/**
* {@inheritdoc}
*/
public function prepareAuthorization(AuthorizationInterface $authorization)
{
$token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams());
$token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getRedirectUri()]);
$authorization->setData('access_token', $token);
return $token->toArray();
}
/**
* {@inheritdoc}
*/
public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization)
{
// Whatever the prompt is, if the max_age constraint is not satisfied, the user is redirected to the login page
if ($authorization->hasQueryParam('max_age') && time() - $user_account->getLastLoginAt() > $authorization->getQueryParam('max_age')) {
throw new RedirectToLoginPageException($authorization);
}
}
/**
* {@inheritdoc}
*/
protected function calculateSessionState(ServerRequestInterface $request, AuthorizationInterface $authorization, $browser_state)
{
$origin = $this->getOriginUri($authorization->getRedirectUri());
$salt = Base64Url::encode(random_bytes(16));
$hash = hash('sha256', sprintf('%s%s%s%s', $authorization->getClient()->getPublicId(), $origin, $browser_state, $salt));
return sprintf('%s.%s', $hash, $salt);
}
/**
* {@inheritdoc}
*/
public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization)
{
if (!$authorization->hasScope('openid')) {
return;
}
$browser_state = $this->getBrowserState($request);
if (null === $browser_state) {
$browser_state = $this->generateBrowserState();
$this->saveBrowserState($response, $browser_state);
}
$session_state = $this->calculateSessionState($request, $authorization, $browser_state);
$response_parameters['session_state'] = $session_state;
}
/**
* {@inheritdoc}
*/
public function processUserAccount(ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization, UserAccountInterface &$user_account = null)
{
// The query parameter 'id_token_hint' and the Id Token Manager are set
if ($authorization->hasQueryParam('id_token_hint') && null !== $this->getIdTokenManager()) {
try {
$id_token_hint = $this->getIdTokenManager()->loadIdToken($authorization->getQueryParam('id_token_hint'));
Assertion::true($id_token_hint->hasClaim('sub'), 'Invalid "id_token_hint" parameter.');
$public_id = $this->getIdTokenManager()->getPublicIdFromSubjectIdentifier($id_token_hint->getClaim('sub'));
Assertion::notNull($public_id, 'Invalid "id_token_hint" parameter.');
if (null === $user_account) {
$user_account = $this->getUserAccountManager()->getUserAccountByPublicId($public_id);
} else {
if ($user_account->getPublicId() !== $public_id) {
throw new RedirectToLoginPageException($authorization);
}
}
} catch (\InvalidArgumentException $e) {
throw new CreateRedirectionException($authorization, ExceptionManagerInterface::BAD_REQUEST, $e->getMessage());
}
}
}
/**
* @param \Symfony\Component\Form\FormInterface $form
* @param \Psr\Http\Message\ServerRequestInterface $request
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
* @param \SpomkyLabs\OAuth2ServerBundle\Plugin\AuthorizationEndpointPlugin\Form\Model\AuthorizationModel $authorization_model
*
* @return bool
*/
public function handle(FormInterface $form, ServerRequestInterface $request, AuthorizationInterface $authorization, AuthorizationModel $authorization_model)
{
if ('POST' !== $request->getMethod()) {
return false;
}
$httpFoundationFactory = new HttpFoundationFactory();
$symfony_request = $httpFoundationFactory->createRequest($request);
$form->submit($symfony_request->get($form->getName()));
if (!$form->isValid()) {
return false;
}
$button = $form->get('accept');
if (!$button instanceof ClickableInterface) {
throw new InvalidArgumentException('Unable to find the button named "accept".');
}
$authorization->setAuthorized($button->isClicked());
$refused_scopes = array_diff($authorization->getScopes(), $authorization_model->getScopes());
foreach ($refused_scopes as $refused_scope) {
$authorization->removeScope($refused_scope);
}
return true;
}
/**
* {@inheritdoc}
*/
public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization)
{
if ($authorization->hasPrompt('login') && !$is_fully_authenticated) {
throw new RedirectToLoginPageException($authorization);
}
}
/**
* {@inheritdoc}
*/
public function prepareAuthorization(AuthorizationInterface $authorization)
{
$token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams());
$token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getQueryParam('redirect_uri')]);
$authorization->setData('access_token', $token);
foreach ($this->listeners as $listener) {
$listener->call($token);
}
return [];
}
/**
* {@inheritdoc}
*/
public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization)
{
if ($authorization->hasQueryParam('state')) {
$response_parameters['state'] = $authorization->getQueryParam('state');
}
}
/**
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
* @param \Psr\Http\Message\ResponseInterface $response
* @param string $error
* @param string|null $error_description
*/
private function createRedirectionException(AuthorizationInterface $authorization, ResponseInterface &$response, $error, $error_description = null)
{
$params = ['response_mode' => $authorization->getResponseMode(), 'redirect_uri' => $authorization->getRedirectUri()];
if (true === $authorization->hasQueryParam('state')) {
$params['state'] = $authorization->getQueryParam('state');
}
$exception = $this->getExceptionManager()->getRedirectException($error, $error_description, $params);
$exception->getHttpResponse($response);
}
/**
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
*
* @return null|\OAuth2\Endpoint\Authorization\PreConfiguredAuthorization\PreConfiguredAuthorizationInterface
*/
private function findPreConfiguredAuthorization(AuthorizationInterface $authorization)
{
if (null !== $this->getPreConfiguredAuthorizationManager()) {
return $this->getPreConfiguredAuthorizationManager()->findOnePreConfiguredAuthorization($authorization->getUserAccount()->getUserPublicId(), $authorization->getClient()->getPublicId(), $authorization->getScopes());
}
}
/**
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
*
* @return null|string
*/
private function getUiLocale(AuthorizationInterface $authorization)
{
if (!method_exists($this->translator, 'getCatalogue') || !$authorization->hasQueryParam('ui_locales')) {
return;
}
$ui_locales = explode(' ', $authorization->getQueryParam('ui_locales'));
foreach ($ui_locales as $ui_locale) {
$catalogue = $this->translator->getCatalogue($ui_locale);
if (in_array('SpomkyLabsOAuth2Server', $catalogue->getDomains())) {
return $ui_locale;
}
}
}
/**
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
*
* @return array
*/
private function getIdTokenClaims(AuthorizationInterface $authorization)
{
if (!$authorization->hasQueryParam('claims')) {
return [];
}
$requested_claims = $authorization->getQueryParam('claims');
if (true === array_key_exists('id_token', $requested_claims)) {
return $requested_claims['id_token'];
}
return [];
}
/**
* @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
*
* @return bool
*/
private function isOfflineAccess(AuthorizationInterface $authorization)
{
// The scope offline_access is not requested
if (!in_array('offline_access', $authorization->getScopes())) {
return false;
}
// The scope offline_access is requested but prompt is not consent
// The scope offline_access is ignored
if (!$authorization->hasQueryParam('prompt') || !in_array('consent', $authorization->getQueryParam('prompt'))) {
$authorization->removeScope('offline_access');
return false;
}
return true;
}
