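/**
 * Pull the authorization request data out of the HTTP $request.
 *
 * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it by setting
 *   CONFIG_ENFORCE_INPUT_REDIRECT to true.
 * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that CSRF protection is
 *   MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
 *
 * Validation order matters: client_id is checked first because until the client is known there is no trusted
 * redirect target to send an error to, so those failures are raised as OAuth2ServerException (direct HTTP
 * error) rather than OAuth2RedirectException. Everything after getRedirectUri() reports to the verified
 * redirect_uri.
 *
 * For the implicit grant (response_type = token) error parameters belong in the URI fragment, so every
 * redirect error raised once the response type is known uses TRANSPORT_FRAGMENT for that flow.
 *
 * @param Request $request Request to read the parameters from; when null the current globals are used.
 *
 * @return array The verified client under 'client' plus the filtered input keys
 *               (client_id, response_type, redirect_uri, state, scope).
 *
 * @throws OAuth2ServerException   when no valid client_id was supplied or the client is unknown
 * @throws OAuth2RedirectException when response_type, scope or state are missing or invalid
 *
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
 * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
 *
 * @ingroup oauth2_section_3
 */
protected function getAuthorizeParams(Request $request = null)
{
    // FILTER_REQUIRE_SCALAR rejects array-valued parameters (e.g. ?state[]=x) instead of passing them through;
    // with filter_var_array() a missing key comes back as null and a rejected value as false.
    $filters = array(
        "client_id"     => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR),
        "response_type" => array("flags" => FILTER_REQUIRE_SCALAR),
        "redirect_uri"  => array("filter" => FILTER_SANITIZE_URL),
        "state"         => array("flags" => FILTER_REQUIRE_SCALAR),
        "scope"         => array("flags" => FILTER_REQUIRE_SCALAR),
    );

    if ($request === null) {
        $request = Request::createFromGlobals();
    }

    /**
     * $inputData The draft specifies that the parameters should be retrieved from GET, but you can override to whatever method you like.
     *
     * @var array
     */
    $inputData = $request->query->all();
    $input = filter_var_array($inputData, $filters);

    // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
    if (!$input["client_id"]) {
        throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_REQUEST, "No client id supplied"); // We don't have a good URI to use
    }

    // Get client details
    $client = $this->storage->getClient($input["client_id"]);
    if (!$client) {
        throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, 'Unknown client');
    }

    // FILTER_SANITIZE_URL only strips characters, it does not validate. The redirect target may be trusted only
    // after getRedirectUri() has checked it against the client's registration (and, with
    // CONFIG_ENFORCE_INPUT_REDIRECT, required it); that check lives outside this method.
    $input["redirect_uri"] = $this->getRedirectUri($input["redirect_uri"], $client);

    // type and client_id are required
    if (!$input["response_type"]) {
        throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, 'Invalid response type.', $input["state"]);
    }

    // Check requested auth response type against interfaces of storage engine. Strict comparison: the value is
    // client-controlled and a loose == compares numeric-looking strings numerically.
    $isImplicit = ($input['response_type'] === self::RESPONSE_TYPE_ACCESS_TOKEN);
    if ($input['response_type'] === self::RESPONSE_TYPE_AUTH_CODE) {
        if (!$this->storage instanceof IOAuth2GrantCode) {
            throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"]);
        }
    } elseif ($isImplicit) {
        if (!$this->storage instanceof IOAuth2GrantImplicit) {
            throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"], self::TRANSPORT_FRAGMENT);
        }
    } else {
        throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, null, $input["state"]);
    }

    // Validate that the requested scope is supported. The flow is known now, so implicit-grant errors are
    // carried in the fragment, like the unsupported_response_type case above.
    if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES))) {
        if ($isImplicit) {
            throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"], self::TRANSPORT_FRAGMENT);
        }
        throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"]);
    }

    // Validate state parameter exists (if configured to enforce this)
    if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) {
        if ($isImplicit) {
            // No state to echo back; null is what the 'Invalid response type.' path above passes when state
            // is absent — confirm it matches the exception's default.
            throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.", null, self::TRANSPORT_FRAGMENT);
        }
        throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.");
    }

    // Return retrieved client details together with input
    return array('client' => $client) + $input;
}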