From 7de2564cb2d47ec1beee7ac11024ccc61cde0d60 Mon Sep 17 00:00:00 2001 From: Ben Peachey Date: Mon, 24 Nov 2025 15:54:10 +0100 Subject: [PATCH 1/2] Add issuer `iss` as HTTP Query Parameter to redirect URL in OAuth responses. --- src/Server.php | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/src/Server.php b/src/Server.php index 6e098d1..838e7d3 100644 --- a/src/Server.php +++ b/src/Server.php @@ -40,10 +40,12 @@ final public function respondToAccessTokenRequest(Request $request) : Response $response = $this->response; try { - return $authorizationServer->respondToAccessTokenRequest($request, $response); + $httpResponse = $authorizationServer->respondToAccessTokenRequest($request, $response); } catch (OAuthServerException $serverException) { - return $this->createOauthServerExceptionResponse($response, $serverException); + $httpResponse = $this->createOauthServerExceptionResponse($response, $serverException); } + + return $this->addIssuerToRedirectUrl($httpResponse); } /** @@ -95,6 +97,7 @@ final public function respondToAuthorizationRequest( // Return the HTTP redirect response $response = $authorizationServer->completeAuthorizationRequest($authRequest, $response); + $response = $this->addIssuerToRedirectUrl($response); } else { // @CHECKME: 404 or throw Exception? $response = $response->withStatus(404); 
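Review bot: In respondToAccessTokenRequest() the new call to addIssuerToRedirectUrl() looks like a no-op, because the helper only acts when a `Location` header is present and a token endpoint reply is normally a JSON body rather than a redirect. RFC 9207 defines `iss` for authorization responses, so the token path could keep its two direct `return` statements. If the call is kept on purpose, a comment such as `// No-op unless the response carries a Location header` would say why. The method body starts above the hunk.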
@@ -150,4 +153,40 @@ private function createJsonResponse(Response $response, $json = null) : Response return $response->withHeader('content-type', 'application/json; charset=UTF-8'); } + + /** + * Add `iss` query param to the Location header, if present and not already set. + * + * @see https://www.ietf.org/rfc/rfc9207 + */ + private function addIssuerToRedirectUrl(Response $response): Response + { + if ($response->hasHeader('Location')) { + $location = $response->getHeaderLine('Location'); + + $urlParts = parse_url($location); + $queryParams = []; + if (isset($urlParts['query'])) { + parse_str($urlParts['query'], $queryParams); + } + + if ( ! array_key_exists('iss', $queryParams)) { + $issuer = $this->config->getServer()->get(OidcMeta::ISSUER); + $queryParams['iss'] = $issuer; + + $urlParts['query'] = http_build_query($queryParams); + + $location = vsprintf("%s%s%s?%s", [ + isset($urlParts['scheme']) ? $urlParts['scheme'] . '://' : '', + $urlParts['host'] ?? '', + $urlParts['path'] ?? '', + $urlParts['query'] + ]); + + $response = $response->withHeader('Location', $location); + } + } + + return $response; + } } From c74618fc7954c0dfe9dea61da281959b8106f294 Mon Sep 17 00:00:00 2001 From: Ben Peachey Date: Mon, 24 Nov 2025 15:54:34 +0100 Subject: [PATCH 2/2] [@CHECKME] Add issuer `iss` as HTTP Query Parameter to redirect URL in OAuth responses. --- src/Server.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Server.php b/src/Server.php index 838e7d3..43a6d8c 100644 --- a/src/Server.php +++ b/src/Server.php 
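Review bot: addIssuerToRedirectUrl() rebuilds the Location URL from scheme, host, path and query only, so a port, userinfo or fragment in the redirect URI is silently dropped; a callback on a non-default port would be sent to the default one, and a response that carries its parameters in the fragment would lose them. The `parse_str()`/`http_build_query()` round trip can also rename existing query keys (dots and spaces become underscores), and a `false` return from `parse_url()` on a malformed URL is not checked. Separately, an `iss` already present in the query is kept as is, so a value this server did not choose can stand in for the issuer; since RFC 9207 relies on `iss` being the server's own assertion, replacing it looks safer, though it should be confirmed whether the underlying library ever sets it itself. The fence below appends the parameter without re-parsing the rest of the URL; where the response parameters travel in the fragment, `iss` presumably belongs there as well, which this sketch does not handle.

```php
private function addIssuerToRedirectUrl(Response $response): Response
{
    if (! $response->hasHeader('Location')) {
        return $response;
    }

    // Split by hand so port, userinfo and fragment are carried over untouched.
    $parts = explode('#', $response->getHeaderLine('Location'), 2);
    $fragment = isset($parts[1]) ? '#' . $parts[1] : '';
    $parts = explode('?', $parts[0], 2);
    $pairs = isset($parts[1]) && $parts[1] !== '' ? explode('&', $parts[1]) : [];

    // The issuer is this server's own assertion: drop any `iss` already in the query.
    $pairs = array_filter($pairs, static function ($pair) {
        return urldecode(explode('=', $pair, 2)[0]) !== 'iss';
    });
    $pairs[] = 'iss=' . rawurlencode($this->config->getServer()->get(OidcMeta::ISSUER));

    return $response->withHeader('Location', $parts[0] . '?' . implode('&', $pairs) . $fragment);
}
```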
@@ -73,7 +73,11 @@ final public function respondToAuthorizationRequest( // Validate the HTTP request and return an AuthorizationRequest object. $authRequest = $authorizationServer->validateAuthorizationRequest($request); } catch (OAuthServerException $serverException) { - return $this->createOauthServerExceptionResponse($response, $serverException); + $httpResponse = $this->createOauthServerExceptionResponse($response, $serverException); + // @CHECKME: Is this a 302 redirect? If so, a `iss` query param should be added to the redirect URL in the Location header + $httpResponse = $this->addIssuerToRedirectUrl($httpResponse); + + return $httpResponse; } if ($user instanceof UserEntityInterface) {
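Review bot: The `@CHECKME` comment in the catch branch of respondToAuthorizationRequest() leaves an open question in the code that the helper already answers: addIssuerToRedirectUrl() returns the response unchanged when there is no `Location` header, so the call is safe whether or not the error response is a redirect. I would replace the question with a statement, e.g. `// Error responses that redirect to the client also carry iss (RFC 9207); others pass through unchanged.`, and drop the reassignment in favour of `return $this->addIssuerToRedirectUrl($httpResponse);`. The function starts and ends outside the hunk.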