/**
  * {@inheritdoc}
  */
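 public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization)
 {
     // Enforces the max_age constraint of the authorization request.
     // Throws RedirectToLoginPageException when the user has to authenticate again;
     // returns nothing otherwise.
     if (!$authorization->hasQueryParam('max_age')) {
         return;
     }

     // max_age is read from the authorization request, so it is untrusted input.
     // Only a non-negative integer is accepted. Comparing the raw value loosely is
     // fragile: under PHP 8 an int compared with a non-numeric string is compared as
     // strings, and an int is never greater than an array, so a malformed max_age
     // could silently skip the re-authentication check.
     $max_age = filter_var($authorization->getQueryParam('max_age'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
     if (false === $max_age) {
         // Fail closed: a max_age that cannot be interpreted is treated as not satisfied.
         // NOTE(review): if an invalid_request error path is available at this point,
         // rejecting the request there would be cleaner than prompting for login again.
         throw new RedirectToLoginPageException($authorization);
     }

     // Whatever the prompt is, if the max_age constraint is not satisfied, the user is redirected to the login page
     // NOTE(review): assumes getLastLoginAt() returns a Unix timestamp in seconds - confirm.
     if (time() - $user_account->getLastLoginAt() > $max_age) {
         throw new RedirectToLoginPageException($authorization);
     }
 }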
 /**
  * {@inheritdoc}
  */
 public function createInitialAccessToken(UserAccountInterface $resource_owner, array $token_type_parameters)
 {
     // Creates an initial access token bound to the given user account, copies the
     // supplied parameters onto it, persists it and hands it back to the caller.
     $token = $this->createEmptyInitialAccessToken();

     // NOTE(review): setExpiresAt() receives whatever getInitialAccessTokenLifetime()
     // returns. Confirm that this is an absolute expiry time and not a duration in
     // seconds; otherwise the token's validity window would be wrong.
     $expires_at = $this->getInitialAccessTokenLifetime();
     $token->setExpiresAt($expires_at);

     // The token is tied to the public id of the account it was issued for.
     $owner_public_id = $resource_owner->getPublicId();
     $token->setUserAccountPublicId($owner_public_id);

     // Parameters are copied verbatim, one setParameter() call per entry.
     foreach ($token_type_parameters as $name => $parameter) {
         $token->setParameter($name, $parameter);
     }

     $this->saveInitialAccessToken($token);

     return $token;
 }
 /**
  * @param \OAuth2\Client\ClientInterface           $client
  * @param \OAuth2\UserAccount\UserAccountInterface $user_account
  * @param string                                   $redirect_uri
  *
  * @return string
  */
 protected function calculateSubjectIdentifier(ClientInterface $client, UserAccountInterface $user_account, $redirect_uri)
 {
     // The public identifier is the fallback whenever a pairwise one is not produced.
     $public_subject = $user_account->getPublicId();

     if (false === $this->isPairwiseSubjectIdentifierSupported()) {
         return $public_subject;
     }

     // A client without a 'subject_type' entry always receives the public identifier.
     // NOTE(review): this means the pairwise default is only consulted for clients that
     // declare a subject_type, and it also applies when that declared type is not
     // 'pairwise'. Confirm this is intended: a client with no subject_type gets the
     // correlatable public identifier even when pairwise is the configured default.
     if (!$client->has('subject_type')) {
         return $public_subject;
     }

     $use_pairwise = 'pairwise' === $client->get('subject_type') || true === $this->isPairwiseSubjectDefault();
     if (!$use_pairwise) {
         return $public_subject;
     }

     // The pairwise value is derived from the user account and the client's sector identifier host.
     $host = $this->getSectorIdentifierHost($client, $redirect_uri);

     return $this->pairwise_algorithm->calculateSubjectIdentifier($user_account, $host);
 }
 /**
  * {@inheritdoc}
  */
 public function createAuthCode(ClientInterface $client, UserAccountInterface $resource_owner, array $query_params, $redirectUri, array $scope = [], $issueRefreshToken = false)
 {
     // Builds an authorization code for the given client and resource owner,
     // persists it and returns it.
     $code = $this->createEmptyAuthorizationCode();

     // What is granted, to whom, and for which client.
     $code->setScope($scope);
     $code->setResourceOwnerPublicId($resource_owner->getUserPublicId());
     $code->setUserAccountPublicId($resource_owner->getPublicId());
     $code->setClientPublicId($client->getPublicId());

     // The expiry is absolute: current time plus the lifetime resolved for this client.
     $expires_at = time() + $this->getLifetime($client);
     $code->setExpiresAt($expires_at);

     // NOTE(review): the code value comes from generateAuthorizationCode(), which is not
     // visible here; confirm that it draws from a cryptographically secure random source.
     $code_value = $this->generateAuthorizationCode();
     $code->setToken($code_value);

     $code->setIssueRefreshToken($issueRefreshToken);
     $code->setQueryParams($query_params);

     // The redirect URI is kept with the code as metadata.
     // NOTE(review): presumably so it can be compared when the code is redeemed - verify at the token endpoint.
     $code->setMetadata('redirect_uri', $redirectUri);

     $this->updateAuthCode($code);
     $this->saveAuthorizationCode($code);

     return $code;
 }
 /**
  * @param \OAuth2\UserAccount\UserAccountInterface $user_account
  * @param string                                   $claim
  * @param null|array                               $config
  *
  * @return null|mixed
  */
 protected function getUserClaim(UserAccountInterface $user_account, $claim, $config)
 {
     // Returns the value the user account holds for $claim, or null when the account
     // has no such claim.
     //
     // The parameter $config is not yet used: the claim is returned as-is, whatever
     // the client requested for it. To be fixed.
     return $user_account->has($claim) ? $user_account->get($claim) : null;
 }
 /**
  * {@inheritdoc}
  */
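 public function calculateSubjectIdentifier(BaseUserAccountInterface $user_account, $sector_identifier_host)
 {
     // Derives the pairwise subject identifier by encrypting
     // "<sector identifier host>:<account public id>:<salt>" and Base64Url-encoding
     // the raw ciphertext.
     //
     // NOTE(review): the IV is read from $this->iv on every call, so the same IV is
     // used for every plaintext. That is what keeps the identifier stable while the
     // algorithm, key, IV and salt are unchanged, but confirm the configured cipher
     // mode tolerates IV reuse (counter and stream modes do not).
     $prepared = sprintf('%s:%s:%s', $sector_identifier_host, $user_account->getPublicId(), $this->salt);

     $ciphertext = openssl_encrypt($prepared, $this->algorithm, $this->pairwise_encryption_key, OPENSSL_RAW_DATA, $this->iv);

     // openssl_encrypt() returns false on failure (for example an unknown cipher).
     // Encoding that value would give every account the same empty identifier, so
     // stop here instead of issuing it.
     if (false === $ciphertext) {
         throw new \RuntimeException('Unable to calculate the pairwise subject identifier.');
     }

     return Base64Url::encode($ciphertext);
 }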
 /**
  * {@inheritdoc}
  */
 public function calculateSubjectIdentifier(BaseUserAccountInterface $user_account, $sector_identifier_host)
 {
     // Derives the pairwise subject identifier as a keyed hash (HMAC) over the sector
     // identifier host, the account's public id and the salt, Base64Url-encoded.
     //
     // NOTE(review): the three parts are concatenated without a separator, so distinct
     // (host, public id) pairs can produce the same input string. Changing the format
     // would change every identifier already issued, so it is only flagged here.
     $account_public_id = $user_account->getPublicId();
     $message = sprintf('%s%s%s', $sector_identifier_host, $account_public_id, $this->salt);

     // The final argument requests the raw binary digest rather than a hex string.
     $digest = hash_hmac($this->algorithm, $message, $this->pairwise_hash_key, true);

     return Base64Url::encode($digest);
 }