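/**
  * Decrypt the refresh token presented in the request and check it is usable.
  *
  * The refresh token is an encrypted JSON document. After decryption it must
  * decode to an array carrying `client_id`, `expire_time` and `refresh_token_id`,
  * belong to the requesting client, be unexpired and not be revoked.
  *
  * @param ServerRequestInterface $request
  * @param string                 $clientId Identifier of the authenticated client
  *
  * @throws OAuthServerException When the token is absent, cannot be decrypted or
  *                              decoded, belongs to another client, has expired
  *                              or has been revoked
  *
  * @return array The decoded refresh token payload
  */
 protected function validateOldRefreshToken(ServerRequestInterface $request, $clientId)
 {
     $encryptedRefreshToken = $this->getRequestParameter('refresh_token', $request);
     if (is_null($encryptedRefreshToken)) {
         throw OAuthServerException::invalidRequest('refresh_token');
     }
     // Validate refresh token
     try {
         $refreshToken = $this->decrypt($encryptedRefreshToken);
     } catch (\LogicException $e) {
         throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token');
     }
     $refreshTokenData = json_decode($refreshToken, true);
     // json_decode() returns null (or a scalar) for input that is not a JSON object
     // and does not throw here; reject such payloads instead of reading offsets on
     // them. The message intentionally matches the decryption failure so a caller
     // cannot tell a bad ciphertext from a bad plaintext.
     if (!is_array($refreshTokenData)) {
         throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token');
     }
     foreach (['client_id', 'expire_time', 'refresh_token_id'] as $requiredField) {
         if (!array_key_exists($requiredField, $refreshTokenData)) {
             throw OAuthServerException::invalidRefreshToken('Cannot decrypt the refresh token');
         }
     }
     if ($refreshTokenData['client_id'] !== $clientId) {
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::REFRESH_TOKEN_CLIENT_FAILED, $request));
         throw OAuthServerException::invalidRefreshToken('Token is not linked to client');
     }
     if ($refreshTokenData['expire_time'] < time()) {
         throw OAuthServerException::invalidRefreshToken('Token has expired');
     }
     // Revocation is the repository's decision; only an explicit true rejects the token.
     if ($this->refreshTokenRepository->isRefreshTokenRevoked($refreshTokenData['refresh_token_id']) === true) {
         throw OAuthServerException::invalidRefreshToken('Token has been revoked');
     }
     return $refreshTokenData;
 }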
 /**
  * Authenticate the resource owner from the `username` and `password`
  * request parameters and return the matching user entity.
  *
  * @param \Psr\Http\Message\ServerRequestInterface             $request
  * @param \League\OAuth2\Server\Entities\ClientEntityInterface $client  Client the credentials were presented through
  *
  * @throws \League\OAuth2\Server\Exception\OAuthServerException When either parameter is missing
  *                                                              or the repository rejects the credentials
  *
  * @return \League\OAuth2\Server\Entities\UserEntityInterface
  */
 protected function validateUser(ServerRequestInterface $request, ClientEntityInterface $client)
 {
     $suppliedUsername = $this->getRequestParameter('username', $request);
     if ($suppliedUsername === null) {
         throw OAuthServerException::invalidRequest('username');
     }
     $suppliedPassword = $this->getRequestParameter('password', $request);
     if ($suppliedPassword === null) {
         throw OAuthServerException::invalidRequest('password');
     }
     // Credential verification belongs to the repository; here we only check
     // that it handed back a user entity.
     $resolvedUser = $this->userRepository->getUserEntityByUserCredentials(
         $suppliedUsername,
         $suppliedPassword,
         $this->getIdentifier(),
         $client
     );
     if ($resolvedUser instanceof UserEntityInterface) {
         return $resolvedUser;
     }
     // Let listeners observe the failed attempt before the request is rejected.
     $this->getEmitter()->emit(new RequestEvent(RequestEvent::USER_AUTHENTICATION_FAILED, $request));
     throw OAuthServerException::invalidCredentials();
 }
 /**
  * Authenticate the resource owner from the `username` and `password`
  * request parameters (Phalcon request flavour) and return the user entity.
  *
  * @param \Phalcon\Http\RequestInterface                       $request
  * @param \League\OAuth2\Server\Entities\ClientEntityInterface $client  Client the credentials were presented through
  *
  * @throws \League\OAuth2\Server\Exception\OAuthServerException When either parameter is missing
  *                                                              or the repository rejects the credentials
  *
  * @return \League\OAuth2\Server\Entities\UserEntityInterface
  */
 protected function validateUser(\Phalcon\Http\RequestInterface $request, ClientEntityInterface $client)
 {
     $suppliedUsername = $this->getRequestParameter('username', $request);
     if ($suppliedUsername === null) {
         throw OAuthServerException::invalidRequest('username', '`%s` parameter is missing');
     }
     $suppliedPassword = $this->getRequestParameter('password', $request);
     if ($suppliedPassword === null) {
         throw OAuthServerException::invalidRequest('password', '`%s` parameter is missing');
     }
     // Credential verification belongs to the repository; here we only check
     // that it handed back a user entity.
     $resolvedUser = $this->userRepository->getUserEntityByUserCredentials(
         $suppliedUsername,
         $suppliedPassword,
         $this->getIdentifier(),
         $client
     );
     if ($resolvedUser instanceof UserEntityInterface) {
         return $resolvedUser;
     }
     // Let listeners observe the failed attempt before the request is rejected.
     $this->getEmitter()->emit(new RequestEvent('user.authentication.failed', $request));
     throw OAuthServerException::invalidCredentials();
 }
 /**
  * {@inheritdoc}
  *
  * Issues an access token for the user named by the `user_id` parameter and
  * records the requested `token_name` on this grant instance.
  *
  * NOTE(review): `$accessTokenTTL` is not used; the token is issued with a
  * fixed five-year lifetime (`P5Y`). Confirm this is intended.
  */
 public function respondToAccessTokenRequest(ServerRequestInterface $request, ResponseTypeInterface $responseType, DateInterval $accessTokenTTL)
 {
     // Validate request
     $client = $this->validateClient($request);
     // Validate, then finalize, the requested scopes
     $scopes = $this->scopeRepository->finalizeScopes(
         $this->validateScopes($this->getRequestParameter('scope', $request)),
         $this->getIdentifier(),
         $client
     );
     $userIdentifier = $this->getRequestParameter('user_id', $request);
     if ($userIdentifier === null) {
         throw OAuthServerException::invalidRequest('user_id');
     }
     // The token name is kept on the grant (side effect), not returned
     $this->tokenName = $this->getRequestParameter('token_name', $request);
     if ($this->tokenName === null) {
         throw OAuthServerException::invalidRequest('token_name');
     }
     // Issue and persist the access token, then hand it to the response type
     $fixedLifetime = new DateInterval('P5Y');
     $responseType->setAccessToken($this->issueAccessToken($fixedLifetime, $client, $userIdentifier, $scopes));
     return $responseType;
 }
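 /**
  * Validate the client.
  *
  * Resolves the client from `client_id`/`client_secret` (falling back to the
  * HTTP Basic credentials in `PHP_AUTH_USER`/`PHP_AUTH_PW`) and, when a
  * `redirect_uri` is supplied, requires it to exactly equal one of the client's
  * registered redirect URIs.
  *
  * @param \Phalcon\Http\RequestInterface $request
  *
  * @throws \League\OAuth2\Server\Exception\OAuthServerException When `client_id` is missing,
  *         the client cannot be authenticated, or the redirect URI is not registered
  *
  * @return \League\OAuth2\Server\Entities\ClientEntityInterface
  */
 protected function validateClient(\Phalcon\Http\RequestInterface $request)
 {
     $clientId = $this->getRequestParameter('client_id', $request, $this->getServerParameter('PHP_AUTH_USER', $request));
     if (is_null($clientId)) {
         throw OAuthServerException::invalidRequest('client_id');
     }
     // If the client is confidential require the client secret
     $clientSecret = $this->getRequestParameter('client_secret', $request, $this->getServerParameter('PHP_AUTH_PW', $request));
     // The trailing true asks the repository to validate the secret.
     $client = $this->clientRepository->getClientEntity($clientId, $this->getIdentifier(), $clientSecret, true);
     if (!$client instanceof ClientEntityInterface) {
         $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
         throw OAuthServerException::invalidClient();
     }
     // If a redirect URI is provided ensure it matches what is pre-registered
     $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
     if ($redirectUri !== null) {
         $registeredRedirectUri = $client->getRedirectUri();
         // Exact, strict comparison only: a loose in_array() applies PHP's numeric-string
         // rules ('1e3' == '1000'), and no prefix or substring matching is done.
         if (is_string($registeredRedirectUri) && strcmp($registeredRedirectUri, $redirectUri) !== 0) {
             $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
             throw OAuthServerException::invalidClient();
         } elseif (is_array($registeredRedirectUri) && in_array($redirectUri, $registeredRedirectUri, true) === false) {
             $this->getEmitter()->emit(new RequestEvent('client.authentication.failed', $request));
             throw OAuthServerException::invalidClient();
         }
     }
     return $client;
 }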
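 /**
  * {@inheritdoc}
  *
  * Builds the authorization request from the query string. The client is looked
  * up without secret validation (this is a front-channel request), an optional
  * `redirect_uri` must exactly equal a registered one, and when code-exchange
  * proof (PKCE) is enabled a well-formed `code_challenge` is required.
  */
 public function validateAuthorizationRequest(ServerRequestInterface $request)
 {
     $clientId = $this->getQueryStringParameter('client_id', $request, $this->getServerParameter('PHP_AUTH_USER', $request));
     if (is_null($clientId)) {
         throw OAuthServerException::invalidRequest('client_id');
     }
     $client = $this->clientRepository->getClientEntity($clientId, $this->getIdentifier(), null, false);
     if ($client instanceof ClientEntityInterface === false) {
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
         throw OAuthServerException::invalidClient();
     }
     $registeredRedirectUri = $client->getRedirectUri();
     $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
     if ($redirectUri !== null) {
         // Exact, strict comparison only: a loose in_array() applies PHP's numeric-string
         // rules ('1e3' == '1000'), and no prefix or substring matching is done.
         if (is_string($registeredRedirectUri) && strcmp($registeredRedirectUri, $redirectUri) !== 0) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         } elseif (is_array($registeredRedirectUri) && in_array($redirectUri, $registeredRedirectUri, true) === false) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         }
     }
     // validateScopes() is given a redirect URI to use in its error response: the
     // first registered one for array-valued clients (null if that list is empty,
     // rather than an undefined-offset notice).
     if (is_array($registeredRedirectUri)) {
         $defaultRedirectUri = isset($registeredRedirectUri[0]) ? $registeredRedirectUri[0] : null;
     } else {
         $defaultRedirectUri = $registeredRedirectUri;
     }
     $scopes = $this->validateScopes($this->getQueryStringParameter('scope', $request), $defaultRedirectUri);
     $stateParameter = $this->getQueryStringParameter('state', $request);
     $authorizationRequest = new AuthorizationRequest();
     $authorizationRequest->setGrantTypeId($this->getIdentifier());
     $authorizationRequest->setClient($client);
     $authorizationRequest->setRedirectUri($redirectUri);
     $authorizationRequest->setState($stateParameter);
     $authorizationRequest->setScopes($scopes);
     if ($this->enableCodeExchangeProof === true) {
         $codeChallenge = $this->getQueryStringParameter('code_challenge', $request);
         if ($codeChallenge === null) {
             throw OAuthServerException::invalidRequest('code_challenge');
         }
         $codeChallengeMethod = $this->getQueryStringParameter('code_challenge_method', $request, 'plain');
         if (in_array($codeChallengeMethod, ['plain', 'S256'], true) === false) {
             throw OAuthServerException::invalidRequest('code_challenge_method', 'Code challenge method must be `plain` or `S256`');
         }
         // RFC 7636 §4.1/§4.2: a challenge is 43-128 characters from the unreserved set
         // [A-Za-z0-9-._~]. Rejecting anything else up front keeps malformed values out
         // of the stored authorization code and out of the later verifier comparison.
         if (preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $codeChallenge) !== 1) {
             throw OAuthServerException::invalidRequest('code_challenge', 'Code challenge must follow the specifications of RFC-7636.');
         }
         $authorizationRequest->setCodeChallenge($codeChallenge);
         $authorizationRequest->setCodeChallengeMethod($codeChallengeMethod);
     }
     return $authorizationRequest;
 }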
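 /**
  * {@inheritdoc}
  *
  * Builds the authorization request from the query string. The client is looked
  * up without secret validation (this is a front-channel request), an optional
  * `redirect_uri` must exactly equal a registered one, and the requested scopes
  * are validated and then finalized by the scope repository.
  */
 public function validateAuthorizationRequest(ServerRequestInterface $request)
 {
     $clientId = $this->getQueryStringParameter('client_id', $request, $this->getServerParameter('PHP_AUTH_USER', $request));
     if (is_null($clientId)) {
         throw OAuthServerException::invalidRequest('client_id');
     }
     $client = $this->clientRepository->getClientEntity($clientId, $this->getIdentifier(), null, false);
     if ($client instanceof ClientEntityInterface === false) {
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
         throw OAuthServerException::invalidClient();
     }
     $registeredRedirectUri = $client->getRedirectUri();
     $redirectUri = $this->getQueryStringParameter('redirect_uri', $request);
     if ($redirectUri !== null) {
         // Exact, strict comparison only: a loose in_array() applies PHP's numeric-string
         // rules ('1e3' == '1000'), and no prefix or substring matching is done.
         if (is_string($registeredRedirectUri) && strcmp($registeredRedirectUri, $redirectUri) !== 0) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         } elseif (is_array($registeredRedirectUri) && in_array($redirectUri, $registeredRedirectUri, true) === false) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         }
     }
     // validateScopes() is given a redirect URI to use in its error response: the
     // first registered one for array-valued clients (null if that list is empty,
     // rather than an undefined-offset notice).
     if (is_array($registeredRedirectUri)) {
         $defaultRedirectUri = isset($registeredRedirectUri[0]) ? $registeredRedirectUri[0] : null;
     } else {
         $defaultRedirectUri = $registeredRedirectUri;
     }
     $scopes = $this->validateScopes($this->getQueryStringParameter('scope', $request), $defaultRedirectUri);
     // Finalize the requested scopes
     $scopes = $this->scopeRepository->finalizeScopes($scopes, $this->getIdentifier(), $client);
     $stateParameter = $this->getQueryStringParameter('state', $request);
     $authorizationRequest = new AuthorizationRequest();
     $authorizationRequest->setGrantTypeId($this->getIdentifier());
     $authorizationRequest->setClient($client);
     $authorizationRequest->setRedirectUri($redirectUri);
     $authorizationRequest->setState($stateParameter);
     $authorizationRequest->setScopes($scopes);
     return $authorizationRequest;
 }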
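 /**
  * Validate the client.
  *
  * Resolves the client from `client_id`/`client_secret` (falling back to the
  * HTTP Basic credentials on the request) and, when a `redirect_uri` is
  * supplied, requires it to exactly equal one of the client's registered
  * redirect URIs.
  *
  * @param \Psr\Http\Message\ServerRequestInterface $request
  *
  * @throws \League\OAuth2\Server\Exception\OAuthServerException When `client_id` is missing,
  *         the client cannot be authenticated, or the redirect URI is not registered
  *
  * @return \League\OAuth2\Server\Entities\ClientEntityInterface
  */
 protected function validateClient(ServerRequestInterface $request)
 {
     list($basicAuthUser, $basicAuthPassword) = $this->getBasicAuthCredentials($request);
     $clientId = $this->getRequestParameter('client_id', $request, $basicAuthUser);
     if (is_null($clientId)) {
         throw OAuthServerException::invalidRequest('client_id');
     }
     // If the client is confidential require the client secret
     $clientSecret = $this->getRequestParameter('client_secret', $request, $basicAuthPassword);
     // The trailing true asks the repository to validate the secret.
     $client = $this->clientRepository->getClientEntity($clientId, $this->getIdentifier(), $clientSecret, true);
     if (!$client instanceof ClientEntityInterface) {
         $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
         throw OAuthServerException::invalidClient();
     }
     // If a redirect URI is provided ensure it matches what is pre-registered
     $redirectUri = $this->getRequestParameter('redirect_uri', $request, null);
     if ($redirectUri !== null) {
         $registeredRedirectUri = $client->getRedirectUri();
         // Exact, strict comparison only: a loose in_array() applies PHP's numeric-string
         // rules ('1e3' == '1000'), and no prefix or substring matching is done.
         if (is_string($registeredRedirectUri) && strcmp($registeredRedirectUri, $redirectUri) !== 0) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         } elseif (is_array($registeredRedirectUri) && in_array($redirectUri, $registeredRedirectUri, true) === false) {
             $this->getEmitter()->emit(new RequestEvent(RequestEvent::CLIENT_AUTHENTICATION_FAILED, $request));
             throw OAuthServerException::invalidClient();
         }
     }
     return $client;
 }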