Beispiel #1
0
 public function validateRequest(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     if (!$request->request('code')) {
         $response->setError(400, 'invalid_request', 'Missing parameter: "code" is required');
         return false;
     }
     $code = $request->request('code');
     if (!($authCode = $this->storage->getAuthorizationCode($code))) {
         $response->setError(400, 'invalid_grant', 'Authorization code doesn\'t exist or is invalid for the client');
         return false;
     }
     /*
      * 4.1.3 - ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request
      * @uri - http://tools.ietf.org/html/rfc6749#section-4.1.3
      */
     if (isset($authCode['redirect_uri']) && $authCode['redirect_uri']) {
         if (!$request->request('redirect_uri') || urldecode($request->request('redirect_uri')) != $authCode['redirect_uri']) {
             $response->setError(400, 'redirect_uri_mismatch', "The redirect URI is missing or do not match", "#section-4.1.3");
             return false;
         }
     }
     if (!isset($authCode['expires'])) {
         throw new Exception('Storage must return authcode with a value for "expires"');
     }
     if ($authCode["expires"] < time()) {
         $response->setError(400, 'invalid_grant', "The authorization code has expired");
         return false;
     }
     if (!isset($authCode['code'])) {
         $authCode['code'] = $code;
         // used to expire the code after the access token is granted
     }
     $this->authCode = $authCode;
     return true;
 }
Beispiel #2
0
 /**
  * This is a convenience function that can be used to get the token, which can then
  * be passed to getAccessTokenData(). The constraints specified by the draft are
  * attempted to be adheared to in this method.
  *
  * As per the Bearer spec (draft 8, section 2) - there are three ways for a client
  * to specify the bearer token, in order of preference: Authorization Header,
  * POST and GET.
  *
  * NB: Resource servers MUST accept tokens via the Authorization scheme
  * (http://tools.ietf.org/html/rfc6750#section-2).
  *
  * @todo Should we enforce TLS/SSL in this function?
  *
  * @see http://tools.ietf.org/html/rfc6750#section-2.1
  * @see http://tools.ietf.org/html/rfc6750#section-2.2
  * @see http://tools.ietf.org/html/rfc6750#section-2.3
  *
  * Old Android version bug (at least with version 2.2)
  * @see http://code.google.com/p/android/issues/detail?id=6684
  *
  */
 public function getAccessTokenParameter(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     $headers = $request->headers('AUTHORIZATION');
     /**
      * Ensure more than one method is not used for including an
      * access token
      *
      * @see http://tools.ietf.org/html/rfc6750#section-3.1
      */
     $methodsUsed = !empty($headers) + (bool) $request->query($this->config['token_param_name']) + (bool) $request->request($this->config['token_param_name']);
     if ($methodsUsed > 1) {
         $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)');
         return null;
     }
     /**
      * If no authentication is provided, set the status code
      * to 401 and return no other error information
      *
      * @see http://tools.ietf.org/html/rfc6750#section-3.1
      */
     if ($methodsUsed == 0) {
         $response->setStatusCode(401);
         return null;
     }
     // HEADER: Get the access token from the header
     if (!empty($headers)) {
         if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\\s(\\S+)/', $headers, $matches)) {
             $response->setError(400, 'invalid_request', 'Malformed auth header');
             return null;
         }
         return $matches[1];
     }
     if ($request->request($this->config['token_param_name'])) {
         // // POST: Get the token from POST data
         if (!in_array(strtolower($request->server('REQUEST_METHOD')), array('post', 'put'))) {
             $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST or PUT', '#section-2.2');
             return null;
         }
         $contentType = $request->server('CONTENT_TYPE');
         if (false !== ($pos = strpos($contentType, ';'))) {
             $contentType = substr($contentType, 0, $pos);
         }
         if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded' && $contentType != 'multipart/form-data') {
             // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable
             // @see http://tools.ietf.org/html/rfc6750#section-2.2
             $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded" OR "multipart/form-data"');
             return null;
         }
         return $request->request($this->config['token_param_name']);
     }
     // GET method
     return $request->query($this->config['token_param_name']);
 }
Beispiel #3
0
 public function validateRequest(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     if (!$request->request("refresh_token")) {
         $response->setError(400, 'invalid_request', 'Missing parameter: "refresh_token" is required');
         return null;
     }
     if (!($refreshToken = $this->storage->getRefreshToken($request->request("refresh_token")))) {
         $response->setError(400, 'invalid_grant', 'Invalid refresh token');
         return null;
     }
     if ($refreshToken['expires'] > 0 && $refreshToken["expires"] < time()) {
         $response->setError(400, 'invalid_grant', 'Refresh token has expired');
         return null;
     }
     // store the refresh token locally so we can delete it when a new refresh token is generated
     $this->refreshToken = $refreshToken;
     return true;
 }
Beispiel #4
0
 public function validateRequest(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     if (!$request->request("password") || !$request->request("username")) {
         $response->setError(400, 'invalid_request', 'Missing parameters: "username" and "password" required');
         return null;
     }
     if (!$this->storage->checkUserCredentials($request->request("username"), $request->request("password"))) {
         $response->setError(401, 'invalid_grant', 'Invalid username and password combination');
         return null;
     }
     $userInfo = $this->storage->getUserDetails($request->request("username"));
     if (empty($userInfo)) {
         $response->setError(400, 'invalid_grant', 'Unable to retrieve user information');
         return null;
     }
     if (!isset($userInfo['user_id'])) {
         throw new LogicException("you must set the user_id on the array returned by getUserDetails");
     }
     $this->userInfo = $userInfo;
     return true;
 }
Beispiel #5
0
 /**
  * Grant or deny a requested access token.
  * This would be called from the "/token" endpoint as defined in the spec.
  * You can call your endpoint whatever you want.
  *
  * @param $request - RequestInterface
  * Request object to grant access token
  *
  * @throws InvalidArgumentException
  * @throws LogicException
  *
  * @see http://tools.ietf.org/html/rfc6749#section-4
  * @see http://tools.ietf.org/html/rfc6749#section-10.6
  * @see http://tools.ietf.org/html/rfc6749#section-4.1.3
  *
  * @ingroup oauth2_section_4
  */
 public function grantAccessToken(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     if (strtolower($request->server('REQUEST_METHOD')) != 'post') {
         $response->setError(405, 'invalid_request', 'The request method must be POST when requesting an access token', '#section-3.2');
         $response->addHttpHeaders(array('Allow' => 'POST'));
         return null;
     }
     /**
      * Determine grant type from request
      * and validate the request for that grant type
      */
     if (!($grantTypeIdentifier = $request->request('grant_type'))) {
         $response->setError(400, 'invalid_request', 'The grant type was not specified in the request');
         return null;
     }
     if (!isset($this->grantTypes[$grantTypeIdentifier])) {
         /* TODO: If this is an OAuth2 supported grant type that we have chosen not to implement, throw a 501 Not Implemented instead */
         $response->setError(400, 'unsupported_grant_type', sprintf('Grant type "%s" not supported', $grantTypeIdentifier));
         return null;
     }
     $grantType = $this->grantTypes[$grantTypeIdentifier];
     /**
      * Retrieve the client information from the request
      * ClientAssertionTypes allow for grant types which also assert the client data
      * in which case ClientAssertion is handled in the validateRequest method
      *
      * @see OAuth2\GrantType\JWTBearer
      * @see OAuth2\GrantType\ClientCredentials
      */
     if (!$grantType instanceof HTTP_OAuth2_ClientAssertionType_ClientAssertionTypeInterface) {
         if (!$this->clientAssertionType->validateRequest($request, $response)) {
             return null;
         }
         $clientId = $this->clientAssertionType->getClientId();
     }
     /**
      * Retrieve the grant type information from the request
      * The GrantTypeInterface object handles all validation
      * If the object is an instance of ClientAssertionTypeInterface,
      * That logic is handled here as well
      */
     if (!$grantType->validateRequest($request, $response)) {
         return null;
     }
     if ($grantType instanceof HTTP_OAuth2_ClientAssertionType_ClientAssertionTypeInterface) {
         $clientId = $grantType->getClientId();
     } else {
         // validate the Client ID (if applicable)
         if (!is_null($storedClientId = $grantType->getClientId()) && $storedClientId != $clientId) {
             $response->setError(400, 'invalid_grant', sprintf('%s doesn\'t exist or is invalid for the client', $grantTypeIdentifier));
             return null;
         }
     }
     /**
      * Validate the client can use the requested grant type
      */
     if (!$this->clientStorage->checkRestrictedGrantType($clientId, $grantTypeIdentifier)) {
         $response->setError(400, 'unauthorized_client', 'The grant type is unauthorized for this client_id');
         return false;
     }
     /**
      * Validate the scope of the token
      *
      * requestedScope - the scope specified in the token request
      * availableScope - the scope associated with the grant type
      *  ex: in the case of the "Authorization Code" grant type,
      *  the scope is specified in the authorize request
      *
      * @see http://tools.ietf.org/html/rfc6749#section-3.3
      */
     $requestedScope = $this->scopeUtil->getScopeFromRequest($request);
     $availableScope = $grantType->getScope();
     if ($requestedScope) {
         // validate the requested scope
         if ($availableScope) {
             if (!$this->scopeUtil->checkScope($requestedScope, $availableScope)) {
                 $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this request');
                 return null;
             }
         } else {
             // validate the client has access to this scope
             if ($clientScope = $this->clientStorage->getClientScope($clientId)) {
                 if (!$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
                     $response->setError(400, 'invalid_scope', 'The scope requested is invalid for this client');
                     return false;
                 }
             } elseif (!$this->scopeUtil->scopeExists($requestedScope)) {
                 $response->setError(400, 'invalid_scope', 'An unsupported scope was requested');
                 return null;
             }
         }
     } elseif ($availableScope) {
         // use the scope associated with this grant type
         $requestedScope = $availableScope;
     } else {
         // use a globally-defined default scope
         $defaultScope = $this->scopeUtil->getDefaultScope($clientId);
         // "false" means default scopes are not allowed
         if (false === $defaultScope) {
             $response->setError(400, 'invalid_scope', 'This application requires you specify a scope parameter');
             return null;
         }
         $requestedScope = $defaultScope;
     }
     return $grantType->createAccessToken($this->accessToken, $clientId, $grantType->getUserId(), $requestedScope);
 }
Beispiel #6
0
 /**
  * Internal function used to get the client credentials from HTTP basic
  * auth or POST data.
  *
  * According to the spec (draft 20), the client_id can be provided in
  * the Basic Authorization header (recommended) or via GET/POST.
  *
  * @return
  * A list containing the client identifier and password, for example
  * @code
  * return array(
  *     "client_id"     => CLIENT_ID,        // REQUIRED the client id
  *     "client_secret" => CLIENT_SECRET,    // OPTIONAL the client secret (may be omitted for public clients)
  * );
  * @endcode
  *
  * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
  *
  * @ingroup oauth2_section_2
  */
 public function getClientCredentials(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response = null)
 {
     if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) {
         return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW'));
     }
     if ($this->config['allow_credentials_in_request_body']) {
         // Using POST for HttpBasic authorization is not recommended, but is supported by specification
         if (!is_null($request->request('client_id'))) {
             /**
              * client_secret can be null if the client's password is an empty string
              * @see http://tools.ietf.org/html/rfc6749#section-2.3.1
              */
             return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret'));
         }
     }
     if ($response) {
         $message = $this->config['allow_credentials_in_request_body'] ? ' or body' : '';
         $response->setError(400, 'invalid_client', 'Client credentials were not found in the headers' . $message);
     }
     return null;
 }
Beispiel #7
0
 /**
  * Validates the data from the decoded JWT.
  *
  * @return
  * TRUE if the JWT request is valid and can be decoded. Otherwise, FALSE is returned.
  *
  * @see OAuth2\GrantType\GrantTypeInterface::getTokenData()
  */
 public function validateRequest(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     if (!$request->request("assertion")) {
         $response->setError(400, 'invalid_request', 'Missing parameters: "assertion" required');
         return null;
     }
     // Store the undecoded JWT for later use
     $undecodedJWT = $request->request('assertion');
     // Decode the JWT
     $jwt = $this->jwtUtil->decode($request->request('assertion'), null, false);
     if (!$jwt) {
         $response->setError(400, 'invalid_request', "JWT is malformed");
         return null;
     }
     // ensure these properties contain a value
     // @todo: throw malformed error for missing properties
     $jwt = array_merge(array('scope' => null, 'iss' => null, 'sub' => null, 'aud' => null, 'exp' => null, 'nbf' => null, 'iat' => null, 'jti' => null, 'typ' => null), $jwt);
     if (!isset($jwt['iss'])) {
         $response->setError(400, 'invalid_grant', "Invalid issuer (iss) provided");
         return null;
     }
     if (!isset($jwt['sub'])) {
         $response->setError(400, 'invalid_grant', "Invalid subject (sub) provided");
         return null;
     }
     if (!isset($jwt['exp'])) {
         $response->setError(400, 'invalid_grant', "Expiration (exp) time must be present");
         return null;
     }
     // Check expiration
     if (ctype_digit($jwt['exp'])) {
         if ($jwt['exp'] <= time()) {
             $response->setError(400, 'invalid_grant', "JWT has expired");
             return null;
         }
     } else {
         $response->setError(400, 'invalid_grant', "Expiration (exp) time must be a unix time stamp");
         return null;
     }
     // Check the not before time
     if ($notBefore = $jwt['nbf']) {
         if (ctype_digit($notBefore)) {
             if ($notBefore > time()) {
                 $response->setError(400, 'invalid_grant', "JWT cannot be used before the Not Before (nbf) time");
                 return null;
             }
         } else {
             $response->setError(400, 'invalid_grant', "Not Before (nbf) time must be a unix time stamp");
             return null;
         }
     }
     // Check the audience if required to match
     if (!isset($jwt['aud']) || $jwt['aud'] != $this->audience) {
         $response->setError(400, 'invalid_grant', "Invalid audience (aud)");
         return null;
     }
     // Check the jti (nonce)
     // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1.7
     if (isset($jwt['jti'])) {
         $jti = $this->storage->getJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']);
         //Reject if jti is used and jwt is still valid (exp parameter has not expired).
         if ($jti && $jti['expires'] > time()) {
             $response->setError(400, 'invalid_grant', "JSON Token Identifier (jti) has already been used");
             return null;
         } else {
             $this->storage->setJti($jwt['iss'], $jwt['sub'], $jwt['aud'], $jwt['exp'], $jwt['jti']);
         }
     }
     // Get the iss's public key
     // @see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.1
     if (!($key = $this->storage->getClientKey($jwt['iss'], $jwt['sub']))) {
         $response->setError(400, 'invalid_grant', "Invalid issuer (iss) or subject (sub) provided");
         return null;
     }
     // Verify the JWT
     if (!$this->jwtUtil->decode($undecodedJWT, $key, true)) {
         $response->setError(400, 'invalid_grant', "JWT failed signature verification");
         return null;
     }
     $this->jwt = $jwt;
     return true;
 }
Beispiel #8
0
 public function validateAuthorizeRequest(HTTP_OAuth2_RequestInterface $request, HTTP_OAuth2_ResponseInterface $response)
 {
     // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
     if (!($client_id = $request->query("client_id"))) {
         // We don't have a good URI to use
         $response->setError(400, 'invalid_client', "No client id supplied");
         return false;
     }
     // Get client details
     if (!($clientData = $this->clientStorage->getClientDetails($client_id))) {
         $response->setError(400, 'invalid_client', 'The client id supplied is invalid');
         return false;
     }
     $registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : '';
     // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI.
     // @see http://tools.ietf.org/html/rfc6749#section-3.1.2
     // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1
     // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1
     if ($supplied_redirect_uri = $request->query('redirect_uri')) {
         // validate there is no fragment supplied
         $parts = parse_url($supplied_redirect_uri);
         if (isset($parts['fragment']) && $parts['fragment']) {
             $response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment');
             return false;
         }
         // validate against the registered redirect uri(s) if available
         if ($registered_redirect_uri && !$this->validateRedirectUri($supplied_redirect_uri, $registered_redirect_uri)) {
             $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2');
             return false;
         }
         $redirect_uri = $supplied_redirect_uri;
     } else {
         // use the registered redirect_uri if none has been supplied, if possible
         if (!$registered_redirect_uri) {
             $response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored');
             return false;
         }
         if (count(explode(' ', $registered_redirect_uri)) > 1) {
             $response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3');
             return false;
         }
         $redirect_uri = $registered_redirect_uri;
     }
     // Select the redirect URI
     $response_type = $request->query('response_type');
     $state = $request->query('state');
     // type and client_id are required
     if (!$response_type || !in_array($response_type, $this->getValidResponseTypes())) {
         $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null);
         return false;
     }
     if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) {
         if (!isset($this->responseTypes['code'])) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null);
             return false;
         }
         if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
             return false;
         }
         if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) {
             $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied');
             return false;
         }
     } else {
         if (!$this->config['allow_implicit']) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null);
             return false;
         }
         if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null);
             return false;
         }
     }
     // validate requested scope if it exists
     $requestedScope = $this->scopeUtil->getScopeFromRequest($request);
     if ($requestedScope) {
         // restrict scope by client specific scope if applicable,
         // otherwise verify the scope exists
         $clientScope = $this->clientStorage->getClientScope($client_id);
         if (is_null($clientScope) && !$this->scopeUtil->scopeExists($requestedScope) || $clientScope && !$this->scopeUtil->checkScope($requestedScope, $clientScope)) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null);
             return false;
         }
     } else {
         // use a globally-defined default scope
         $defaultScope = $this->scopeUtil->getDefaultScope($client_id);
         if (false === $defaultScope) {
             $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null);
             return false;
         }
         $requestedScope = $defaultScope;
     }
     // Validate state parameter exists (if configured to enforce this)
     if ($this->config['enforce_state'] && !$state) {
         $response->setRedirect($this->config['redirect_status_code'], $redirect_uri, null, 'invalid_request', 'The state parameter is required');
         return false;
     }
     // save the input data and return true
     $this->scope = $requestedScope;
     $this->state = $state;
     $this->client_id = $client_id;
     // Only save the SUPPLIED redirect URI (@see http://tools.ietf.org/html/rfc6749#section-4.1.3)
     $this->redirect_uri = $supplied_redirect_uri;
     $this->response_type = $response_type;
     return true;
 }