$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_scope', 'invalid scope: ' . $firstOffendingScope, 'INVALID_SCOPE', array('SCOPE' => $firstOffendingScope));
}
//something went wrong, but we do have a valid uri to redirect to.
$errorParameters['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters);
if (isset($_REQUEST['state'])) {
$errorParameters['state'] = $_REQUEST['state'];
}
unset($errorParameters['error_code_internal']);
unset($errorParameters['error_parameters_internal']);
sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($returnUri, $errorParameters));
} else {
if (is_string(parse_url($returnUri, PHP_URL_FRAGMENT))) {
$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'fragments are not allowed in redirect_uri: ' . $returnUri, 'FRAGMENT_REDIRECT_URI', array('REDIRECT_URI' => $returnUri, 'FRAGMENT' => parse_url($returnUri, PHP_URL_FRAGMENT)));
} else {
// this is not a proper error code used only internally
$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_redirect_uri', 'illegal redirect_uri: ' . $returnUri, 'INVALID_REDIRECT_URI', array('REDIRECT_URI' => $returnUri));
}
}
} else {
$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('server_error', 'no redirection uri associated with client id', 'NO_REDIRECT_URI', array());
}
} else {
if (isset($_REQUEST['client_id'])) {
$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unauthorized_client', 'unauthorized_client: ' . $_REQUEST['client_id'], 'UNAUTHORIZED_CLIENT', array('CLIENT_ID' => $_REQUEST['client_id']));
} else {
$errorParameters = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('missing_client', 'missing client id', 'MISSING_CLIENT_ID', array());
}
}
//something went wrong, and we do not have a valid uri to redirect to.
$error_uri = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $errorParameters);
SimpleSAML\Utils\HTTP::redirectTrustedURL($error_uri);
}
} else {
$response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_request', 'missing client id', 'MISSING_CLIENT_ID', array());
$errorCode = 400;
}
} else {
$response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('unsupported_grant_type', 'unsupported grant type: ' . $_POST['grant_type'], 'UNSUPPORTED_GRANT_TYPE', array('GRANT_TYPE' => $_POST['grant_type']));
$errorCode = 400;
}
} else {
$response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_request', 'missing grant type', 'MISSING_GRANT_TYPE', array());
$errorCode = 400;
}
} elseif ($_SERVER['REQUEST_METHOD'] != 'OPTIONS') {
//dont freak over the damn ajax options pre-flight requests
$response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('invalid_request', 'http(s) POST required', 'MUST_POST', array());
$errorCode = 400;
}
header('X-PHP-Response-Code: ' . $errorCode, true, $errorCode);
if ($errorCode === 401) {
header("WWW-Authenticate: Basic realm=\"OAuth 2.0\"", true, $errorCode);
}
if (!is_null($response)) {
if (array_key_exists('error', $response)) {
$error_uri = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $response);
$response['error_uri'] = $error_uri;
unset($response['error_code_internal']);
unset($response['error_parameters_internal']);
}
echo json_encode($response);
}
/**
* @group unit
* @group utility
*/
public function testBuildErrorResponse()
{
$this->assertEquals(array('error' => 'ERROR', 'error_description' => 'ERROR_DESCRIPTION', 'error_code_internal' => 'ERROR_CODE_INTERNAL', 'error_parameters_internal' => array('A' => '1', 'B' => '2')), \sspmod_oauth2server_Utility_Uri::buildErrorResponse('ERROR', 'ERROR_DESCRIPTION', 'ERROR_CODE_INTERNAL', array('A' => '1', 'B' => '2')));
}
}
if (array_key_exists('state', $state)) {
$fragment .= '&state=' . $state['state'];
}
sspmod_oauth2server_Utility_Uri::redirectUri($state['returnUri'] . $fragment);
}
} else {
if (array_key_exists('deny', $_REQUEST)) {
$response = \sspmod_oauth2server_Utility_Uri::buildErrorResponse('access_denied', 'request denied by resource owner', 'CONSENT_NOT_GRANTED', array());
$response['error_uri'] = SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('oauth2server/authorization/error.php'), $response);
if (array_key_exists('state', $state)) {
$response['state'] = $state['state'];
}
unset($response['error_code_internal']);
unset($response['error_parameters_internal']);
sspmod_oauth2server_Utility_Uri::redirectUri(sspmod_oauth2server_Utility_Uri::addQueryParametersToUrl($state['returnUri'], $response));
}
}
$t = new SimpleSAML_XHTML_Template($globalConfig, 'oauth2server:authorization/consent.php');
foreach ($config->getValue('scopes', array()) as $scope => $translations) {
$t->includeInlineTranslation('{oauth2server:oauth2server:' . $scope . '}', $translations);
}
$t->includeInlineTranslation('{oauth2server:oauth2server:client_description}', array_key_exists('description', $client) ? $client['description'] : array('' => ''));
$t->data['clientId'] = $state['clientId'];
$t->data['stateId'] = $_REQUEST['stateId'];
$t->data['scopes'] = array();
$scopes = isset($client['scope']) ? $client['scope'] : array();
foreach ($state['requestedScopes'] as $scope) {
$t->data['scopes'][$scope] = isset($scopes[$scope]) && $scopes[$scope];
}
$t->data['form'] = SimpleSAML_Module::getModuleURL('oauth2server/authorization/consent.php');