public function testValidCredentialsInvalidScope()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass', 'scope' => 'invalid-scope'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested');
}
public function testInvalidContentType()
{
$bearer = new Bearer();
$request = TestRequest::createPost(array('access_token' => 'ThisIsMyAccessToken'));
$request->server['CONTENT_TYPE'] = 'application/json; charset=UTF-8';
$param = $bearer->getAccessTokenParameter($request, $response = new Response());
$this->assertNull($param);
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_request');
$this->assertEquals($response->getParameter('error_description'), 'The content type for POST requests must be "application/x-www-form-urlencoded"');
}
/**
* Constructor.
* @param Response $response
* @param \Exception $previous The previous exception used for the exception chaining.
*/
public function __construct(Response $response, \Exception $previous = null)
{
if ((int) $response->getStatusCode() == 401) {
$errorCode = $response->getParameter('error', 'required_token');
$message = $response->getParameter('error_description', 'An Access Token is required.');
} else {
$errorCode = $response->getParameter('error', 'unknown');
$message = $response->getParameter('error_description', $response->getStatusText());
}
$this->errorCode = $errorCode;
$this->errorUri = $response->getParameter('error_uri');
return parent::__construct($response->getStatusCode(), $message, 0, $previous);
}
protected function getErrorMessage(\OAuth2\Response $response)
{
$message = Module::t('common', $response->getParameter('error_description'));
if ($message === null) {
$message = Module::t('common', 'An internal server error occurred.');
}
return $message;
}
public function testSuccessfulRequestStripsExtraParameters()
{
$server = $this->getTestServer(array('allow_implicit' => true));
$request = new Request(array('client_id' => 'Test Client ID', 'redirect_uri' => 'http://adobe.com?fake=something', 'response_type' => 'token', 'state' => 'test', 'fake' => 'something'));
$server->handleAuthorizeRequest($request, $response = new Response(), true);
$this->assertEquals($response->getStatusCode(), 302);
$this->assertNull($response->getParameter('error'));
$this->assertNull($response->getParameter('error_description'));
$location = $response->getHttpHeader('Location');
$parts = parse_url($location);
$this->assertFalse(isset($parts['fake']));
$this->assertArrayHasKey('fragment', $parts);
parse_str($parts['fragment'], $params);
$this->assertFalse(isset($parmas['fake']));
$this->assertArrayHasKey('state', $params);
$this->assertEquals($params['state'], 'test');
}
public function testRequestOverride()
{
$request = new TestRequest();
$server = $this->getTestServer();
// Smoke test for override request class
// $server->handleTokenRequest($request, $response = new Response());
// $this->assertInstanceOf('Response', $response);
// $server->handleAuthorizeRequest($request, $response = new Response(), true);
// $this->assertInstanceOf('Response', $response);
// $response = $server->verifyResourceRequest($request, $response = new Response());
// $this->assertTrue(is_bool($response));
/*** make some valid requests ***/
// Valid Token Request
$request->setPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'code' => 'testcode'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 200);
$this->assertNull($response->getParameter('error'));
$this->assertNotNUll($response->getParameter('access_token'));
}
public function testAccessResourceWithCryptoTokenUsingSecondaryStorage()
{
// add the test parameters in memory
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($cryptoToken = $response->getParameter('access_token'));
// make a call to the resource server using the crypto token
$request = TestRequest::createPost(array('access_token' => $cryptoToken));
// create a resource server with the "memory" storage from the grant server
$resourceServer = new Server($server->getStorage('client_credentials'));
$this->assertTrue($resourceServer->verifyResourceRequest($request));
}
public function testCryptoTokenWithRefreshToken()
{
$server = $this->getTestServer();
// add "UserCredentials" grant type and "CryptoToken" response type
// and ensure "CryptoToken" response type has "RefreshToken" storage
$memoryStorage = Bootstrap::getInstance()->getMemoryStorage();
$server->addGrantType(new UserCredentials($memoryStorage));
$server->addGrantType(new RefreshToken($memoryStorage));
$server->addResponseType(new CryptoToken($memoryStorage, $memoryStorage, $memoryStorage), 'token');
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass'));
// make the call to grant a crypto token
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($cryptoToken = $response->getParameter('access_token'));
$this->assertNotNull($refreshToken = $response->getParameter('refresh_token'));
// decode token and make sure refresh_token isn't set
list($header, $payload, $signature) = explode('.', $cryptoToken);
$decodedToken = json_decode(base64_decode($payload), true);
$this->assertFalse(array_key_exists('refresh_token', $decodedToken));
// use the refresh token to get another access token
$request = TestRequest::createPost(array('grant_type' => 'refresh_token', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'refresh_token' => $refreshToken));
$server->handleTokenRequest($request, $response = new Response());
$this->assertNotNull($response->getParameter('access_token'));
}
public function testGrantCodeAccessTokenOnNewCode()
{
$request = TestRequest::createPost(array('grant_type' => 'device_code', 'client_id' => 'test_client_id'));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertNotNull($response->getParameter('code'));
$deviceCodeResponse = $response;
// Get access token when user_id is null
$request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code')));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertArrayHasKey('error', $response->getParameters());
$this->assertEquals('authorization_pending', $response->getParameter('error'));
// Update user_id and verify response
$deviceStorage = $this->server->getStorage('device_code');
$code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id');
$deviceStorage->setDeviceCode($code['device_code'], $code['user_code'], $code['client_id'], 1, $code['expires'], $code['scope']);
$request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code')));
$this->server->handleDeviceRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 200);
$this->assertArrayHasKey('access_token', $response->getParameters());
//ensure device code was deleted
$code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id');
$this->assertFalse($code);
}
public function testValidClientDifferentCode()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Some Other Client', 'client_secret' => 'TestSecret3', 'code' => 'testcode'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_grant');
$this->assertEquals($response->getParameter('error_description'), 'authorization_code doesn\'t exist or is invalid for the client');
}
public function testMalformedToken()
{
$server = $this->getTestServer();
$request = Request::createFromGlobals();
$request->headers['AUTHORIZATION'] = 'Bearer accesstoken-malformed';
$allow = $server->verifyResourceRequest($request, $response = new Response());
$this->assertFalse($allow);
$this->assertEquals($response->getStatusCode(), 401);
$this->assertEquals($response->getParameter('error'), 'invalid_token');
$this->assertEquals($response->getParameter('error_description'), 'Malformed token (missing "expires")');
}
public function testInvalidClientIdScope()
{
// add the test parameters in memory
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'code' => 'testcode-with-scope', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'scope' => 'clientscope3'));
$server->handleTokenRequest($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'The scope requested is invalid for this request');
}
public function testJtiReplayAttack()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(99999999900, null, '*****@*****.**', 'Test Client ID', 'totally_new_jti')));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertNotNull($token);
$this->assertArrayHasKey('access_token', $token);
//Replay the same request
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_grant');
$this->assertEquals($response->getParameter('error_description'), 'JSON Token Identifier (jti) has already been used');
}
public function testNoSecretWithConfidentialClient()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'username' => 'test-username', 'password' => 'testpass'));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_client');
$this->assertEquals($response->getParameter('error_description'), 'This client is invalid or must authenticate using a client secret');
}
/**
* @see http://tools.ietf.org/html/rfc6749#section-4.1.3
* @see https://github.com/bshaffer/oauth2-server-php/issues/163
*/
public function testNoRedirectUriSuppliedDoesNotRequireTokenRedirectUri()
{
$server = $this->getTestServer();
$request = new Request(array('client_id' => 'Test Client ID with Redirect Uri', 'response_type' => 'code', 'state' => 'xyz'));
$server->handleAuthorizeRequest($request, $response = new Response(), true);
$this->assertEquals($response->getStatusCode(), 302);
$this->assertContains('state', $response->getHttpHeader('Location'));
$this->assertStringStartsWith('http://brentertainment.com?code=', $response->getHttpHeader('Location'));
$parts = parse_url($response->getHttpHeader('Location'));
parse_str($parts['query'], $query);
// call token endpoint with no redirect_uri supplied
$request = TestRequest::createPost(array('client_id' => 'Test Client ID with Redirect Uri', 'client_secret' => 'TestSecret2', 'grant_type' => 'authorization_code', 'code' => $query['code']));
$server->handleTokenRequest($request, $response = new Response(), true);
$this->assertEquals($response->getStatusCode(), 200);
$this->assertNotNull($response->getParameter('access_token'));
}
public function testValidJwtInvalidScope()
{
$server = $this->getTestServer();
$request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(null, null, null, 'Test Client ID', 'invalid-scope')));
$token = $server->grantAccessToken($request, $response = new Response());
$this->assertEquals($response->getStatusCode(), 400);
$this->assertEquals($response->getParameter('error'), 'invalid_scope');
$this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested');
}
