[BUG] [Security Issue] you are leaking the OAuth2 client_secret

[ppetermann]

In:

Auth/src/Oauth2/Client/ProviderManager.php

Line 167 in 2cddfab

'clientSecret' => $providerConfig->getClientSecret(),

the client_secret is put into the ProviderOptions, which is used here:

Auth/src/Oauth2/Handler/Remote.php

Line 184 in 2cddfab

$providerOptions = $this->providerManager->getProviderOptions($providerName);

Auth/src/Oauth2/Handler/Remote.php

Line 185 in 2cddfab

$options = array_merge($providerOptions, ['approval_prompt' => $approvalPrompt]);

Auth/src/Oauth2/Handler/Remote.php

Line 186 in 2cddfab

$authorizationUrl = $provider->getAuthorizationUrl($options);

to build the authorization Url, which ist send as a redirect to the users browser, thus exposing the client_secret.

the client_secret should only be used in the token exchange, thus when the server makes the request to the provider, and not during authorization when the browser of the user does.

This is NOT a flaw in Leagues client, this is due to too many options being included when forming the url in the aforementioned lines of code.

[SvanteRichter]

Hey,

Thanks for the report and digging into this. Also sorry for it being 3 days before I saw this, I'm looking for other maintainers for this repo. Do you have a fix for this ready? If so I'd be more than willing to merge it and tag a release ASAP. Otherwise I'll try to get time to fix this as soon as I can find time.

Thanks!

[rossriley]

@SahAssar I'll have a look at it if you've not had time yet.

[SvanteRichter]

@rossriley Thanks, that'd be great :)