-
Notifications
You must be signed in to change notification settings - Fork 783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client_ID #14
Comments
I was wondering the same, UUID, or at least a random string of a given length seems more natural. |
Having an auto incrementing key as the client id could expose some unwanted info about the system (like how many clients are registered in the app) the easiest solution would be to hash the id when it's exposed to the outside world. Something like what the https://github.com/vinkla/laravel-hashids package does. |
Agreed, the spec tells it should be a string (VSCHAR) https://tools.ietf.org/html/rfc6749#page-71 https://tools.ietf.org/html/rfc6749#section-2.2 |
I feel like using a random string in a new indexed |
Hi, I made this #49 PR. I use md5 to hash userId and name. Is it enough? |
md5 is slow, I agree with @lucasmichot, a random string should be enough. |
@jbrooksuk, what about unique client_id? |
It's fine that it's auto incrementing. Client IDs are public values and there is not a security risk to exposing one. A UUID4 value is not sequential and is not nearly as efficient to index in the database as an auto incrementing value. |
That being said, I don't really care either way. It would be a major version break to switch to UUIDs now though. |
Some are not understanding that Client IDs are public on Twitter, so I'll post an example here. If you are an OAuth server supporting authorization_code grants your consumers have to include their client IDs directly in the URL when they redirect to your application. For example, I just tried to login to GitLab using GitHub OAuth and could easily just grab GitLab's client ID straight from the URL: bbe1fe17fd3206756805 |
@taylorotwell Have you had a look at @vinkla's package? It would solve this problem without altering the database structure. In your bridge to the league's package you would only need to decrypt the string to get the client id and viceversa. The only information leaking from a numeric auto-incrementing client id (which is public) would be the number of clients the service has registered, which sometimes is not desirable. |
Let's say I got a client_secret somehow for an unknown client of example.com. So I don't know client_id. In this case, I can easily find out client_id by checking OAuth using 1 to N numbers as client_id in a for loop. But it is not possible (at least not easy) in UUID or random string.
I hope at least you can make it is happen in next major version. |
I get that security through obscurity is bad, but I still don't want my clients to be able to guess other's ids, and as @lucadegasperi said, it
which is the main reason I care about the issue. |
As @lucadegasperi suggest, using @vinkla's package. Might help someone. Here's what I did
Just register the new controller on your preferred route or override the default passport route. |
what do we need to do to make the hashid visible to the user? do we need to overwrite the ClientController@forUser method? |
Let's think about this: Why do we want UUIDs or a non-integer non-primary key value for client IDs?
That being said, I'll work on a proper pull request for this and get back to you guys when I have something. |
@heisian I would add one thing to your list:
At any rate, I did implement this in a fork of my own. I did not bother to write tests because I had no intention of pull requesting it to this project, but feel free to check it out and use it for inspiration or as a base to start with, if you want. |
@denaje thanks! Def a good help to get me started. |
Hey guys, check my pull request. I don't think Taylor will merge it in since he thinks this thread wholly unnecessary, but my code allows using client UUIDs without introducing breaking changes. To use UUIDs you would simply add If you already have Passport installed, have no fear - I've included a If the pull request isn't available you can view my fork: https://github.com/heisian/passport |
No plans for this in Passport 1.0 at least. |
Another reason to want to use non-integers is migration from other oauth2 servers. People migrating from lucadegasperi/oauth2-server-laravel, which was the standard oauth2 server before passport, will need to change all their clients to modify the client id. It would be much nicer if one could migrate without client impact. |
I will do the due diligence here and keep my fork up-to-date w/ latest Passport versions. My company's API depends on it and as stated before I much, much prefer the UUID scheme for client IDs. That being said there's still some loose ends - I don't use Will be looking at merging any changes from The crux of the matter here IMO is retaining integer |
Latest changes from the 2.0 branch (v2.0.2) of |
As @corbosman mentioned migrations are quite complex without having UUID`s in oficial package. lucadegasperi/oauth2-server-laravel is deprecated and from 5.4 we are forced to migrate to passport that's weird about such breaking changes in application. |
You can use UUIDs by updating the migrations and using model listeners. https://mlo.io/blog/2018/08/17/laravel-passport-uuid/ |
How can I install your fork using composer? |
@baig772 I'm not sure if I would recommend it - it is waaay out of date in comparison w/ the latest passport. At my current company we use node on the backend (which I would steer clear of IMO!), so I haven't been in Laravel land for a while. @jjoao07 I would highly recommend trying @ssmulders's solution instead. I forget the specifics, but his workaround is better than the one I originally had come up with in my fork. |
Will there be an official movement on this? @taylorotwell |
@billriess eventually yeah probably but in the meantime any PRs for this are welcome. |
@driesvints There was already a PR on this ~2 years ago: #49. Any thoughts on re-opening that PR or use the approach there as a possible solution? |
@grEvenX not sure tbh. Don't have time atm to dig really deep into it. |
There is also this one from a while back: #168 |
Not sure you can try this https://github.com/diadal/passport |
@AmirrezaNasiri this is open source software. If you need this then feel free to put some work into a PR. |
@grEvenX I think if a new PR was attempted with a very good an thorough explanation and tests that it has a chance of being merged in. Best if you targeted master. I'm planning on doing some Passport work in September after Laracon EU. |
I'm currently in the process of setting up a Laravel Passport API. Enabling UUIDs was quite trivial given the few blog posts about it, yet having a more difficult experience enabling hashed client secrets. Will share my progress and code once I have it figured out. One thing I want to note is that you probably want to use UUIDs for your API clients (either by storing incremental IDs in your database and using HashIds or something similar to do dynamic routing or, even better, just use UUIDs in your database). And more importantly, that client secrets should be hashed, not encrypted, just like Laravel hashes user passwords. AFAIK there's no need for the OAuth server to know the actual secret, just verify the request's secret with the one in the database when issuing tokens. @driesvints I managed to get salted/hashed client secrets working the same way as user passwords when issuing tokens and accessing client credentials protected endpoints. Just had to setup the correct db field, enable hashing in the client model, and change the following lines in return ! $record->confidential() || hash_equals($record->secret, (string) $clientSecret); return ! $record->confidential() || app(Hasher::class)->check((string) $clientSecret, $record->secret); Apparently all checks (even the ones in the Going into weekend/holiday mode, but can probably whip up a PR after. Any tips you can give me on creating a PR with higher chances of getting merged? This feature has to be optional, I suppose? Or do you want to enforce security and require hashed client secrets and introduce a breaking change? I'll add as much documentation and tests as I can. |
Working WIP for hashed client secrets: #1145. Not sure how to go about properly introducing UUIDs in the current setup. It'll either be:
Feedback appreciated. |
For those interested, the PR to optionally use hashed secrets has been merged: #1145 (comment). Will probably be available in the next (major, minor?) release. Not planning on doing a PR to introduce UUIDs as I have no answer on the questions above and you can implement this yourself quite easily by extending the client model. |
using uuid i am getting error when i run General error: 1364 Field 'id' doesn't have a default value even after moding the boot method of AppServiceProvider.php to somethign like this
|
Here's a Passport client model you can use that takes care of this for you: https://gist.github.com/sebastiaanluca/d4b5d2b5611fe9320b7ffa525c5ea0fa. Also be sure to have a correct migration, including Edit: using |
@sebastiaanluca thanks for your quick reply so how can i create them UUIDs except using the command ``passport:install ``` |
@sebastiaanluca cause i have tried UUIDs for user table and it works if i use postman however if use the command |
@sebastiaanluca i have used that model like |
I was mixing things up yesterday, sorry 😅 But I'd ask on the Laracasts or laravel.io forums as this issue isn't meant to support non-existing features. I'm sure they can help you better there. |
@sebastiaanluca thanks for your help it is now working i made a mistake on the migrations and change all 'id' fields to uuid, only client_id and user_id fields needs to be uuid since my user model also uses uuid. |
With the possibility to override the OAuthClient and allow $keyType and $incrementing to be set, is there still a reason to keep this issue open? |
We've implemented a PR to automatically configure clients with UUID's when you set them up using the Given the gigantic impact with making UUID's the default we'll not be reconsidering that particularly approach. At least now there'll be a native way to do this. |
It feels a bit strange to get a client ID as the primary key of oauth_clients @taylorotwell
Would it not make sense to provide a uuid field for that ?
The text was updated successfully, but these errors were encountered: