 /**
  * Report whether this token can still be used.
  *
  * A token is usable only while the application it was issued to (looked
  * up by the token's key) still exists and the token's lifetime has not
  * yet elapsed.
  *
  * @return bool
  */
 function isValid()
 {
     $application = \IdnoPlugins\OAuth2\Application::getOne(['key' => $this->key]);
     if ($application) {
         // expires_in is treated as a number of seconds added to the
         // creation timestamp — confirm against where the token is issued.
         $expiresAt = $this->created + $this->expires_in;
         return $expiresAt > time();
     }
     return false;
 }
 /**
  * Render the "authorise this application" consent page.
  *
  * Reads fwd, client_id and scope from the request, looks the client
  * application up by its key and draws the oauth2/forms/connect template
  * with those values.
  *
  * @throws \Exception when no application with the given client_id exists
  */
 function getContent()
 {
     $this->gatekeeper();
     $fwd = $this->getInput('fwd');
     $client_id = $this->getInput('client_id');
     $scope = $this->getInput('scope');
     $client = \IdnoPlugins\OAuth2\Application::getOne(['key' => $client_id]);
     if (!$client) {
         throw new \Exception("Could not load client associated with {$client_id}");
     }
     // NOTE(review): fwd and scope come straight from the request and are
     // handed to the template unmodified; this method does not check that
     // fwd points back into this site.
     $vars = [
         'fwd' => $fwd,
         'client_id' => $client_id,
         'scope' => $scope,
         'client' => $client,
     ];
     $template = \Idno\Core\site()->template();
     $template->body = $template->__($vars)->draw('oauth2/forms/connect');
     $template->title = 'Authorise connection...';
     $template->drawPage();
 }
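 /**
  * Handle the account OAuth2 application form.
  *
  * Dispatches on the "action" input: "create" saves a new application named
  * by the "name" input, "delete" removes the application identified by
  * "app_uuid". Unknown actions do nothing. In every case the user is then
  * forwarded back to account/oauth2/.
  *
  * Unlike the original, the delete branch now reports a missing application
  * or a failed delete() through the session instead of silently doing nothing.
  */
 function postContent()
 {
     // gatekeeper() is relied on to reject anonymous requests; whether it also
     // validates a CSRF token is not visible here — confirm in the base class.
     $this->gatekeeper();
     $action = $this->getInput('action');
     switch ($action) {
         case 'create':
             $app = \IdnoPlugins\OAuth2\Application::newApplication($this->getInput('name'));
             if ($app->save()) {
                 \Idno\Core\site()->session()->addMessage("New application " . $app->getTitle() . " created!");
             } else {
                 \Idno\Core\site()->session()->addErrorMessage("Problem creating new application...");
             }
             break;
         case 'delete':
             $uuid = $this->getInput('app_uuid');
             $app = \IdnoPlugins\OAuth2\Application::getByUUID($uuid);
             // NOTE(review): nothing in this method checks that the current user
             // owns the application; that check must live in getByUUID() or
             // delete() — confirm.
             if (!$app) {
                 \Idno\Core\site()->session()->addErrorMessage("Could not find the application to remove.");
             } elseif ($app->delete()) {
                 \Idno\Core\site()->session()->addMessage($app->getTitle() . " was removed.");
             } else {
                 \Idno\Core\site()->session()->addErrorMessage("Problem removing " . $app->getTitle() . "...");
             }
             break;
     }
     $this->forward(\Idno\Core\site()->config()->getURL() . 'account/oauth2/');
 }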
 /**
  * OAuth2 token endpoint.
  *
  * Exchanges either a refresh_token or an authorization code for a new
  * access token and echoes that token as JSON. Inputs are read from the
  * request parameters named at the top of the inner try block.
  *
  * Error handling is layered: an OAuth2Exception is answered with its own
  * http_code and jsonSerialize() output; any other \Exception becomes a
  * 400 with error "invalid_request" and the exception message.
  *
  * NOTE(review): no client authentication (such as a client secret) is
  * checked anywhere in this method, so every client is treated as public.
  * The enclosing class is not visible here.
  */
 function getContent()
 {
     try {
         try {
             // $scope is read but never used below.
             $scope = $this->getInput('scope');
             $state = $this->getInput('state');
             $code = $this->getInput('code');
             $grant_type = $this->getInput('grant_type');
             $client_id = $this->getInput('client_id');
             $redirect_uri = $this->getInput('redirect_uri');
             if (!$grant_type) {
                 throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter grant_type is missing!", 'invalid_request', $state);
             }
             switch ($grant_type) {
                 // Refresh token
                 case 'refresh_token':
                     $refresh_token = $this->getInput('refresh_token');
                     if (!$refresh_token) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter refresh_token is missing!", 'invalid_request', $state);
                     }
                     if (!($token = \IdnoPlugins\OAuth2\Token::getOne(['refresh_token' => $refresh_token]))) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, that refresh token appears to be invalid!", 'invalid_grant', $state);
                     }
                     // Check state on object. The stored state is only enforced
                     // when it is non-empty, and the comparison is loose (!=).
                     if ($token->state) {
                         if ($token->state != $state) {
                             throw new \IdnoPlugins\OAuth2\OAuth2Exception("Invalid state given", 'access_denied', $state);
                         }
                     }
                     // OK so far, so generate new token
                     $newtoken = new \IdnoPlugins\OAuth2\Token();
                     // Carry state and scope over from the old token
                     $newtoken->state = $token->state;
                     $newtoken->scope = $token->scope;
                     // Bind to a client ID!
                     // NOTE(review): the key is copied from the old token; the
                     // client_id sent with this request is never compared with
                     // $token->key, so this branch does not verify that the
                     // refresh token was issued to the requesting client.
                     $newtoken->key = $token->key;
                     // Set owner from the old token
                     $newtoken->setOwner($token->getOwner());
                     // Ok, delete old token and issue a new token. Deleting first
                     // means a failed save() leaves the client with neither token;
                     // the error below then asks it to retry.
                     if ($token->delete() && $newtoken->save()) {
                         echo json_encode($newtoken);
                     } else {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't refresh token. Try again in a bit...", 'invalid_grant', $state);
                     }
                     break;
                 // Basic authorisation
                 case 'authorization_code':
                 // Any other grant_type value also lands here; the RFC 6749
                 // error for an unknown grant would be 'unsupported_grant_type'.
                 default:
                     if (!$client_id) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter client_id is missing!", 'invalid_request', $state);
                     }
                     // Check Application
                     if (!\IdnoPlugins\OAuth2\Application::getOne(['key' => $client_id])) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("I have no knowledge of the application identified by {$client_id}", 'unauthorized_client', $state);
                     }
                     // Check code: it must exist for this client and its expires
                     // timestamp must not be in the past
                     if (!($code_obj = \IdnoPlugins\OAuth2\Code::getOne(['code' => $code, 'key' => $client_id])) || $code_obj->expires < time()) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, unknown or expired code!", 'invalid_grant', $state);
                     }
                     // Check state on object (only when one was stored; loose comparison)
                     if ($code_obj->state) {
                         if ($code_obj->state != $state) {
                             throw new \IdnoPlugins\OAuth2\OAuth2Exception("Invalid state given", 'access_denied', $state);
                         }
                     }
                     // Check redirect: must equal the one recorded when the code was
                     // issued, but only if one was recorded then
                     if ($code_obj->redirect_uri) {
                         if ($code_obj->redirect_uri != $redirect_uri) {
                             throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, redirect_uri doesn't match the one given before!", 'access_denied', $state);
                         }
                     }
                     // OK so far, so generate new token
                     $token = new \IdnoPlugins\OAuth2\Token();
                     // Add state and scope variables
                     $token->state = $state;
                     $token->scope = $code_obj->scope;
                     // Bind to a client ID!
                     $token->key = $client_id;
                     // Set owner from code object
                     $token->setOwner($code_obj->getOwner());
                     // NOTE(review): the authorization code is neither deleted nor
                     // marked as used in this method, so whether it is single-use
                     // depends on code elsewhere — confirm.
                     if (!$token->save()) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Server problem, couldn't generate new tokens. Try again in a bit...", 'invalid_grant', $state);
                     }
                     // Which fields the client receives depends on Token's JSON
                     // serialisation, which is not visible here.
                     echo json_encode($token);
             }
         } catch (\IdnoPlugins\OAuth2\OAuth2Exception $oa2e) {
             // Protocol-level errors carry their own HTTP status and JSON body
             $this->setResponse($oa2e->http_code);
             echo json_encode($oa2e->jsonSerialize());
         }
     } catch (\Exception $e) {
         // Anything else is reported as a generic invalid_request; note that
         // the raw exception message is returned to the client.
         $this->setResponse(400);
         echo json_encode(['error' => 'invalid_request', 'error_description' => $e->getMessage()]);
     }
 }
 /**
  * OAuth2 authorization endpoint.
  *
  * Validates response_type and client_id, makes sure the user is logged in
  * and has consented to the requested scope for this client, then issues an
  * authorization code. The code is delivered by redirecting to redirect_uri
  * when one was given, otherwise it is echoed as JSON. Only the "code"
  * response type is supported; "token" (implicit grant) is rejected.
  *
  * Error handling mirrors the token endpoint: an OAuth2Exception is answered
  * with its own http_code and jsonSerialize() output; any other \Exception
  * becomes a 400 with error "invalid_request".
  *
  * NOTE(review): redirect_uri is taken from the request and, after the checks
  * below, the code is sent to it; nothing in this method compares it against
  * a URI registered for the application. The enclosing class is not visible.
  */
 function getContent()
 {
     try {
         try {
             $state = $this->getInput('state');
             $scope = $this->getInput('scope');
             $response_type = $this->getInput('response_type');
             $client_id = $this->getInput('client_id');
             $redirect_uri = $this->getInput('redirect_uri');
             if (!$response_type) {
                 throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter response_type is missing!", 'invalid_request', $state);
             }
             if (!$client_id) {
                 throw new \IdnoPlugins\OAuth2\OAuth2Exception("Required parameter client_id is missing!", 'invalid_request', $state);
             }
             switch ($response_type) {
                 case 'token':
                     throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, implicit grant is currently not supported.", 'unsupported_response_type', $state);
                     // unreachable: the throw above leaves the switch
                     break;
                 // Any other response_type value also lands here
                 case 'code':
                 default:
                     // Generate code
                     $code = new \IdnoPlugins\OAuth2\Code();
                     // Save context
                     $code->scope = $scope;
                     $code->key = $client_id;
                     $code->state = $state;
                     $code->redirect_uri = $redirect_uri;
                     // Check Application
                     if (!\IdnoPlugins\OAuth2\Application::getOne(['key' => $client_id])) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("I have no knowledge of the application identified by {$client_id}", 'unauthorized_client', $state);
                     }
                     // Authenticate user
                     if (!($user = \Idno\Core\site()->session()->currentUser())) {
                         // Do login and redirect workflow. This assumes forward()
                         // ends the request; if it returned, $user would be false
                         // on the next line.
                         $this->forward('/session/login?fwd=' . urlencode($this->currentUrl()));
                     }
                     // Not authorized before, or change in scope? The first test
                     // can raise an undefined-index notice when the client has no
                     // entry yet; the scope comparison is loose (!=).
                     if (!$user->oauth2[$client_id] || $user->oauth2[$client_id]['scope'] != $scope) {
                         $this->forward('/oauth2/connect?client_id=' . $client_id . '&scope=' . urlencode($scope) . '&fwd=' . urlencode($this->currentUrl()));
                     }
                     // Check code: reject a value that already exists. Passing the
                     // Code object as the query value relies on it converting to
                     // its code string — confirm against the Code class.
                     if ($code->getOne(['code' => $code])) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Sorry, this code has been seen before!", 'access_denied', $state);
                     }
                     // Save code so we've not seen it before
                     if (!$code->save()) {
                         throw new \IdnoPlugins\OAuth2\OAuth2Exception("Bang, code incorrect", 'invalid_request', $state);
                     }
                     // Forward or echo
                     if ($redirect_uri) {
                         // Normalise url and add parameters. Appending '?' only
                         // when absent means an existing query string gets the new
                         // parameters concatenated without a separating '&'.
                         if (strpos($redirect_uri, '?') === false) {
                             $redirect_uri .= '?';
                         }
                         $redirect_uri .= 'code=' . urlencode($code) . '&state=' . urlencode($state);
                         // Forward
                         $this->forward($redirect_uri);
                     } else {
                         // Otherwise echo result
                         echo json_encode(['code' => $code, 'state' => $state]);
                     }
             }
         } catch (\IdnoPlugins\OAuth2\OAuth2Exception $oa2e) {
             // Protocol-level errors carry their own HTTP status and JSON body
             $this->setResponse($oa2e->http_code);
             echo json_encode($oa2e->jsonSerialize());
         }
     } catch (\Exception $e) {
         // Anything else is reported as a generic invalid_request; note that
         // the raw exception message is returned to the client.
         $this->setResponse(400);
         echo json_encode(['error' => 'invalid_request', 'error_description' => $e->getMessage()]);
     }
 }