Add issuer iss as HTTP Query Parameter to redirect URL in OAuth responses.

Potherca · Potherca · commit 7de2564cb2d4 · 2025-11-24T15:54:10.000+01:00
diff --git a/src/Server.php b/src/Server.php
@@ -40,10 +40,12 @@ final public function respondToAccessTokenRequest(Request $request) : Response
         $response = $this->response;
 
         try {
-            return $authorizationServer->respondToAccessTokenRequest($request, $response);
+            $httpResponse = $authorizationServer->respondToAccessTokenRequest($request, $response);
         } catch (OAuthServerException $serverException) {
-            return $this->createOauthServerExceptionResponse($response, $serverException);
+            $httpResponse = $this->createOauthServerExceptionResponse($response, $serverException);
         }
+
+        return $this->addIssuerToRedirectUrl($httpResponse);
     }
 
     /**
@@ -95,6 +97,7 @@ final public function respondToAuthorizationRequest(
 
             // Return the HTTP redirect response
             $response = $authorizationServer->completeAuthorizationRequest($authRequest, $response);
+            $response = $this->addIssuerToRedirectUrl($response);
         } else {
             // @CHECKME: 404 or throw Exception?
             $response = $response->withStatus(404);
@@ -150,4 +153,40 @@ private function createJsonResponse(Response $response, $json = null) : Response
 
         return $response->withHeader('content-type', 'application/json; charset=UTF-8');
     }
+
+    /**
+     * Add `iss` query param to the Location header, if present and not already set.
+     *
+     * @see https://www.ietf.org/rfc/rfc9207
+     */
+    private function addIssuerToRedirectUrl(Response $response): Response
+    {
+        if ($response->hasHeader('Location')) {
+            $location = $response->getHeaderLine('Location');
+
+            $urlParts = parse_url($location);
+            $queryParams = [];
+            if (isset($urlParts['query'])) {
+                parse_str($urlParts['query'], $queryParams);
+            }
+
+            if ( ! array_key_exists('iss', $queryParams)) {
+                $issuer = $this->config->getServer()->get(OidcMeta::ISSUER);
+                $queryParams['iss'] = $issuer;
+
+                $urlParts['query'] = http_build_query($queryParams);
+
+                $location = vsprintf("%s%s%s?%s", [
+                    isset($urlParts['scheme']) ? $urlParts['scheme'] . '://' : '',
+                    $urlParts['host'] ?? '',
+                    $urlParts['path'] ?? '',
+                    $urlParts['query']
+                ]);
+
+                $response = $response->withHeader('Location', $location);
+            }
+        }
+
+        return $response;
+    }
 }
