From 53fced64303be66942239cd53ccdcfe3634a8c9f Mon Sep 17 00:00:00 2001
From: romanetar
Date: Thu, 15 Jan 2026 16:58:56 +0100
Subject: [PATCH 1/2] feat: add validate_resource_server_ip feature flag to config and check to validate
Signed-off-by: romanetar
---
 .env.example | 2 ++
 app/Models/OAuth2/ResourceServer.php | 5 ++++-
 config/oauth2.php | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 config/oauth2.php
diff --git a/.env.example b/.env.example
index 30eb92d0..0d1c7994 100644
--- a/.env.example
+++ b/.env.example
@@ -115,6 +115,8 @@ AUTH_PASSWORD_SHAPE_PATTERN="^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^
 AUTH_PASSWORD_SHAPE_WARNING="Password must include at least one uppercase letter, one lowercase letter, one number, and one special character."
+OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true
+
 #Open Telemetry
 OTEL_SERVICE_ENABLED=true
 OTEL_SERVICE_NAME=idp-api
diff --git a/app/Models/OAuth2/ResourceServer.php b/app/Models/OAuth2/ResourceServer.php
index ae8d7ea5..d6d487f7 100644
--- a/app/Models/OAuth2/ResourceServer.php
+++ b/app/Models/OAuth2/ResourceServer.php
@@ -65,7 +65,10 @@ class ResourceServer extends BaseEntity
 * @return bool
 */
 public function isOwn($ip)
- { $provided_ips = array_map('trim', explode(',', $ip));
+ {
+ if (!config('oauth2.validate_resource_server_ip', true)) return true;
+
+ $provided_ips = array_map('trim', explode(',', $ip));
 $own_ips = array_map('trim', explode(',', $this->ips));
 Log::debug
 (
diff --git a/config/oauth2.php b/config/oauth2.php
new file mode 100644
index 00000000..2b482422
--- /dev/null
+++ b/config/oauth2.php
@@ -0,0 +1,15 @@
+ env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),
+];
From 92df7f7a0c8ea225d2884ee3f7d52200ce16dd82 Mon Sep 17 00:00:00 2001
From: smarcet
Date: Tue, 17 Mar 2026 10:52:33 -0300
Subject: [PATCH 2/2] fix(oauth2): move disable IP adress check
---
 app/Models/OAuth2/ResourceServer.php | 1 -
 ...idateBearerTokenResourceServerStrategy.php | 46 +++++++++----------
 config/oauth2.php | 2 +-
 3 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/app/Models/OAuth2/ResourceServer.php b/app/Models/OAuth2/ResourceServer.php
index d6d487f7..7e3ac8fd 100644
--- a/app/Models/OAuth2/ResourceServer.php
+++ b/app/Models/OAuth2/ResourceServer.php
@@ -66,7 +66,6 @@ class ResourceServer extends BaseEntity
 */
 public function isOwn($ip)
 {
- if (!config('oauth2.validate_resource_server_ip', true)) return true;
 $provided_ips = array_map('trim', explode(',', $ip));
 $own_ips = array_map('trim', explode(',', $this->ips));
diff --git a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
index 0866af98..3421e873 100644
--- a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
+++ b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
@@ -78,31 +78,31 @@ public function validate(AccessToken $access_token, IClient $client)
 'resource server is disabled!'
 );
 }
- //check resource server ip address
- if (!$resource_server->isOwn($current_ip))
- {
- throw new BearerTokenDisclosureAttemptException
- (
- sprintf
+ if (config('oauth2.validate_resource_server_ip', false)) {
+ //check resource server ip address
+ if (!$resource_server->isOwn($current_ip)) {
+ throw new BearerTokenDisclosureAttemptException
 (
- 'resource server ip (%s) differs from current request ip %s',
- $resource_server->getIPAddresses(),
- $current_ip
- )
- );
- }
- // check if current ip belongs to a registered resource server audience
- if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip))
- {
- throw new BearerTokenDisclosureAttemptException
- (
- sprintf
+ sprintf
+ (
+ 'resource server ip (%s) differs from current request ip %s',
+ $resource_server->getIPAddresses(),
+ $current_ip
+ )
+ );
+ }
+ // check if current ip belongs to a registered resource server audience
+ if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) {
+ throw new BearerTokenDisclosureAttemptException
 (
- 'access token current audience (%s) does not match with current request ip %s',
- $access_token->getAudience(),
- $current_ip
- )
- );
+ sprintf
+ (
+ 'access token current audience (%s) does not match with current request ip %s',
+ $access_token->getAudience(),
+ $current_ip
+ )
+ );
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/config/oauth2.php b/config/oauth2.php
index 2b482422..c8736d26 100644
--- a/config/oauth2.php
+++ b/config/oauth2.php
@@ -11,5 +11,5 @@
 | the request IP and the access token audience.
 |
 */
- 'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),
+ 'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false),
 ];
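Review bot: The new guard `if (config('oauth2.validate_resource_server_ip', false)) {` wraps both the `isOwn` IP check and the `checkAccessTokenAudience` check, so when the flag is unset the bearer token's audience is no longer bound to the calling resource server at all, which goes beyond the "IP address check" named in the commit title, and the bypass leaves no trace in the logs. If only the IP ownership check is meant to be switchable, close the flag's block right after the first `throw` and leave the audience check at its original nesting; if both are intended, say so in the comment and log the bypass, e.g. `Log::warning('oauth2.validate_resource_server_ip disabled: skipping resource server IP and token audience checks');` (assuming the `Log` facade is available here as it is in ResourceServer.php). The `false` fallback argument also duplicates the default in config/oauth2.php, so a later change to the config file would not be picked up if the config cache or file were missing; one source of truth is safer. The enclosing `validate()` method starts before the hunk.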
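Review bot: Changing the fallback to `env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false)` makes the check opt-in, so any deployment whose `.env` lacks the key silently stops validating the resource server IP and, given the strategy change in this same patch, the token audience as well, while `.env.example` from patch 1/2 still ships `true`. A fail-closed default of `true` with an explicit opt-out is the safer shape for a check that exists to detect bearer token disclosure; if `false` must stay, align `.env.example` and extend the comment block above (which already says the setting covers "the request IP and the access token audience") with a sentence noting that omitting the variable disables both checks.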