/**
* @param \OAuth2\Token\AccessTokenInterface $access_token
*
* @throws \OAuth2\Exception\BaseExceptionInterface
*
* @return \OAuth2\Client\ClientInterface|\OAuth2\EndUser\EndUserInterface
*/
private function getResourceOwner(AccessTokenInterface $access_token)
{
$resource_owner = $this->getClientManagerSupervisor()->getClient($access_token->getResourceOwnerPublicId());
if ($resource_owner instanceof ClientInterface) {
return $resource_owner;
}
$resource_owner = $this->getEndUserManager()->getEndUser($access_token->getResourceOwnerPublicId());
if (!$resource_owner instanceof EndUserInterface) {
throw new BadCredentialsException('Unknown resource owner');
}
return $resource_owner;
}
/**
* @param \OAuth2\Token\AccessTokenInterface $access_token
*
* @throws \OAuth2\Exception\BaseExceptionInterface
*
* @return \OAuth2\Client\ClientInterface|\OAuth2\UserAccount\UserAccountInterface
*/
private function getResourceOwner(AccessTokenInterface $access_token)
{
if (null !== $access_token->getUserAccountPublicId()) {
$resource_owner = $this->getUserAccountManager()->getUserAccountByPublicId($access_token->getUserAccountPublicId());
} else {
$resource_owner = $this->getClientManager()->getClient($access_token->getResourceOwnerPublicId());
}
if (null !== $resource_owner) {
return $resource_owner;
}
throw new BadCredentialsException('Unknown resource owner');
}
/**
* @param \OAuth2\Token\AccessTokenInterface $access_token
* @param \OAuth2\Client\ClientInterface|null $resource_server
*
* @return array
*/
protected function preparePayload(AccessTokenInterface $access_token, ClientInterface $resource_server = null)
{
$aud = [$this->getIssuer()];
if (null !== $resource_server) {
$access_token[] = $resource_server->getPublicId();
}
$payload = ['jti' => Base64Url::encode(random_bytes(25)), 'iss' => $this->getIssuer(), 'aud' => $aud, 'iat' => time(), 'nbf' => time(), 'exp' => $access_token->getExpiresAt(), 'sub' => $access_token->getClientPublicId(), 'token_type' => $access_token->getTokenTypeParameter('token_type'), 'scp' => $access_token->getScope(), 'resource_owner' => $access_token->getResourceOwnerPublicId(), 'user_account' => $access_token->getUserAccountPublicId()];
$payload['metadatas'] = $access_token->getMetadatas();
if (0 !== ($expires_at = $access_token->getExpiresAt())) {
$payload['exp'] = $expires_at;
}
if (!empty($access_token->getParameters())) {
$parameters = $access_token->getParameters();
//This part should be updated to support 'cnf' (confirmation) claim (see POP).
$payload['other'] = $parameters;
}
if (null !== $access_token->getRefreshToken()) {
$payload['refresh_token'] = $access_token->getRefreshToken();
}
return $payload;
}
