From 698bc5954c10e3ba7dd5ffd9a607692d60e57aa8 Mon Sep 17 00:00:00 2001
From: JuliusPC
Date: Sat, 5 Dec 2020 16:38:10 +0100
Subject: [PATCH] add get/setHttpUpgradeInsecureRequests(), fixes #174
---
 CHANGELOG.md | 5 +++++
 README.md | 8 +++++++-
 src/OpenIDConnectClient.php | 25 ++++++++++++++++++++++++-
 3 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3185924c..93eab569 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+## master
+
+### Added
+* it is now possible to disable upgrading from HTTP to HTTPS for development purposes by calling `setHttpUpgradeInsecureRequests(false)`
+
 ## [0.9.2]
 ### Added
diff --git a/README.md b/README.md
index 7044f216..9a3baca4 100644
--- a/README.md
+++ b/README.md
@@ -153,10 +153,16 @@ $oidc->setVerifyHost(false);
 $oidc->setVerifyPeer(false);
 ```
+Also, your local system might not support HTTPS, so you might disable uprading to it:
+
+```php
+$oidc->httpUpgradeInsecureRequests(false);
+```
+
 ### Todo ###
 - Dynamic registration does not support registration auth tokens and endpoints
 [1]: http://openid.net/specs/openid-connect-basic-1_0-15.html#id_res
 ## Contributing ###
- - All pull requests, once merged, should be added to the changelog.md file.
+ - All pull requests, once merged, should be added to the CHANGELOG.md file.
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index ee81b02c..eb04496b 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -226,6 +226,11 @@ class OpenIDConnectClient
 protected $enc_type = PHP_QUERY_RFC1738;
+ /**
+ * @var bool Enable or disable upgrading to HTTPS by paying attention to HTTP header HTTP_UPGRADE_INSECURE_REQUESTS
+ */
+ protected $httpUpgradeInsecureRequests = true;
+
 /**
 * @var string holds code challenge method for PKCE mode
 * @see https://tools.ietf.org/html/rfc7636
@@ -585,7 +590,7 @@ public function getRedirectURL() {
 * Support of 'ProxyReverse' configurations.
 */
- if (isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
+ if ($this->httpUpgradeInsecureRequests && isset($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']) && ($_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS'] === '1')) {
 $protocol = 'https';
 } else {
 $protocol = @$_SERVER['HTTP_X_FORWARDED_PROTO']
@@ -1292,6 +1297,16 @@ public function setVerifyHost($verifyHost) {
 $this->verifyHost = $verifyHost;
 }
+
+ /**
+ * Controls whether http header HTTP_UPGRADE_INSECURE_REQUESTS should be considered
+ * defaults to true
+ * @param bool $httpUpgradeInsecureRequests
+ */
+ public function setHttpUpgradeInsecureRequests($httpUpgradeInsecureRequests) {
+ $this->httpUpgradeInsecureRequests = $httpUpgradeInsecureRequests;
+ }
+
 /**
 * @return bool
 */
@@ -1308,6 +1323,14 @@ public function getVerifyPeer()
 return $this->verifyPeer;
 }
+ /**
+ * @return bool
+ */
+ public function getHttpUpgradeInsecureRequests()
+ {
+ return $this->httpUpgradeInsecureRequests;
+ }
+
 /**
 * Use this for custom issuer validation
 * The given function should accept the issuer string from the JWT claim as the only argument
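Review bot: Opting out via the new flag silently changes which request header decides the redirect scheme: with `$this->httpUpgradeInsecureRequests` false, the changed line in getRedirectURL() skips the `Upgrade-Insecure-Requests` check and the `else` branch derives `$protocol` from `HTTP_X_FORWARDED_PROTO` (presumably plain http when that header is absent), so the `redirect_uri` presented to the provider may no longer be https and must still match what is registered there — nothing in the hunk records this. The condition is evaluated on every call, so the flag only takes effect if the setter runs before getRedirectURL() is first used, which the setter's docblock should state. A short comment on the changed line would make the intent clear to the next reader: `// Upgrade-Insecure-Requests is a client-sent hint; honour it unless the integrator disabled the https upgrade for TLS-less local development`. getRedirectURL() starts and ends outside the hunk.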
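Review bot: The README snippet in this same commit calls `$oidc->httpUpgradeInsecureRequests(false);`, but the method introduced here is `setHttpUpgradeInsecureRequests`, so following the documentation would fail; the README line should read `$oidc->setHttpUpgradeInsecureRequests(false);` (the same README line also misspells "upgrading" as "uprading"). The docblock on the setter runs two sentences together and does not say what turning the flag off does or that it is meant for development only, as the CHANGELOG entry states; suggested text: `Controls whether the HTTP_UPGRADE_INSECURE_REQUESTS request header is honoured when getRedirectURL() picks http or https. Defaults to true; disable only for local development without TLS, since the redirect URL then no longer upgrades to https.` `@param bool` is documented but, like the neighbouring setVerifyHost(), not enforced; `$this->httpUpgradeInsecureRequests = (bool) $httpUpgradeInsecureRequests;` would keep the property to its declared `@var bool` type.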