diff --git a/.env.example b/.env.example index 30eb92d0..0d1c7994 100644 --- a/.env.example +++ b/.env.example @@ -115,6 +115,8 @@ AUTH_PASSWORD_SHAPE_PATTERN="^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^ AUTH_PASSWORD_SHAPE_WARNING="Password must include at least one uppercase letter, one lowercase letter, one number, and one special character." +OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true + #Open Telemetry OTEL_SERVICE_ENABLED=true OTEL_SERVICE_NAME=idp-api diff --git a/app/Models/OAuth2/ResourceServer.php b/app/Models/OAuth2/ResourceServer.php index ae8d7ea5..7e3ac8fd 100644 --- a/app/Models/OAuth2/ResourceServer.php +++ b/app/Models/OAuth2/ResourceServer.php @@ -65,7 +65,9 @@ class ResourceServer extends BaseEntity * @return bool */ public function isOwn($ip) - { $provided_ips = array_map('trim', explode(',', $ip)); + { + + $provided_ips = array_map('trim', explode(',', $ip)); $own_ips = array_map('trim', explode(',', $this->ips)); Log::debug ( diff --git a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php index 0866af98..3421e873 100644 --- a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php +++ b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php 
@@ -78,31 +78,31 @@ public function validate(AccessToken $access_token, IClient $client) 'resource server is disabled!' ); } - //check resource server ip address - if (!$resource_server->isOwn($current_ip)) - { - throw new BearerTokenDisclosureAttemptException - ( - sprintf + if (config('oauth2.validate_resource_server_ip', false)) { + //check resource server ip address + if (!$resource_server->isOwn($current_ip)) { + throw new BearerTokenDisclosureAttemptException ( - 'resource server ip (%s) differs from current request ip %s', - $resource_server->getIPAddresses(), - $current_ip - ) - ); - } - // check if current ip belongs to a registered resource server audience - if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) - { - throw new BearerTokenDisclosureAttemptException - ( - sprintf + sprintf + ( + 'resource server ip (%s) differs from current request ip %s', + $resource_server->getIPAddresses(), + $current_ip + ) + ); + } + // check if current ip belongs to a registered resource server audience + if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) { + throw new BearerTokenDisclosureAttemptException ( - 'access token current audience (%s) does not match with current request ip %s', - $access_token->getAudience(), - $current_ip - ) - ); + sprintf + ( + 'access token current audience (%s) does not match with current request ip %s', + $access_token->getAudience(), + $current_ip + ) + ); + } } } } \ No newline at end of file diff --git a/config/oauth2.php b/config/oauth2.php new file mode 100644 index 00000000..c8736d26 --- /dev/null +++ b/config/oauth2.php @@ -0,0 +1,15 @@ + env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false), +];
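Review bot: The new `if (config('oauth2.validate_resource_server_ip', false))` guard fails open: when the key is absent the fallback is `false`, and the whole block it wraps — the only place `BearerTokenDisclosureAttemptException` is raised in this hunk — is skipped without any trace, so a deployment that forgets the env var silently loses the control. The fallback should be the secure value, `if (config('oauth2.validate_resource_server_ip', true)) {`, and the skipped path should leave a record (a warning-level log line, if the class has a logger in scope — none is visible in the hunk) so an operator can tell the check is disabled. The guard also encloses the `checkAccessTokenAudience` call, which is a separate control (token audience vs. the party presenting it) and presumably still meaningful when per-host IP matching is not wanted; consider leaving that check outside the flag or giving it its own key, and add a comment above the `if` stating that disabling the flag turns off bearer-token disclosure protection for this grant. The `validate()` method starts before this hunk.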
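Review bot: `env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false)` makes the insecure setting the default for any environment that does not define the variable, which contradicts the `true` shipped in `.env.example` in the same commit and means a missing or misspelled variable disables a security check rather than enforcing it. Default to the secure side, `'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),`, and document the key with a comment explaining that it gates the resource-server IP and token-audience validation in ValidateBearerTokenResourceServerStrategy and should only be turned off when requests arrive through a proxy that hides the resource server's address. Only two of the fifteen added lines of this new file are visible in this rendering, so the rest of it (file header, any other keys) could not be reviewed.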