getAccessToken provides optional username/password parameters which are not used

Created on 26 June 2023, over 1 year ago
Updated 7 August 2023, over 1 year ago

Problem/Motivation

The public getAccessToken() method of the 'oauth2_client.service' service accepts optional username and password parameters in both its interface and its implementation. However, those parameters are never used: the credentials a caller passes are silently dropped.

Steps to reproduce

Inspect code.

Proposed resolution

Further investigation showed that the module would be more secure in certain edge cases if a value object is used to pass these credentials instead of loose username/password parameters. The committed code does that and adds tests to verify the improvement.

User interface changes

None.

API changes

The following changes are made in 4.x. Similar changes are back-ported to 3.x but are not detailed here. Although changes to interfaces should normally trigger a major version change under semantic versioning, this change is a security improvement to both 3.x and 4.x, and 3.x cannot be moved to a new major version, so these changes are released in a minor version.

  • \Drupal\oauth2_client\Plugin\Oauth2Client\Oauth2ClientPluginInterface::getAccessToken
    This method had no parameter in its signature, which was the source of the problem reported in this issue. An optional parameter is added:
    public function getAccessToken(?OwnerCredentials $credentials): ?AccessTokenInterface;
  • \Drupal\oauth2_client\Service\Oauth2ClientServiceInterface::getAccessToken
    This method signature is changed to use the new value object:
    public function getAccessToken(string $pluginId, ?OwnerCredentials $credentials): ?AccessTokenInterface;
  • \Drupal\oauth2_client\OwnerCredentials
    This value object class is added for passing credentials to the two methods above.
  • \Drupal\oauth2_client\Plugin\Oauth2GrantType\GrantWithCredentialsInterface
    This internal interface was adjusted to match the above changes.
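As an added illustration (not the module's own code) of why a value object is preferable to ignored loose parameters: the class and method names below follow the issue, but the constructor, getters, the stand-in PasswordGrant class and the hashing placeholder are assumptions for this sketch (PHP 8.2+ for the SensitiveParameter attribute).

```php
<?php
declare(strict_types=1);

// Hypothetical sketch: an immutable value object carrying resource-owner
// credentials. Empty values are rejected up front, and the secret is masked
// in debug output so it does not leak into dumps or logged traces.
final class OwnerCredentials {
  public function __construct(
    private readonly string $username,
    #[\SensitiveParameter] private readonly string $password,
  ) {
    if ($username === '' || $password === '') {
      throw new \InvalidArgumentException('Owner credentials must not be empty.');
    }
  }
  public function getUsername(): string { return $this->username; }
  public function getPassword(): string { return $this->password; }
  public function __debugInfo(): array {
    return ['username' => $this->username, 'password' => '***'];
  }
}

interface AccessTokenInterface { public function getToken(): string; }

final class AccessToken implements AccessTokenInterface {
  public function __construct(private readonly string $token) {}
  public function getToken(): string { return $this->token; }
}

// Simplified stand-in for a grant-type plugin that needs owner credentials.
final class PasswordGrant {
  public function getAccessToken(?OwnerCredentials $credentials): ?AccessTokenInterface {
    // The old signature had no parameter at all, so whatever the caller
    // supplied was dropped. With the typed value object the requirement is
    // explicit and can be enforced before any token request is made.
    if ($credentials === null) {
      throw new \LogicException('The password grant requires OwnerCredentials.');
    }
    // Placeholder: real code would POST grant_type=password to the token endpoint.
    $fake = hash('sha256', $credentials->getUsername() . ':' . $credentials->getPassword());
    return new AccessToken($fake);
  }
}

$token = (new PasswordGrant())->getAccessToken(new OwnerCredentials('alice', 'example-secret'));
echo $token->getToken(), PHP_EOL;
```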

Background information

  • This was originally reported to security.drupal.org. The Drupal Security Team decided it should be handled as a public issue.
  • security.drupal.org private issue: https://security.drupal.org/node/178442 (included for reference; please do not report "access denied" as an error).
Issue type: Task
Status: Fixed
Version: 4.0
Component: Code
Created by: askibinski (Netherlands)

  • Security
  • Security improvements
