/**
* {@inheritdoc}
*/
private function getDefaultScopesForClient(ClientInterface $client)
{
return $client->has('default_scope') && null !== $client->get('default_scope') ? $client->get('default_scope') : $this->getDefaultScopes();
}
private function checkRequestAndClient(ServerRequestInterface $request, ClientInterface $client)
{
Assertion::true($this->isRequestSecured($request), 'The request must be secured.');
Assertion::true($client->has('registration_access_token'), 'Invalid client.');
$values = [];
$token = $this->bearer_token->findToken($request, $values);
Assertion::notNull($token, 'Initial Access Token is missing or invalid.');
Assertion::eq($token, $client->get('registration_access_token'), 'Initial Access Token is missing or invalid.');
}
/**
* @param \OAuth2\Client\ClientInterface $client
*
* @throws \OAuth2\Exception\BadRequestExceptionInterface
*
* @return string[]
*/
private function getClientRequestUris(ClientInterface $client)
{
if (false === $client->has('request_uris') || empty($request_uris = $client->get('request_uris'))) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client must register at least one request Uri.');
}
return $request_uris;
}
/**
* {@inheritdoc}
*/
public function isClientAuthenticated(ClientInterface $client, $client_credentials, ServerRequestInterface $request)
{
return hash_equals($client->get('client_secret'), $client_credentials);
}
/**
* @param array $claims
* @param \OAuth2\Client\ClientInterface $client
*
* @return string
*/
private function signAndEncrypt($claims, ClientInterface $client)
{
$signature_key = $this->signature_key_set->getKey(0);
Assertion::notNull($signature_key, 'Unable to find a key to sign the userinfo response. Please verify the selected key set contains suitable keys.');
$jwt = $this->getJWTCreator()->sign($claims, ['typ' => 'JWT', 'alg' => $this->signature_algorithm], $signature_key);
if ($client->hasPublicKeySet() && $client->has('id_token_encrypted_response_alg') && $client->has('id_token_encrypted_response_enc')) {
$key_set = $client->getPublicKeySet();
$key = $key_set->selectKey('enc');
if (null !== $key) {
$jwt = $this->getJWTCreator()->encrypt($jwt, ['alg' => $client->get('id_token_encrypted_response_alg'), 'enc' => $client->get('id_token_encrypted_response_enc')], $key);
}
}
return $jwt;
}
/**
* Check if the redirect URIs stored by the client.
*
* @param \OAuth2\Client\ClientInterface $client
* @param array $parameters
*
* @throws \InvalidArgumentException
*
* @return array
*
* @see http://tools.ietf.org/html/rfc6749#section-3.1.2.2
*/
private function getClientRedirectUris(ClientInterface $client, array $parameters)
{
if (!$client->has('redirect_uris') || empty($redirect_uris = $client->get('redirect_uris'))) {
$this->checkRedirectUriForAllClient();
$this->checkRedirectUriForNonConfidentialClient($client);
$this->checkRedirectUriForConfidentialClient($client, $parameters);
return [];
}
return $redirect_uris;
}
/**
* {@inheritdoc}
*/
public function getScopePolicyForClient(ClientInterface $client)
{
if ($client->has('scope_policy') && null !== ($policy_name = $client->get('scope_policy'))) {
return $this->getScopePolicy($policy_name);
}
return $this->getDefaultScopePolicy();
}
/**
* @param \Psr\Http\Message\ServerRequestInterface $request
* @param \OAuth2\Client\ClientInterface $client
* @param \OAuth2\TokenEndpointAuthMethod\TokenEndpointAuthMethodInterface $authentication_method
* @param mixed|null $client_credentials
*
* @return true
*/
public function isClientAuthenticated(ServerRequestInterface $request, ClientInterface $client, TokenEndpointAuthMethodInterface $authentication_method, $client_credentials)
{
if (in_array($client->get('token_endpoint_auth_method'), $authentication_method->getSupportedAuthenticationMethods())) {
if (false === $client->areClientCredentialsExpired()) {
return $authentication_method->isClientAuthenticated($client, $client_credentials, $request);
}
}
return false;
}
/**
* @param \OAuth2\Client\ClientInterface $client
*
* @return bool
*/
private function isClientAResourceServer(ClientInterface $client)
{
return $client->has('is_resource_server') && true === $client->get('is_resource_server');
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param array $registration_parameters
*/
private function checkResponseTypes(ClientInterface $client, array $registration_parameters)
{
Assertion::isArray($registration_parameters['response_types'], 'The parameter "response_types" must be an array of strings.');
Assertion::allString($registration_parameters['response_types'], 'The parameter "grant_types" must be an array of strings.');
foreach ($registration_parameters['response_types'] as $response_type) {
$types = $this->getResponseTypeManager()->getResponseTypes($response_type);
if (!in_array($response_type, $client->get('response_types'))) {
$response_types = $client->get('response_types');
$response_types[] = $response_type;
$client->set('response_types', $response_types);
}
foreach ($types as $type) {
$associated_grant_types = $type->getAssociatedGrantTypes();
$diff = array_diff($associated_grant_types, $registration_parameters['grant_types']);
Assertion::true(empty($diff), sprintf('The response type "%s" is associated with the grant types "%s" but this response type is missing.', $type->getResponseType(), json_encode($diff)));
$client->set('grant_types', array_unique(array_merge($client->get('grant_types'), $associated_grant_types)));
}
}
}
/**
* {@inheritdoc}
*/
public function introspectToken(TokenInterface $token, ClientInterface $client)
{
if (!$token instanceof AccessTokenInterface) {
return [];
}
$result = ['active' => !$token->hasExpired(), 'client_id' => $token->getClientPublicId(), 'token_type' => $token->getTokenTypeParameter('token_type'), 'exp' => $token->getExpiresAt()];
// If the client is the subject, we add this information.
//
// The subject is not added if the client is not a resource owner.
// The reason is that if the client received an ID Token, the subject may have been computed (pairwise) and
// the subject returned here may be different. As per the OpenID Connect specification, the client must reject the token
// if subject are different and we want to avoid this case.
if ($client->getPublicId() === $token->getResourceOwnerPublicId()) {
$result['sub'] = $token->getResourceOwnerPublicId();
}
// If the client is a resource server, we return all the information stored in the access token including the metadata
if ($client->has('is_resource_server') && true === $client->get('is_resource_server')) {
$result['sub'] = $token->getResourceOwnerPublicId();
}
if (!empty($token->getScope())) {
$result['scp'] = $token->getScope();
}
if ($token instanceof JWTAccessTokenInterface) {
$result = array_merge($result, $this->getJWTInformation($token->getJWS()));
}
return $result;
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param string $redirect_uri
*
* @return string
*/
private function getSectorIdentifierHost(ClientInterface $client, $redirect_uri)
{
$uri = $redirect_uri;
if (true === $client->has('sector_identifier_uri')) {
$uri = $client->get('sector_identifier_uri');
}
$data = parse_url($uri);
Assertion::true(is_array($data) && array_key_exists('host', $data), sprintf('Invalid Sector Identifier Uri "%s".', $uri));
return $data['host'];
}
