Merged
2 changes: 2 additions & 0 deletions .env.example
Expand Up @@ -115,6 +115,8 @@ AUTH_PASSWORD_SHAPE_PATTERN="^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^
AUTH_PASSWORD_SHAPE_WARNING="Password must include at least one uppercase letter, one lowercase letter, one number, and one special character."


OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true
⚠️ Potential issue | 🟡 Minor

Inconsistency between example value and config default.

The example sets OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true, but config/oauth2.php defaults to false when the env var is not set. Developers copying this example will get validation enabled, but fresh deployments without explicit configuration will have it disabled.

Consider aligning these: either default to true in the config (preserving existing security behavior) or set the example to false to match the actual default.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.env.example at line 118, The env example and the application default
disagree: the env var OAUTH2_VALIDATE_RESOURCE_SERVER_IP is set to true in
.env.example while the app default in config (OAUTH2_VALIDATE_RESOURCE_SERVER_IP
defaulting to false) is false; make them consistent by either changing the
.env.example value to false to match the current default or updating the config
default to true so the example reflects actual behavior—update the
OAUTH2_VALIDATE_RESOURCE_SERVER_IP entry accordingly and ensure any README or
setup notes mirror that choice.


#Open Telemetry
OTEL_SERVICE_ENABLED=true
OTEL_SERVICE_NAME=idp-api
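Review bot: the added `OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true` line at the top of this hunk carries no comment, unlike the neighbouring `#Open Telemetry` block, and its value disagrees with the `false` fallback in `config/oauth2.php`, so a deployment built from this example and one built without a `.env` behave differently on a security control. Give the entry a one-line comment saying what turning it off means, for example `# Reject access tokens presented from an IP not registered for the resource server (see config/oauth2.php)`, and keep the example value and the config default the same.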
4 changes: 3 additions & 1 deletion app/Models/OAuth2/ResourceServer.php
Expand Up @@ -65,7 +65,9 @@ class ResourceServer extends BaseEntity
* @return bool
*/
public function isOwn($ip)
{ $provided_ips = array_map('trim', explode(',', $ip));
{

$provided_ips = array_map('trim', explode(',', $ip));
$own_ips = array_map('trim', explode(',', $this->ips));
Log::debug
(
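Review bot: this hunk is a whitespace-only change (the opening brace and the `$provided_ips` assignment move onto separate lines), so nothing behavioural changes, but it does show that `isOwn($ip)` splits its argument on commas and compares the resulting list against the server's registered `$this->ips`. If the caller assembles `$ip` from a proxy header such as `X-Forwarded-For`, an attacker able to prepend or append an address to that list could satisfy the check by including a registered resource-server IP; confirm that the comparison below (not shown in the hunk) requires the client-facing remote address to match rather than any element of the list, and that `$ip` is derived from the trusted-proxy-resolved address. The `Log::debug` call that follows logs both lists, which is fine at debug level but should not be promoted to a level that ships to shared log sinks.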
Expand Up @@ -78,31 +78,31 @@ public function validate(AccessToken $access_token, IClient $client)
'resource server is disabled!'
);
}
//check resource server ip address
if (!$resource_server->isOwn($current_ip))
{
throw new BearerTokenDisclosureAttemptException
(
sprintf
if (config('oauth2.validate_resource_server_ip', false)) {
//check resource server ip address
if (!$resource_server->isOwn($current_ip)) {
throw new BearerTokenDisclosureAttemptException
(
'resource server ip (%s) differs from current request ip %s',
$resource_server->getIPAddresses(),
$current_ip
)
);
}
// check if current ip belongs to a registered resource server audience
if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip))
{
throw new BearerTokenDisclosureAttemptException
(
sprintf
sprintf
(
'resource server ip (%s) differs from current request ip %s',
$resource_server->getIPAddresses(),
$current_ip
)
);
}
// check if current ip belongs to a registered resource server audience
if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) {
throw new BearerTokenDisclosureAttemptException
(
'access token current audience (%s) does not match with current request ip %s',
$access_token->getAudience(),
$current_ip
)
);
sprintf
(
'access token current audience (%s) does not match with current request ip %s',
$access_token->getAudience(),
$current_ip
)
);
}
}
}
}
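Review bot: the new `if (config('oauth2.validate_resource_server_ip', false))` guard wraps both the `$resource_server->isOwn($current_ip)` check and the `checkAccessTokenAudience($access_token, $current_ip)` check, and its inline fallback is `false`. Both checks exist to raise `BearerTokenDisclosureAttemptException` when a token is presented from a host it was not issued to, so a deployment that upgrades without setting the env var, or where `config/oauth2.php` is not shipped, silently loses that defence. Use `true` as the fallback here as well as in the config file, and log once at warning level when the flag is off so the weakened state is visible in monitoring. Separately, the audience check compares `$access_token->getAudience()` to the request IP, not to the resource-server registration, so it is a distinct control; if the intent is only to relax the resource-server IP match (for example behind NAT), gate the two checks with separate flags rather than one.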
15 changes: 15 additions & 0 deletions config/oauth2.php
@@ -0,0 +1,15 @@
<?php

return [

/*
|--------------------------------------------------------------------------
| Validate Resource Server IP Address
|--------------------------------------------------------------------------
|
| When enabled, validates that the resource server IP address matches
| the request IP and the access token audience.
|
*/
'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false),
];
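Review bot: the block comment above `'validate_resource_server_ip'` describes only the enabled case, while `env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false)` makes the disabled case the default for every install that does not set the variable. Flip the default to `true` so operators opt out explicitly, and extend the comment to state the consequence of opting out, along the lines of `| When disabled, a leaked access token can be used from any host.` Note also that the key name mentions only the IP check while the comment correctly says the flag also covers the access token audience comparison; either rename the key to reflect both checks or keep the comment explicit about both so nobody turns it off expecting only the IP match to be relaxed.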
⚠️ Potential issue | 🟠 Major

Consider defaulting to true to preserve existing security behavior.

This feature flag defaults to false, which disables resource server IP validation. If existing deployments previously relied on this validation (which was unconditional before this PR), upgrading without setting the env var will silently reduce their security posture.

A safer migration path would be to default to true (preserving current behavior) and let operators explicitly opt out if needed.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/oauth2.php` around lines 1 - 15, The config key
'validate_resource_server_ip' currently defaults to
env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false) which disables IP validation by
default; change the default to true so the expression becomes
env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true) (preserving existing security
behavior) and update any inline comment if needed to reflect that operators must
explicitly opt out via the OAUTH2_VALIDATE_RESOURCE_SERVER_IP environment
variable.
