/**
* The currently authenticated type must implement oauthable and we need any scopes requested.
*
* @param \Atrauzzi\Oauth2Server\Domain\Service\Scope $scopeService
* @param \Atrauzzi\Oauth2Server\Domain\Repository\Client $clientRepository
* @return bool
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest
*/
public function authorize(ScopeService $scopeService, ClientRepository $clientRepository)
{
try {
$this->requestedScopes = $scopeService->findValid($this->get('scope'), 'authorization', $this->get('client_id'), $this->get('redirect_uri'));
} catch (InvalidScope $ex) {
return false;
}
$this->client = $clientRepository->find($this->get('client_id'), null, 'authorization', $this->get('redirect_uri'));
return $this->user() instanceof Oauthable;
}
/**
* @param \Symfony\Component\HttpFoundation\Request $request
* @param int $grantTypeFlow
* @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable
* @return array
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidCredentials
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRefresh
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidScope
* @throws \Atrauzzi\Oauth2Server\Exception\UnsupportedFlow
*/
public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null)
{
if ($grantTypeFlow != self::FLOW_DEFAULT) {
throw new UnsupportedFlow(get_class(), $grantTypeFlow);
}
if (!($clientId = $request->get('client_id', $request->getUser()))) {
throw new InvalidRequest('client_id');
}
if (!($clientSecret = $request->get('client_secret', $request->getPassword()))) {
throw new InvalidRequest('client_secret');
}
if (!($oldRefreshTokenParam = $request->get('refresh_token', null))) {
throw new InvalidRequest('refresh_token');
}
if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) {
throw new InvalidClient();
}
if (!($originalRefreshToken = $this->refreshTokenRepository->find($oldRefreshTokenParam))) {
throw new InvalidRefresh();
}
if ($originalRefreshToken->isExpired()) {
throw new InvalidRefresh();
}
//
//
$originalScopes = $originalRefreshToken->getScopeNames();
$requestedScopes = array_keys($this->scopeService->findValid($request->get('scope'), null, $client->getId(), $this->getIdentifier()));
$disallowedScopes = array_diff($requestedScopes, $originalScopes);
if (count($disallowedScopes)) {
throw new InvalidScope($disallowedScopes);
}
$scopes = count($requestedScopes) ? $requestedScopes : $originalScopes;
$accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $originalRefreshToken->getOauthableId(), $originalRefreshToken->getOauthableType(), $client->getId(), $scopes);
$tokenStrategy = $this->config->getTokenStrategy();
if ($this->config->shouldRotateRefreshTokens()) {
$newRefreshToken = $this->refreshTokenRepository->create(SecureKey::generate(), $this->config->getRefreshTokenTtl() + time(), $originalRefreshToken->getOauthableId(), $originalRefreshToken->getOauthableType(), $client->getId(), $scopes);
$this->refreshTokenRepository->delete($originalRefreshToken);
unset($originalRefreshToken);
$this->refreshTokenRepository->persist($newRefreshToken);
$accessToken->setRefreshTokenId($newRefreshToken->getId());
// ToDo: Should we try to convey refresh token expiry?
$tokenStrategy->setParam('refresh_token', $newRefreshToken->getId());
}
$this->accessTokenRepository->persist($accessToken);
$tokenStrategy->setParam('access_token', $accessToken->getId());
$tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl());
return $tokenStrategy->generateResponse();
}
/**
* @param \Symfony\Component\HttpFoundation\Request $request
* @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable
* @return string
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidCredentials
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidScope
* @throws \Atrauzzi\Oauth2Server\Exception\UnsupportedResponseType
*/
protected function doAuthorizeFlow(Request $request, Oauthable $oauthable)
{
if (!$oauthable) {
throw new InvalidCredentials();
}
if (!($clientId = $request->query->get('client_id'))) {
throw new InvalidRequest('client_id');
}
if (!($redirectUri = $request->query->get('redirect_uri'))) {
throw new InvalidRequest('redirect_uri');
}
$state = $request->query->get('state');
if ($this->config->stateParamRequired() && !$state) {
throw new InvalidRequest('state', $redirectUri);
}
if (!($responseType = $request->query->get('response_type'))) {
throw new InvalidRequest('response_type', $redirectUri);
}
if ($responseType != $this->getResponseType()) {
throw new UnsupportedResponseType($responseType, $redirectUri);
}
$client = $this->clientRepository->find($clientId, null, $this->getIdentifier(), $redirectUri);
if (!$client instanceof Client) {
throw new InvalidClient();
}
if ($this->config->requireRedirectDomainMatch() && !$this->validateRedirectUri($client->getRedirectUri(), $redirectUri)) {
throw new InvalidRequest('redirect_uri', $redirectUri);
}
//
//
$scopes = $this->scopeService->findValid($request->query->get('scope'), $this->getIdentifier(), $client->getId(), $redirectUri);
$authCode = $this->authorizationCodeRepository->create(SecureKey::generate(), time() + $this->config->getAuthorizationCodeTtl(), $oauthable->getId(), $oauthable->getType(), $client->getId(), $scopes ? array_keys($scopes) : null, $request->get('redirect_uri'));
$this->authorizationCodeRepository->persist($authCode);
return ['authorization_code' => $authCode, 'redirect_uri' => $authCode->generateRedirectUri($state)];
}
/**
* Conducts the checks and operations necessary for the flow indicated in the request.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* @param int $grantTypeFlow
* @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable
* @return array
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest
*/
public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null)
{
if (!($clientId = $request->get('client_id', $request->getUser()))) {
throw new InvalidRequest('client_id');
}
if (!($clientSecret = $request->get('client_secret', $request->getPassword()))) {
throw new InvalidRequest('client_secret');
}
if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) {
throw new InvalidClient();
}
$scopes = $this->scopeService->findValid($request->get('scope'));
//
//
$accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes));
// ToDo: Do we do refresh tokens for this grant type?
$this->accessTokenRepository->persist($accessToken);
$tokenStrategy = $this->config->getTokenStrategy();
$tokenStrategy->setParam('access_token', $accessToken->getId());
$tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl());
return $tokenStrategy->generateResponse();
}
/**
* @param \Symfony\Component\HttpFoundation\Request $request
* @param int $grantTypeFlow
* @param \Atrauzzi\Oauth2Server\Domain\Entity\Oauthable $oauthable
* @return mixed
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidClient
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidCredentials
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidRequest
* @throws \Atrauzzi\Oauth2Server\Exception\InvalidScope
* @throws \Atrauzzi\Oauth2Server\Exception\ServerError
*/
public function doFlow(Request $request, $grantTypeFlow, Oauthable $oauthable = null)
{
if (!$oauthable instanceof Oauthable) {
throw new InvalidCredentials();
}
if ($clientId = $request->get('client_id', $request->getUser())) {
throw new InvalidRequest('client_id');
}
if ($clientSecret = $request->get('client_secret', $request->getPassword())) {
throw new InvalidRequest('client_secret');
}
if (!($client = $this->clientRepository->find($clientId, $clientSecret, $this->getIdentifier()))) {
throw new InvalidClient();
}
if (!($username = $request->get('username'))) {
throw new InvalidRequest('username');
}
if ($password = $request->get('password')) {
throw new InvalidRequest('password');
}
//
//
$scopes = $this->scopeService->findValid($request->get('scopes'), $this->getIdentifier(), $client->getId());
$accessToken = $this->accessTokenRepository->create(SecureKey::generate(), $this->config->getAccessTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes));
$tokenStrategy = $this->config->getTokenStrategy();
if ($this->config->hasGrantType('refresh_token')) {
$refreshToken = $this->refreshTokenRepository->create(SecureKey::generate(), $this->config->getRefreshTokenTtl() + time(), $oauthable->getId(), $oauthable->getType(), $client->getId(), array_keys($scopes));
$this->refreshTokenRepository->persist($refreshToken);
$accessToken->setRefreshTokenId($refreshToken->getId());
$tokenStrategy->setParam('refresh_token', $refreshToken->getId());
}
$this->accessTokenRepository->persist($accessToken);
$tokenStrategy->setParam('access_token', $accessToken->getId());
$tokenStrategy->setParam('expires_in', $this->config->getAccessTokenTtl());
return $tokenStrategy->generateResponse();
}
