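/**
 * Adds a CSRF "state" token to the authorization request URL.
 *
 * The token is persisted through the token manager so that it can later be
 * compared against the `state` parameter the authorization server echoes
 * back. It is generated from random_bytes() instead of the original
 * md5(uniqid(rand(), true)), which is not a cryptographically secure source
 * and makes the state value guessable.
 *
 * @param RedirectEvent $event event carrying the authorization URL; the
 *                             listener does nothing when no URL is set yet
 */
public function onAuthorizationRequest(RedirectEvent $event)
{
    $url = $event->getUrl();
    if ($url === null) {
        return;
    }

    // 128 bits from the CSPRNG, hex-encoded: 32 characters, safe in a URL as-is.
    $token = bin2hex(random_bytes(16));
    $expiresIn = 120;

    $stateToken = $this->tokenManager->createToken("state");
    $stateToken->setToken($token);
    $stateToken->setExpiresIn($expiresIn);
    $this->tokenManager->persistToken($stateToken);

    // NOTE(review): appending with "&" assumes the URL already carries a
    // query string — confirm against the listener that builds the base URL.
    $event->setUrl($url . "&state=" . rawurlencode($token));
}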
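/**
 * Builds the authorization request URL when the server supports the
 * authorization-code grant.
 *
 * Only runs when no URL has been set on the event yet. The client secret is
 * deliberately not part of the query: the authorization request is a
 * browser redirect, so everything in its query string reaches the user
 * agent, Referer headers and server logs. The secret is only ever sent on
 * the back-channel token request.
 *
 * @param RedirectEvent $event event on which the built URL is set
 */
public function onAuthorizationRequest(RedirectEvent $event)
{
    if ($event->getUrl() !== null) {
        return;
    }

    $server = $this->credentialsProvider->getServerCredentials();
    if ($server->supports("authorization_code") === false) {
        return;
    }

    $client = $this->credentialsProvider->getClientCredentials();
    $queryData = [
        "client_id" => $client->getClientId(),
        "redirect_uri" => $client->getRedirectUri(),
        "response_type" => "code",
    ];

    // NOTE(review): "?" is appended unconditionally, as in the original —
    // verify getAuthUrl() never already contains a query string.
    $event->setUrl($server->getAuthUrl() . "?" . http_build_query($queryData));
}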