The token is returned (as an associative array) if valid.
The scope parameter defines any required scope that the token must have.
If a scope param is provided and the token does not have the required
scope, we bounce the request.
Some implementations may choose to return a subset of the protected
resource (i.e. "public" data) if the user has not provided an access
token or if the access token is invalid or expired.
The IETF spec says that we should send a 401 Unauthorized header and
bail immediately so that's what the defaults are set to. You can catch
the exception thrown and behave differently if you like (log errors, allow
public access for missing tokens, etc)
| public verifyAccessToken ( string $tokenParam, string $scope = null ) : OAuth2\Model\IOAuth2AccessToken | ||
| $tokenParam | string | |
| $scope | string | A space-separated string of required scope(s), if you want to check for scope. |
| return | OAuth2\Model\IOAuth2AccessToken | Token |
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return null;
}
try {
$tokenString = $token->getToken();
if ($accessToken = $this->serverService->verifyAccessToken($tokenString)) {
$scope = $accessToken->getScope();
$user = $accessToken->getUser();
$roles = null !== $user ? $user->getRoles() : array();
if (!empty($scope)) {
foreach (explode(' ', $scope) as $role) {
$roles[] = 'ROLE_' . strtoupper($role);
}
}
$token = new OAuthToken($roles);
$token->setAuthenticated(true);
$token->setToken($tokenString);
if (null !== $user) {
$token->setUser($user);
}
return $token;
}
} catch (OAuth2ServerException $e) {
throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
}
throw new AuthenticationException('OAuth2 authentication failed');
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
}
try {
$tokenString = $token->getToken();
if ($accessToken = $this->serverService->verifyAccessToken($tokenString)) {
$scope = $accessToken->getScope();
$user = $accessToken->getUser();
if (null !== $user) {
try {
$this->userChecker->checkPreAuth($user);
} catch (AccountStatusException $e) {
throw new OAuth2AuthenticateException(OAuth2::HTTP_UNAUTHORIZED, OAuth2::TOKEN_TYPE_BEARER, $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM), 'access_denied', $e->getMessage());
}
$token->setUser($user);
}
$roles = null !== $user ? $user->getRoles() : array();
/*
* This is the only modification from the base class.
* We only add scopes if we're not connected as user.
* Otherwise, if we support the scope admin, everyone will be admin if no scope are requested because fos-oauth2-lib
* doesn't support different scope by clients (https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/201)
* This way, we can bypass this by creating 2 clients: 1 wich grant the password (and refresh) types
* (and will require a user authentication)
* One that grant pretty much all the rest.
*/
if (!$user) {
if (!empty($scope)) {
foreach (explode(' ', $scope) as $role) {
$roles[] = 'ROLE_' . strtoupper($role);
}
}
}
$roles = array_unique($roles, SORT_REGULAR);
$token = new OAuthToken($roles);
$token->setAuthenticated(true);
$token->setToken($tokenString);
if (null !== $user) {
try {
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
throw new OAuth2AuthenticateException(OAuth2::HTTP_UNAUTHORIZED, OAuth2::TOKEN_TYPE_BEARER, $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM), 'access_denied', $e->getMessage());
}
$token->setUser($user);
}
return $token;
}
} catch (OAuth2ServerException $e) {
if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
// Symfony 2.1
throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
}
throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
}
throw new AuthenticationException('OAuth2 authentication failed');
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
}
try {
$tokenString = $token->getToken();
if ($accessToken = $this->serverService->verifyAccessToken($tokenString)) {
$scope = $accessToken->getScope();
$user = $accessToken->getUser();
if (null !== $user) {
try {
$this->userChecker->checkPreAuth($user);
} catch (AccountStatusException $e) {
throw new OAuth2AuthenticateException(OAuth2::HTTP_UNAUTHORIZED, OAuth2::TOKEN_TYPE_BEARER, $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM), 'access_denied', $e->getMessage());
}
$token->setUser($user);
}
$roles = null !== $user ? $user->getRoles() : array();
if (!empty($scope)) {
foreach (explode(' ', $scope) as $role) {
$roles[] = 'ROLE_' . strtoupper($role);
}
}
$roles = array_unique($roles);
$token = new OAuthToken($roles);
$token->setAuthenticated(true);
$token->setToken($tokenString);
if (null !== $user) {
try {
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
throw new OAuth2AuthenticateException(OAuth2::HTTP_UNAUTHORIZED, OAuth2::TOKEN_TYPE_BEARER, $this->serverService->getVariable(OAuth2::CONFIG_WWW_REALM), 'access_denied', $e->getMessage());
}
$token->setUser($user);
}
return $token;
}
} catch (OAuth2ServerException $e) {
if (!method_exists('Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException', 'setToken')) {
// Symfony 2.1
throw new AuthenticationException('OAuth2 authentication failed', null, 0, $e);
}
throw new AuthenticationException('OAuth2 authentication failed', 0, $e);
}
throw new AuthenticationException('OAuth2 authentication failed');
}
/**
* Tests OAuth2->verifyAccessToken() with different scopes
*
* @dataProvider generateScopes
*/
public function testVerifyAccessTokenCheckScope($scopeRequired, IOAuth2AccessToken $token, $expectedToPass)
{
// Set up the mock storage to say this token does not exist
$mockStorage = $this->getMock('OAuth2\\IOAuth2Storage');
$mockStorage->expects($this->once())->method('getAccessToken')->will($this->returnValue($token));
$this->fixture = new OAuth2($mockStorage);
// When valid, we just want any sort of token
if ($expectedToPass) {
$actual = $this->fixture->verifyAccessToken($this->tokenId, $scopeRequired);
$this->assertNotEmpty($actual, "verifyAccessToken() was expected to PASS, but it failed");
$this->assertInstanceOf('OAuth2\\Model\\IOAuth2AccessToken', $actual);
} else {
$this->setExpectedException('OAuth2\\OAuth2AuthenticateException');
$this->fixture->verifyAccessToken($this->tokenId, $scopeRequired);
}
}
/**
* @file
* Sample protected resource.
*
* Obviously not production-ready code, just simple and to the point.
*
* In reality, you'd probably use a nifty framework to handle most of the crud for you.
*/
use OAuth2\OAuth2;
use OAuth2\OAuth2ServerException;
require 'lib/bootstrap.php';
$oauth = new OAuth2(new OAuth2StoragePDO(newPDO()));
try {
$token = $oauth->getBearerToken();
$oauth->verifyAccessToken($token);
} catch (OAuth2ServerException $oauthError) {
$oauthError->sendHttpResponse();
}
// With a particular scope, you'd do:
// $oauth->verifyAccessToken("scope_name");
?>
<html>
<head>
<title>Hello!</title>
</head>
<body>
<p>This is a secret.</p>
</body>
</html>
public function testUse()
{
$client = $this->storage->getClient(1);
$access_token = $this->oauth2->createAccessToken($client, array());
$a = $this->oauth2->verifyAccessToken($access_token['access_token']);
$this->assertInstanceOf('\\ebussola\\oauth\\AccessToken', $a);
}
