From fb2fa71bc32ac0cbce3912894ad17f8b6ef57032 Mon Sep 17 00:00:00 2001
From: Fred Cox
Date: Wed, 9 Aug 2017 11:44:21 +0300
Subject: [PATCH] Allow multiple client id sources

Its against the spec, but some clients send both basic and post variables and its nicer to allow this than ban it, as it doesnt do any harm
---
 .../Component/Security/Http/Firewall/TokenListener.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/Firewall/TokenListener.php b/src/Symfony/Component/Security/Http/Firewall/TokenListener.php
index 25409fa9..65920216 100644
--- a/src/Symfony/Component/Security/Http/Firewall/TokenListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/TokenListener.php
@@ -52,15 +52,12 @@ public function handle(GetResponseEvent $event)
     {
         $request = $event->getRequest();
 
-        // At least one (and only one) of client credentials method required.
+        // At least one of client credentials method required.
+        // If more than one is set then basic auth will be used. Some clients (incorrectly) use more than one.
         if (!$request->headers->get('PHP_AUTH_USER', false) && !$request->request->get('client_id', false)) {
             throw new InvalidRequestException([
                 'error_description' => 'The request is missing a required parameter',
             ]);
-        } elseif ($request->headers->get('PHP_AUTH_USER', false) && $request->request->get('client_id', false)) {
-            throw new InvalidRequestException([
-                'error_description' => 'The request utilizes more than one mechanism for authenticating the client',
-            ]);
         }
 
         // Check with HTTP basic auth if exists.
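Review bot: Removing the `elseif` branch lets one request carry two different client identities — a Basic-auth `PHP_AUTH_USER` and a body `client_id` — and the new comment says Basic auth wins without ever checking that the two name the same client, so a disagreeing body value is silently ignored (RFC 6749 §2.3.1 is what the removed check enforced). Any later code in handle(), or a grant handler, that reads `client_id` from the request body would then act on a client other than the one whose credentials were verified. If the intent is only to tolerate clients that send the same id both ways, accept the duplicate but reject a mismatch: `$basicUser = $request->headers->get('PHP_AUTH_USER', false); $postClientId = $request->request->get('client_id', false);` followed by `if ($basicUser && $postClientId && $basicUser !== $postClientId) { throw new InvalidRequestException(['error_description' => 'The request utilizes more than one mechanism for authenticating the client']); }`. The comment should also state the rule rather than the preference, e.g. `// When both are present they must identify the same client; the Basic credentials are the ones verified.` The rest of handle() is outside this hunk, so whether the body client_id is still consulted further down is inferred, not visible here.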