
Commit 94cbcb6

committed
feat: add validate_resource_server_ip feature flag to config and check to validate
Signed-off-by: romanetar <roman_ag@hotmail.com>
1 parent 9ee4d37 commit 94cbcb6


3 files changed

+18
-1
lines changed


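--- a/.env.example
+++ b/.env.example
@@ -115,6 +115,8 @@ AUTH_PASSWORD_SHAPE_PATTERN="^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^
 AUTH_PASSWORD_SHAPE_WARNING="Password must include at least one uppercase letter, one lowercase letter, one number, and one special character."
 
 
+OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true
+
 #Open Telemetry
 OTEL_SERVICE_ENABLED=true
 OTEL_SERVICE_NAME=idp-api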
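Review bot: The new `OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true` key at line 118 ships without any hint that setting it to false switches off a security check, so an operator reading only the example file has no way to tell it apart from a cosmetic option. I would put a comment directly above it, e.g. `# Reject bearer-token validation requests from IPs the resource server does not own (see ValidateBearerTokenResourceServerStrategy).` followed by `# Keep true in production; set false only where the source IP cannot be trusted.`. If this value goes through Laravel's env() helper, as the accompanying config/oauth2.php suggests, only the literal strings true/false are mapped to booleans, so it is worth stating that those are the accepted values.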

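--- a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
+++ b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
@@ -79,7 +79,7 @@ public function validate(AccessToken $access_token, IClient $client)
 );
 }
 //check resource server ip address
-if (!$resource_server->isOwn($current_ip))
+if (config('oauth2.validate_resource_server_ip', true) && !$resource_server->isOwn($current_ip))
 {
 throw new BearerTokenDisclosureAttemptException
 (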
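Review bot: With the flag off, the new condition on line 82 short-circuits before `isOwn($current_ip)` is ever evaluated, so a token presented from an IP the resource server does not own is accepted with no trace at all; the control behind BearerTokenDisclosureAttemptException becomes invisible rather than merely non-fatal. Since this is exactly the signal an operator needs before trusting the flag in a deployment (e.g. to confirm a proxy is the reason for mismatches), I would evaluate the check unconditionally and gate only the throw, recording the mismatch through whatever logger the class already has when the flag is disabled. Reading the config once into a local also avoids calling `config()` twice and makes the fail-closed default explicit. The enclosing validate() starts before and ends after this hunk, and `$resource_server` / `$current_ip` are assigned outside it, so I am assuming both are already populated at this point.
```php
//check resource server ip address
$validate_ip = (bool) config('oauth2.validate_resource_server_ip', true);
$ip_mismatch = !$resource_server->isOwn($current_ip);
if ($ip_mismatch && !$validate_ip) {
    // check disabled: still record the mismatch (use the existing logger) so the flag does not silently mask probes
}
if ($ip_mismatch && $validate_ip)
{
    throw new BearerTokenDisclosureAttemptException
    // … unchanged: exception arguments …
```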

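--- a/config/oauth2.php
+++ b/config/oauth2.php
@@ -0,0 +1,15 @@
+<?php
+
+return [
+
+/*
+|--------------------------------------------------------------------------
+| Validate Resource Server IP Address
+|--------------------------------------------------------------------------
+|
+| When enabled, validates that the resource server IP address matches
+| the request IP and the access token audience.
+|
+*/
+'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),
+
+];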
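Review bot: The block comment on lines 10–11 says the flag covers both the request-IP match and the access-token audience check, but the only site this commit gates is the `isOwn($current_ip)` comparison in ValidateBearerTokenResourceServerStrategy; unless the audience check is gated elsewhere, the comment over-states what turning the flag off does, which matters for anyone deciding whether it is safe to disable. I would reword it to `| When enabled, the bearer-token resource-server strategy rejects requests whose` / `| source IP is not owned by the resource server named in the access token audience.` and add `| Disable only where the client IP cannot be trusted (e.g. behind a proxy that does` / `| not forward it); disabling removes a token-disclosure control, so keep it on in production.`. The `true` default on line 14 is the right fail-closed choice and is worth calling out in the same comment.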
