/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$refresh_token = RequestBody::getParameter($request, 'refresh_token');
if (null === $refresh_token) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_REQUEST, 'No "refresh_token" parameter found');
}
$token = $this->getRefreshTokenManager()->getRefreshToken($refresh_token);
if (!$token instanceof RefreshTokenInterface) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_GRANT, 'Invalid refresh token');
}
$this->checkRefreshToken($token, $client);
if (empty($grant_type_response->getRequestedScope())) {
$grant_type_response->setRequestedScope($token->getScope());
}
$grant_type_response->setAvailableScope($token->getScope());
$grant_type_response->setResourceOwnerPublicId($token->getResourceOwnerPublicId());
$grant_type_response->setUserAccountPublicId($token->getUserAccountPublicId());
$grant_type_response->setRefreshTokenIssued(true);
$grant_type_response->setRefreshTokenScope($token->getScope());
$grant_type_response->setRefreshTokenRevoked($token);
$grant_type_response->setAdditionalData('metadatas', $token->getMetadatas());
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if (!$client instanceof ConfidentialClientInterface) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_CLIENT, 'The client is not a confidential client');
}
$issue_refresh_token = $this->getConfiguration()->get('issue_refresh_token_with_client_credentials_grant_type', false);
$scope = RequestBody::getParameter($request, 'scope');
$grant_type_response->setRequestedScope($scope);
$grant_type_response->setAvailableScope(null);
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($scope);
$grant_type_response->setRefreshTokenRevoked(null);
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if ($client->isPublic()) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a confidential client');
}
$issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setUserAccountPublicId(null);
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$username = RequestBody::getParameter($request, 'username');
$password = RequestBody::getParameter($request, 'password');
$end_user = $this->getEndUserManager()->getEndUser($username);
if (null === $end_user || !$this->getEndUserManager()->checkEndUserPasswordCredentials($end_user, $password)) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Invalid username and password combination');
}
$scope = RequestBody::getParameter($request, 'scope');
$grant_type_response->setRequestedScope($scope);
$grant_type_response->setAvailableScope(null);
$grant_type_response->setResourceOwnerPublicId($end_user->getPublicId());
$grant_type_response->setRefreshTokenIssued($this->getIssueRefreshToken($client, $end_user));
$grant_type_response->setRefreshTokenScope($scope);
$grant_type_response->setRefreshTokenRevoked(null);
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$refresh_token = RequestBody::getParameter($request, 'refresh_token');
if (null === $refresh_token) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_REQUEST, 'No "refresh_token" parameter found');
}
$token = $this->getRefreshTokenManager()->getRefreshToken($refresh_token);
if (!$token instanceof RefreshTokenInterface || $token->isUsed()) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Invalid refresh token');
}
$this->checkRefreshToken($token, $client);
$grant_type_response->setRequestedScope(RequestBody::getParameter($request, 'scope') ?: $token->getScope());
$grant_type_response->setAvailableScope($token->getScope());
$grant_type_response->setResourceOwnerPublicId($token->getResourceOwnerPublicId());
$grant_type_response->setRefreshTokenIssued(true);
$grant_type_response->setRefreshTokenScope($token->getScope());
$grant_type_response->setRefreshTokenRevoked($token);
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if (false === $client->hasPublicKeySet()) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a client with signature capabilities.');
}
$jwt = $grant_type_response->getAdditionalData('jwt');
try {
$this->getJWTLoader()->verify($jwt, $client->getPublicKeySet());
} catch (\Exception $e) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_REQUEST, $e->getMessage());
}
$issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setUserAccountPublicId(null);
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$username = RequestBody::getParameter($request, 'username');
$password = RequestBody::getParameter($request, 'password');
$user_account = $this->getUserAccountManager()->getUserAccountByUsername($username);
if (null === $user_account || !$this->getUserAccountManager()->checkUserAccountPasswordCredentials($user_account, $password)) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_GRANT, 'Invalid username and password combination');
}
$grant_type_response->setResourceOwnerPublicId($user_account->getUserPublicId());
$grant_type_response->setUserAccountPublicId($user_account->getPublicId());
$grant_type_response->setRefreshTokenIssued($this->issueRefreshToken($client));
$grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param \OAuth2\Grant\GrantTypeResponseInterface $grant_type_response
* @param array $request_parameters
* @param array $token_type_information
* @param array $metadatas
*
* @throws \OAuth2\Exception\BaseExceptionInterface
*
* @return \OAuth2\Token\AccessTokenInterface
*/
private function createAccessToken(ClientInterface $client, GrantTypeResponseInterface $grant_type_response, array $request_parameters, array $token_type_information, array $metadatas)
{
$refresh_token = null;
$resource_owner = $this->getResourceOwner($grant_type_response->getResourceOwnerPublicId(), $grant_type_response->getUserAccountPublicId());
if (true === $this->hasRefreshTokenManager()) {
if (true === $grant_type_response->isRefreshTokenIssued()) {
$refresh_token = $this->getRefreshTokenManager()->createRefreshToken($client, $resource_owner, $grant_type_response->getRefreshTokenScope(), $metadatas);
}
}
$access_token = $this->getAccessTokenManager()->createAccessToken($client, $resource_owner, $token_type_information, $request_parameters, $grant_type_response->getRequestedScope(), $refresh_token, null, $metadatas);
return $access_token;
}
/**
* @param \Psr\Http\Message\ServerRequestInterface $request
* @param \OAuth2\Grant\GrantTypeResponseInterface $grant_type_response
*
* @throws \OAuth2\Exception\BaseExceptionInterface
*
* @return \OAuth2\Client\ClientInterface
*/
protected function findClient(ServerRequestInterface $request, GrantTypeResponseInterface $grant_type_response)
{
if (null === $grant_type_response->getClientPublicId()) {
$client = $this->getClientManagerSupervisor()->findClient($request);
} else {
$client_public_id = $grant_type_response->getClientPublicId();
$client = $this->getClientManagerSupervisor()->getClient($client_public_id);
}
if (!$client instanceof ClientInterface) {
throw $this->getClientManagerSupervisor()->buildAuthenticationException($request);
}
return $client;
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$this->checkClient($request, $client);
$authCode = $this->getAuthCode($request);
if (!$authCode instanceof AuthCodeInterface) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, "Code doesn't exist or is invalid for the client.");
}
$this->checkPKCE($request, $authCode);
$this->checkAuthCode($authCode, $client);
$redirect_uri = RequestBody::getParameter($request, 'redirect_uri');
// Validate the redirect URI.
$this->checkRedirectUri($authCode, $redirect_uri);
$this->getAuthCodeManager()->markAuthCodeAsUsed($authCode);
$grant_type_response->setRequestedScope(RequestBody::getParameter($request, 'scope') ?: $authCode->getScope());
$grant_type_response->setAvailableScope($authCode->getScope());
$grant_type_response->setResourceOwnerPublicId($authCode->getResourceOwnerPublicId());
$grant_type_response->setRefreshTokenIssued($authCode->getIssueRefreshToken());
$grant_type_response->setRefreshTokenScope($authCode->getScope());
$grant_type_response->setRefreshTokenRevoked(null);
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
$this->checkClient($request, $client);
$authCode = $this->getAuthCode($request);
$this->checkPKCE($request, $authCode, $client);
$this->checkAuthCode($authCode, $client);
$redirect_uri = RequestBody::getParameter($request, 'redirect_uri');
// Validate the redirect URI.
$this->checkRedirectUri($authCode, $redirect_uri);
$this->getAuthorizationCodeManager()->markAuthCodeAsUsed($authCode);
if ($this->hasScopeManager()) {
$grant_type_response->setRequestedScope(RequestBody::getParameter($request, 'scope') ? $this->getScopeManager()->convertToArray(RequestBody::getParameter($request, 'scope')) : $authCode->getScope());
$grant_type_response->setAvailableScope($authCode->getScope());
$grant_type_response->setRefreshTokenScope($authCode->getScope());
}
$grant_type_response->setResourceOwnerPublicId($authCode->getResourceOwnerPublicId());
$grant_type_response->setUserAccountPublicId($authCode->getUserAccountPublicId());
$grant_type_response->setRedirectUri($authCode->getMetadata('redirect_uri'));
// Refresh Token
$grant_type_response->setRefreshTokenIssued($authCode->getIssueRefreshToken());
$grant_type_response->setAdditionalData('auth_code', $authCode);
}
