanes · mrvanes · commit f7db44f0da0e · 2025-10-21T11:22:12.000+02:00
diff --git a/src/Entities/AccessTokenEntity.php b/src/Entities/AccessTokenEntity.php
@@ -74,6 +74,7 @@ public function __construct(
         protected readonly ?array $authorizationDetails = null,
         protected readonly ?string $boundClientId = null,
         protected readonly ?string $boundRedirectUri = null,
+        protected ?string $issuerState = null,
     ) {
         $this->setIdentifier($id);
         $this->setClient($clientEntity);
@@ -89,6 +90,7 @@ public function __construct(
             $this->revoke();
         }
         $jwtConfiguration !== null ? $this->jwtConfiguration = $jwtConfiguration : $this->initJwtConfiguration();
+        $this->issuerState = $issuerState;
     }
 
     /**
@@ -125,6 +127,7 @@ public function getState(): array
                 null,
             'bound_client_id' => $this->boundClientId,
             'bound_redirect_uri' => $this->boundRedirectUri,
+            'issuer_state' => $this->issuerState,
         ];
     }
 
@@ -166,6 +169,9 @@ protected function convertToJWT(): Token
             ->expiresAt($this->getExpiryDateTime())
             ->relatedTo((string) $this->getUserIdentifier())
             ->withClaim('scopes', $this->getScopes());
+        if ($this->issuerState !== null) {
+            $jwtBuilder = $jwtBuilder->withClaim('issuer_state', $this->issuerState);
+        }
 
         return $this->jsonWebTokenBuilderService->getSignedProtocolJwt($jwtBuilder);
     }
diff --git a/src/Entities/AuthCodeEntity.php b/src/Entities/AuthCodeEntity.php
@@ -32,6 +32,12 @@ class AuthCodeEntity implements AuthCodeEntityInterface, MementoInterface
     use OidcAuthCodeTrait;
     use RevokeTokenTrait;
 
+    /**
+     * issuer state
+     * @var string $issuerState
+     */
+    protected ?string $issuerState = null;
+
     /**
      * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
      */
@@ -49,6 +55,7 @@ public function __construct(
         protected readonly ?array $authorizationDetails = null,
         protected readonly ?string $boundClientId = null,
         protected readonly ?string $boundRedirectUri = null,
+        protected ?string $issuer_state = null,
     ) {
         $this->identifier = $id;
         $this->client = $client;
@@ -58,6 +65,7 @@ public function __construct(
         $this->redirectUri = $redirectUri;
         $this->nonce = $nonce;
         $this->isRevoked = $isRevoked;
+        $this->issuerState = $issuer_state;
     }
 
     /**
@@ -81,6 +89,7 @@ public function getState(): array
                 null,
             'bound_client_id' => $this->boundClientId,
             'bound_redirect_uri' => $this->boundRedirectUri,
+            'issuer_state' => $this->issuerState,
         ];
     }
 
@@ -113,4 +122,10 @@ public function getBoundRedirectUri(): ?string
     {
         return $this->boundRedirectUri;
     }
+
+    public function getIssuerState(): ?string
+    {
+        return $this->issuerState;
+    }
+
 }
diff --git a/src/Factories/Entities/AccessTokenEntityFactory.php b/src/Factories/Entities/AccessTokenEntityFactory.php
@@ -40,6 +40,7 @@ public function fromData(
         ?array $authorizationDetails = null,
         ?string $boundClientId = null,
         ?string $boundRedirectUri = null,
+        ?string $issuerState = null,
     ): AccessTokenEntity {
         return new AccessTokenEntity(
             $id,
@@ -56,6 +57,7 @@ public function fromData(
             authorizationDetails: $authorizationDetails,
             boundClientId: $boundClientId,
             boundRedirectUri: $boundRedirectUri,
+            issuerState: $issuerState,
         );
     }
 
diff --git a/src/Factories/Entities/AuthCodeEntityFactory.php b/src/Factories/Entities/AuthCodeEntityFactory.php
@@ -31,6 +31,7 @@ public function fromData(
         ?string $userIdentifier = null,
         ?string $redirectUri = null,
         ?string $nonce = null,
+        ?string $issuer_state = null,
         bool $isRevoked = false,
         ?FlowTypeEnum $flowTypeEnum = null,
         ?string $txCode = null,
@@ -52,6 +53,7 @@ public function fromData(
             $authorizationDetails,
             $boundClientId,
             $boundRedirectUri,
+            $issuer_state,
         );
     }
 
@@ -94,6 +96,7 @@ public function fromState(array $state): AuthCodeEntity
         $isRevoked = (bool) $state['is_revoked'];
         $flowType = empty($state['flow_type']) ? null : FlowTypeEnum::tryFrom((string)$state['flow_type']);
         $txCode = empty($state['tx_code']) ? null : (string)$state['tx_code'];
+        $issuerState = (string) $state['issuer_state'];
 
         /** @psalm-suppress MixedAssignment */
         $authorizationDetails = isset($state['authorization_details']) && is_string($state['authorization_details']) ?
@@ -112,6 +115,7 @@ public function fromState(array $state): AuthCodeEntity
             $userIdentifier,
             $redirectUri,
             $nonce,
+            $issuerState,
             $isRevoked,
             $flowType,
             $txCode,
diff --git a/src/Factories/RequestRulesManagerFactory.php b/src/Factories/RequestRulesManagerFactory.php
@@ -24,7 +24,6 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeVerifierRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule;
-use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\MaxAgeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PromptRule;
@@ -36,6 +35,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
 use SimpleSAML\Module\oidc\Services\AuthenticationService;
 use SimpleSAML\Module\oidc\Services\LoggerService;
@@ -89,6 +89,7 @@ private function getDefaultRules(): array
     {
         return [
             new StateRule($this->requestParamsResolver, $this->helpers),
+            new IssuerStateRule($this->requestParamsResolver, $this->helpers),
             new ClientRule(
                 $this->requestParamsResolver,
                 $this->helpers,
@@ -147,7 +148,6 @@ private function getDefaultRules(): array
                 $this->protocolCache,
             ),
             new CodeVerifierRule($this->requestParamsResolver, $this->helpers),
-            new IssuerStateRule($this->requestParamsResolver, $this->helpers, $this->issuerStateRepository),
             new AuthorizationDetailsRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig),
             new ClientIdRule($this->requestParamsResolver, $this->helpers),
         ];
diff --git a/src/Repositories/AccessTokenRepository.php b/src/Repositories/AccessTokenRepository.php
@@ -113,7 +113,8 @@ public function persistNewAccessToken(OAuth2AccessTokenEntityInterface $accessTo
                 flow_type,
                 authorization_details,
                 bound_client_id,
-                bound_redirect_uri
+                bound_redirect_uri,
+                issuer_state
                 ) "
             . "VALUES (
                           :id,
@@ -127,7 +128,8 @@ public function persistNewAccessToken(OAuth2AccessTokenEntityInterface $accessTo
                           :flow_type,
                           :authorization_details,
                           :bound_client_id,
-                          :bound_redirect_uri
+                          :bound_redirect_uri,
+                          :issuer_state
                           )",
             $this->getTableName(),
         );
@@ -267,7 +269,7 @@ private function update(AccessTokenEntity $accessTokenEntity): void
                 . "client_id = :client_id, is_revoked = :is_revoked, auth_code_id = :auth_code_id, "
                 . "requested_claims = :requested_claims, flow_type = :flow_type, " .
             "authorization_details = :authorization_details, bound_client_id = :bound_client_id, " .
-            "bound_redirect_uri = :bound_redirect_uri WHERE id = :id",
+            "bound_redirect_uri = :bound_redirect_uri, issuer_state = :issuer_state WHERE id = :id",
             $this->getTableName(),
         );
 
diff --git a/src/Repositories/AuthCodeRepository.php b/src/Repositories/AuthCodeRepository.php
@@ -84,7 +84,8 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 tx_code,
                 authorization_details,
                 bound_client_id,
-                bound_redirect_uri
+                bound_redirect_uri,
+                issuer_state
             ) VALUES (
                 :id,
                 :scopes,
@@ -98,7 +99,8 @@ public function persistNewAuthCode(OAuth2AuthCodeEntityInterface $authCodeEntity
                 :tx_code,
                 :authorization_details,
                 :bound_client_id,
-                :bound_redirect_uri
+                :bound_redirect_uri,
+                :issuer_state
             )
             EOS,
             $this->getTableName(),
@@ -224,7 +226,8 @@ private function update(AuthCodeEntity $authCodeEntity): void
                 tx_code = :tx_code,
                 authorization_details = :authorization_details,
                 bound_client_id = :bound_client_id,
-                bound_redirect_uri = :bound_redirect_uri
+                bound_redirect_uri = :bound_redirect_uri,
+                issuer_state = :issuer_state
             WHERE id = :id
 EOS
             ,
diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php
@@ -23,6 +23,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
 use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest;
 use SimpleSAML\Module\oidc\Services\LoggerService;
@@ -83,6 +84,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
 
         $rulesToExecute = [
             StateRule::class,
+            IssuerStateRule::class,
             ClientRule::class,
             ClientRedirectUriRule::class,
         ];
diff --git a/src/Server/Grants/AuthCodeGrant.php b/src/Server/Grants/AuthCodeGrant.php
@@ -52,7 +52,6 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeMethodRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeChallengeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\CodeVerifierRule;
-use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\MaxAgeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PromptRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestedClaimsRule;
@@ -61,6 +60,7 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IssuerStateRule;
 use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\AcrResponseTypeInterface;
 use SimpleSAML\Module\oidc\Server\ResponseTypes\Interfaces\AuthTimeResponseTypeInterface;
@@ -347,6 +347,7 @@ protected function issueOidcAuthCode(
                     $userIdentifier,
                     $redirectUri,
                     $authorizationRequest->getNonce(),
+                    $authorizationRequest->getIssuerState(),
                     flowTypeEnum: $flowType,
                     authorizationDetails: $authorizationRequest->getAuthorizationDetails(),
                     boundClientId: $authorizationRequest->getBoundClientId(),
@@ -603,6 +604,12 @@ public function respondToAccessTokenRequest(
         json_decode(json_encode($authCodePayload->claims, JSON_THROW_ON_ERROR), true, 512, JSON_THROW_ON_ERROR)
         : null;
 
+        $auth_code_id = $authCodePayload->auth_code_id;
+        $authCodeEntity = $this->authCodeRepository->findById($auth_code_id);
+
+        /** @var string $issuerState */
+        $issuerState = $authCodeEntity->getIssuerState();
+
         // Issue and persist new access token
         $accessToken = $this->issueAccessToken(
             $accessTokenTTL,
@@ -615,6 +622,7 @@ public function respondToAccessTokenRequest(
             $storedAuthCodeEntity->getAuthorizationDetails(),
             $storedAuthCodeEntity->getBoundClientId(),
             $storedAuthCodeEntity->getBoundRedirectUri(),
+            $issuerState,
         );
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::ACCESS_TOKEN_ISSUED, $request));
         $responseType->setAccessToken($accessToken);
@@ -759,6 +767,8 @@ public function validateAuthorizationRequestWithRequestRules(
         $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue();
         /** @var string|null $state */
         $state = $resultBag->getOrFail(StateRule::class)->getValue();
+        /** @var string|null $issuer_state */
+        $issuer_state = $resultBag->getOrFail(IssuerStateRule::class)->getValue();
         /** @var \SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface $client */
         $client = $resultBag->getOrFail(ClientRule::class)->getValue();
 
@@ -881,9 +891,9 @@ public function validateAuthorizationRequestWithRequestRules(
         $authorizationRequest->setFlowType($flowType);
 
         /** @var ?string $issuerState */
-        $issuerState = $resultBag->get(IssuerStateRule::class)?->getValue();
-        $this->loggerService->debug('AuthCodeGrant: Issuer state: ', ['issuerState' => $issuerState]);
-        $authorizationRequest->setIssuerState($issuerState);
+        if ($issuer_state !== null) {
+            $authorizationRequest->setIssuerState($issuer_state);
+        }
 
         /** @var ?array $authorizationDetails */
         $authorizationDetails = $resultBag->get(AuthorizationDetailsRule::class)?->getValue();
diff --git a/src/Server/Grants/Traits/IssueAccessTokenTrait.php b/src/Server/Grants/Traits/IssueAccessTokenTrait.php
@@ -55,6 +55,7 @@ protected function issueAccessToken(
         ?array $authorizationDetails = null,
         ?string $boundClientId = null,
         ?string $boundRedirectUri = null,
+        ?string $issuerState = null,
     ): AccessTokenEntityInterface {
         $maxGenerationAttempts = AbstractGrant::MAX_RANDOM_TOKEN_GENERATION_ATTEMPTS;
 
@@ -79,6 +80,7 @@ protected function issueAccessToken(
                     authorizationDetails: $authorizationDetails,
                     boundClientId: $boundClientId,
                     boundRedirectUri: $boundRedirectUri,
+                    issuerState: $issuerState
                 );
                 $this->accessTokenRepository->persistNewAccessToken($accessToken);
                 return $accessToken;
diff --git a/src/Server/RequestRules/Rules/IssuerStateRule.php b/src/Server/RequestRules/Rules/IssuerStateRule.php
@@ -5,27 +5,15 @@
 namespace SimpleSAML\Module\oidc\Server\RequestRules\Rules;
 
 use Psr\Http\Message\ServerRequestInterface;
-use SimpleSAML\Module\oidc\Helpers;
-use SimpleSAML\Module\oidc\Repositories\IssuerStateRepository;
-use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultBagInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\Interfaces\ResultInterface;
 use SimpleSAML\Module\oidc\Server\RequestRules\Result;
 use SimpleSAML\Module\oidc\Services\LoggerService;
-use SimpleSAML\Module\oidc\Utils\RequestParamsResolver;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 use SimpleSAML\OpenID\Codebooks\ParamsEnum;
 
 class IssuerStateRule extends AbstractRule
 {
-    public function __construct(
-        RequestParamsResolver $requestParamsResolver,
-        Helpers $helpers,
-        protected readonly IssuerStateRepository $issuerStateRepository,
-    ) {
-        parent::__construct($requestParamsResolver, $helpers);
-    }
-
     /**
      * @inheritDoc
      */
@@ -37,25 +25,12 @@ public function checkRule(
         bool $useFragmentInHttpErrorResponses = false,
         array $allowedServerRequestMethods = [HttpMethodsEnum::GET],
     ): ?ResultInterface {
-        $loggerService->debug('IssuerStateRule::checkRule');
-
-        $issuerState = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods(
+        $issuer_state = $this->requestParamsResolver->getAsStringBasedOnAllowedMethods(
             ParamsEnum::IssuerState->value,
             $request,
             $allowedServerRequestMethods,
         );
 
-        if ($issuerState === null) {
-            return null;
-        }
-
-        if ($this->issuerStateRepository->findValid($issuerState) === null) {
-            $loggerService->error('IssuerStateRule: Invalid issuer state: ' . $issuerState);
-            throw OidcServerException::invalidRequest(ParamsEnum::IssuerState->value);
-        }
-
-        $loggerService->debug('IssuerStateRule: Valid issuer state: ' . $issuerState);
-
-        return new Result($this->getKey(), $issuerState);
+        return new Result($this->getKey(), $issuer_state);
     }
 }
diff --git a/src/Services/DatabaseMigration.php b/src/Services/DatabaseMigration.php
