/**
* @param OAuth2Request $request
* @param $error
* @param $return_url
* @return null|OAuth2IndirectErrorResponse|OAuth2IndirectFragmentErrorResponse
* @throws Exception
*/
public static function buildResponse(OAuth2Request $request = null, $error, $return_url)
{
$response = null;
$reflector = new ReflectionClass($request);
$class_name = $reflector->getName();
if ($class_name == 'oauth2\\requests\\OAuth2AuthorizationRequest') {
$response_type = $request->getResponseType();
switch ($response_type) {
case OAuth2Protocol::OAuth2Protocol_ResponseType_Token:
return new OAuth2IndirectFragmentErrorResponse($error, $return_url);
break;
case OAuth2Protocol::OAuth2Protocol_ResponseType_Code:
return new OAuth2IndirectErrorResponse($error, $return_url);
break;
default:
throw new Exception(sprintf("invalid response type %s", $response_type));
break;
}
}
return $response;
}
public function __construct(OAuth2Message $msg)
{
parent::__construct($msg);
}
public function canHandle(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);
$class_name = $reflector->getName();
return $class_name == 'oauth2\\requests\\OAuth2AccessTokenValidationRequest' && $request->isValid();
}
public function buildTokenRequest(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);
$class_name = $reflector->getName();
if ($class_name == 'oauth2\\requests\\OAuth2TokenRequest') {
if ($request->getGrantType() !== $this->getType()) {
return null;
}
return new OAuth2RefreshAccessTokenRequest($request->getMessage());
}
return null;
}
/**
* @param OAuth2Request $request
* @return mixed|OAuth2AccessTokenFragmentResponse
* @throws \oauth2\exceptions\UnsupportedResponseTypeException
* @throws \oauth2\exceptions\LockedClientException
* @throws \oauth2\exceptions\InvalidClientException
* @throws \oauth2\exceptions\ScopeNotAllowedException
* @throws \oauth2\exceptions\OAuth2GenericException
* @throws \oauth2\exceptions\InvalidApplicationType
* @throws \oauth2\exceptions\AccessDeniedException
* @throws \oauth2\exceptions\UriNotAllowedException
* @throws \oauth2\exceptions\InvalidOAuth2Request
*/
public function handle(OAuth2Request $request)
{
$reflector = new ReflectionClass($request);
$class_name = $reflector->getName();
if ($class_name == 'oauth2\\requests\\OAuth2AuthorizationRequest') {
$client_id = $request->getClientId();
$response_type = $request->getResponseType();
if ($response_type !== $this->getResponseType()) {
throw new UnsupportedResponseTypeException(sprintf("response_type %s", $response_type));
}
$client = $this->client_service->getClientById($client_id);
if (is_null($client)) {
throw new InvalidClientException($client_id, sprintf("client_id %s", $client_id));
}
if (!$client->isActive() || $client->isLocked()) {
throw new LockedClientException($client, sprintf('client id %s', $client));
}
//check client type
// only public clients could use this grant type
if ($client->getApplicationType() != IClient::ApplicationType_JS_Client) {
throw new InvalidApplicationType($client_id, sprintf('client id %s client type must be JS CLIENT', $client_id));
}
//check redirect uri
$redirect_uri = $request->getRedirectUri();
if (!$client->isUriAllowed($redirect_uri)) {
throw new UriNotAllowedException(sprintf("redirect_to %s", $redirect_uri));
}
//check requested scope
$scope = $request->getScope();
if (is_null($scope) || empty($scope) || !$client->isScopeAllowed($scope)) {
throw new ScopeNotAllowedException(sprintf("scope %s", $scope));
}
$state = $request->getState();
//check user logged
$authentication_response = $this->auth_service->getUserAuthenticationResponse();
if ($authentication_response == IAuthService::AuthenticationResponse_Cancel) {
//clear saved data ...
$this->memento_service->clearCurrentRequest();
$this->auth_service->clearUserAuthenticationResponse();
$this->auth_service->clearUserAuthorizationResponse();
throw new AccessDeniedException();
}
if (!$this->auth_service->isUserLogged()) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doLogin($this->memento_service->getCurrentAuthorizationRequest());
}
$approval_prompt = $request->getApprovalPrompt();
$user = $this->auth_service->getCurrentUser();
if (is_null($user)) {
throw new OAuth2GenericException("Invalid Current User");
}
//validate authorization
//check for former user consents
$authorization_response = $this->auth_service->getUserAuthorizationResponse();
$former_user_consent = $this->user_consent_service->get($user->getId(), $client->getId(), $scope);
if (!(!is_null($former_user_consent) && $approval_prompt == OAuth2Protocol::OAuth2Protocol_Approval_Prompt_Auto)) {
if ($authorization_response == IAuthService::AuthorizationResponse_None) {
$this->memento_service->saveCurrentAuthorizationRequest();
return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
} else {
if ($authorization_response == IAuthService::AuthorizationResponse_DenyOnce) {
//clear saved data ...
$this->memento_service->clearCurrentRequest();
$this->auth_service->clearUserAuthorizationResponse();
throw new AccessDeniedException();
}
}
//save possitive consent
if (is_null($former_user_consent)) {
$this->user_consent_service->add($user->getId(), $client->getId(), $scope);
}
}
// build current audience ...
$audience = $this->scope_service->getStrAudienceByScopeNames(explode(' ', $scope));
//build access token
$access_token = $this->token_service->createAccessTokenFromParams($client_id, $scope, $audience, $user->getId());
//clear saved data ...
$this->memento_service->clearCurrentRequest();
$this->auth_service->clearUserAuthorizationResponse();
return new OAuth2AccessTokenFragmentResponse($redirect_uri, $access_token->getValue(), $access_token->getLifetime(), $scope, $state);
}
throw new InvalidOAuth2Request();
}