/** * Execute operations before OAuth2 Server sends a token response. * * @param \OAuth2Server|NULL $server * @param \OAuth2\Request $request * @param \OAuth2\Response $response */ function hook_oauth2_server_token($server, \OAuth2\Request $request, \OAuth2\Response $response) { // Example: if the response is not successful, log a message. if ($response->getStatusCode() != 200) { watchdog('mymodule', 'Failed token response from server @server: @code @body', array('@server' => $server ? $server->name : NULL, '@code' => $response->getStatusCode(), '@body' => $response->getResponseBody())); } }
public function __construct(\OAuth2\Response $response) { $this->response = $response; $this->code = $response->getStatusCode(); $this->description = $response->getStatusText(); $this->message = $response->getResponseBody(); }
protected function getErrorMessage(\OAuth2\Response $response) { $message = Module::t('common', $response->getParameter('error_description')); if ($message === null) { $message = Module::t('common', 'An internal server error occurred.'); } return $message; }
public function testValidCredentialsInvalidScope() { $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass', 'scope' => 'invalid-scope')); $token = $server->grantAccessToken($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_scope'); $this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested'); }
/** * Convert the OAuth2 response to a \Zend\Http\Response * * @param $response OAuth2Response * @return \Zend\Http\Response */ private function setHttpResponse(OAuth2Response $response) { $httpResponse = $this->getResponse(); $httpResponse->setStatusCode($response->getStatusCode()); $headers = $httpResponse->getHeaders(); $headers->addHeaders($response->getHttpHeaders()); $headers->addHeaderLine('Content-type', 'application/json'); $httpResponse->setContent($response->getResponseBody()); return $httpResponse; }
public function testInvalidContentType() { $bearer = new Bearer(); $request = TestRequest::createPost(array('access_token' => 'ThisIsMyAccessToken')); $request->server['CONTENT_TYPE'] = 'application/json; charset=UTF-8'; $param = $bearer->getAccessTokenParameter($request, $response = new Response()); $this->assertNull($param); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_request'); $this->assertEquals($response->getParameter('error_description'), 'The content type for POST requests must be "application/x-www-form-urlencoded"'); }
/** * Takes an OAuth2 response and converts it to JSON output via Tonis\Http\Response. * * @param Response $oauthResponse * @param ResponseInterface $psrResponse * @return ResponseInterface */ public static function convertResponseToPsr7(Response $oauthResponse, ResponseInterface $psrResponse) { $psrResponse = $psrResponse->withStatus($oauthResponse->getStatusCode()); foreach ($oauthResponse->getHttpHeaders() as $header => $value) { $psrResponse = $psrResponse->withHeader($header, $value); } if (!empty($oauthResponse->getParameters())) { $psrResponse = $psrResponse->withHeader('Content-Type', 'application/json'); $psrResponse->getBody()->write(json_encode($oauthResponse->getParameters())); } return $psrResponse; }
/** * Copies values from the given Oauth2\Response to a PSR-7 Http Response. * * @param OAuth2\Response $oauth2Response The OAuth2 server response. * * @return \Psr\Http\Message\ResponseInterface */ public static final function fromOauth2(OAuth2\Response $oauth2Response) { $headers = []; foreach ($oauth2Response->getHttpHeaders() as $key => $value) { $headers[$key] = explode(', ', $value); } $stream = fopen('php://temp', 'r+'); if (!empty($oauth2Response->getParameters())) { fwrite($stream, $oauth2Response->getResponseBody()); rewind($stream); } return new Response(new Stream($stream), $oauth2Response->getStatusCode(), $headers); }
public function testAccessResourceWithCryptoTokenUsingSecondaryStorage() { // add the test parameters in memory $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'client_credentials', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret')); $server->handleTokenRequest($request, $response = new Response()); $this->assertNotNull($cryptoToken = $response->getParameter('access_token')); // make a call to the resource server using the crypto token $request = TestRequest::createPost(array('access_token' => $cryptoToken)); // create a resource server with the "memory" storage from the grant server $resourceServer = new Server($server->getStorage('client_credentials')); $this->assertTrue($resourceServer->verifyResourceRequest($request)); }
/** * Constructor. * @param Response $response * @param \Exception $previous The previous exception used for the exception chaining. */ public function __construct(Response $response, \Exception $previous = null) { if ((int) $response->getStatusCode() == 401) { $errorCode = $response->getParameter('error', 'required_token'); $message = $response->getParameter('error_description', 'An Access Token is required.'); } else { $errorCode = $response->getParameter('error', 'unknown'); $message = $response->getParameter('error_description', $response->getStatusText()); } $this->errorCode = $errorCode; $this->errorUri = $response->getParameter('error_uri'); return parent::__construct($response->getStatusCode(), $message, 0, $previous); }
public function testSuccessfulRequestStripsExtraParameters() { $server = $this->getTestServer(array('allow_implicit' => true)); $request = new Request(array('client_id' => 'Test Client ID', 'redirect_uri' => 'http://adobe.com?fake=something', 'response_type' => 'token', 'state' => 'test', 'fake' => 'something')); $server->handleAuthorizeRequest($request, $response = new Response(), true); $this->assertEquals($response->getStatusCode(), 302); $this->assertNull($response->getParameter('error')); $this->assertNull($response->getParameter('error_description')); $location = $response->getHttpHeader('Location'); $parts = parse_url($location); $this->assertFalse(isset($parts['fake'])); $this->assertArrayHasKey('fragment', $parts); parse_str($parts['fragment'], $params); $this->assertFalse(isset($parmas['fake'])); $this->assertArrayHasKey('state', $params); $this->assertEquals($params['state'], 'test'); }
public function testNoSecretWithConfidentialClient() { $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'username' => 'test-username', 'password' => 'testpass')); $token = $server->grantAccessToken($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_client'); $this->assertEquals($response->getParameter('error_description'), 'This client is invalid or must authenticate using a client secret'); }
private function extractTokenDataFromResponse(Response $response) { $this->assertEquals($response->getStatusCode(), 302); $location = $response->getHttpHeader('Location'); $this->assertNotContains('error', $location); $parts = parse_url($location); $this->assertArrayHasKey('fragment', $parts); $this->assertFalse(isset($parts['query'])); parse_str($parts['fragment'], $params); $this->assertNotNull($params); $this->assertArrayHasKey('id_token', $params); $this->assertArrayNotHasKey('access_token', $params); list($headb64, $payloadb64, $signature) = explode('.', $params['id_token']); $jwt = new Jwt(); $header = json_decode($jwt->urlSafeB64Decode($headb64), true); $payload = json_decode($jwt->urlSafeB64Decode($payloadb64), true); return array($header, $payload, $signature); }
public function testRequestOverride() { $request = new TestRequest(); $server = $this->getTestServer(); // Smoke test for override request class // $server->handleTokenRequest($request, $response = new Response()); // $this->assertInstanceOf('Response', $response); // $server->handleAuthorizeRequest($request, $response = new Response(), true); // $this->assertInstanceOf('Response', $response); // $response = $server->verifyResourceRequest($request, $response = new Response()); // $this->assertTrue(is_bool($response)); /*** make some valid requests ***/ // Valid Token Request $request->setPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'code' => 'testcode')); $server->handleTokenRequest($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 200); $this->assertNull($response->getParameter('error')); $this->assertNotNUll($response->getParameter('access_token')); }
public function testHandleAuthorizeRequest() { // add the test parameters in memory $server = $this->getTestServer(array('allow_implicit' => true)); $request = new Request(array('response_type' => 'token id_token', 'redirect_uri' => 'http://adobe.com', 'client_id' => 'Test Client ID', 'scope' => 'openid', 'state' => 'test', 'nonce' => 'test')); $server->handleAuthorizeRequest($request, $response = new Response(), true); $this->assertEquals($response->getStatusCode(), 302); $location = $response->getHttpHeader('Location'); $this->assertNotContains('error', $location); $parts = parse_url($location); $this->assertArrayHasKey('fragment', $parts); $this->assertFalse(isset($parts['query'])); // assert fragment is in "application/x-www-form-urlencoded" format parse_str($parts['fragment'], $params); $this->assertNotNull($params); $this->assertArrayHasKey('id_token', $params); $this->assertArrayHasKey('access_token', $params); $this->validateIdToken($params['id_token']); }
public function testHandleAuthorizeRequest() { // add the test parameters in memory $server = $this->getTestServer(); $request = new Request(array('response_type' => 'code id_token', 'redirect_uri' => 'http://adobe.com', 'client_id' => 'Test Client ID', 'scope' => 'openid', 'state' => 'test', 'nonce' => 'test')); $server->handleAuthorizeRequest($request, $response = new Response(), true); $this->assertEquals($response->getStatusCode(), 302); $location = $response->getHttpHeader('Location'); $this->assertNotContains('error', $location); $parts = parse_url($location); $this->assertArrayHasKey('query', $parts); // assert fragment is in "application/x-www-form-urlencoded" format parse_str($parts['query'], $params); $this->assertNotNull($params); $this->assertArrayHasKey('id_token', $params); $this->assertArrayHasKey('code', $params); // validate ID Token $parts = explode('.', $params['id_token']); foreach ($parts as &$part) { // Each part is a base64url encoded json string. $part = str_replace(array('-', '_'), array('+', '/'), $part); $part = base64_decode($part); $part = json_decode($part, true); } list($header, $claims, $signature) = $parts; $this->assertArrayHasKey('iss', $claims); $this->assertArrayHasKey('sub', $claims); $this->assertArrayHasKey('aud', $claims); $this->assertArrayHasKey('iat', $claims); $this->assertArrayHasKey('exp', $claims); $this->assertArrayHasKey('auth_time', $claims); $this->assertArrayHasKey('nonce', $claims); // only exists if an access token was granted along with the id_token $this->assertArrayNotHasKey('at_hash', $claims); $this->assertEquals($claims['iss'], 'test'); $this->assertEquals($claims['aud'], 'Test Client ID'); $this->assertEquals($claims['nonce'], 'test'); $duration = $claims['exp'] - $claims['iat']; $this->assertEquals($duration, 3600); }
public function testCryptoTokenWithRefreshToken() { $server = $this->getTestServer(); // add "UserCredentials" grant type and "CryptoToken" response type // and ensure "CryptoToken" response type has "RefreshToken" storage $memoryStorage = Bootstrap::getInstance()->getMemoryStorage(); $server->addGrantType(new UserCredentials($memoryStorage)); $server->addGrantType(new RefreshToken($memoryStorage)); $server->addResponseType(new CryptoToken($memoryStorage, $memoryStorage, $memoryStorage), 'token'); $request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'username' => 'test-username', 'password' => 'testpass')); // make the call to grant a crypto token $server->handleTokenRequest($request, $response = new Response()); $this->assertNotNull($cryptoToken = $response->getParameter('access_token')); $this->assertNotNull($refreshToken = $response->getParameter('refresh_token')); // decode token and make sure refresh_token isn't set list($header, $payload, $signature) = explode('.', $cryptoToken); $decodedToken = json_decode(base64_decode($payload), true); $this->assertFalse(array_key_exists('refresh_token', $decodedToken)); // use the refresh token to get another access token $request = TestRequest::createPost(array('grant_type' => 'refresh_token', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'refresh_token' => $refreshToken)); $server->handleTokenRequest($request, $response = new Response()); $this->assertNotNull($response->getParameter('access_token')); }
public function testGrantCodeAccessTokenOnNewCode() { $request = TestRequest::createPost(array('grant_type' => 'device_code', 'client_id' => 'test_client_id')); $this->server->handleDeviceRequest($request, $response = new Response()); $this->assertNotNull($response->getParameter('code')); $deviceCodeResponse = $response; // Get access token when user_id is null $request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code'))); $this->server->handleDeviceRequest($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertArrayHasKey('error', $response->getParameters()); $this->assertEquals('authorization_pending', $response->getParameter('error')); // Update user_id and verify response $deviceStorage = $this->server->getStorage('device_code'); $code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id'); $deviceStorage->setDeviceCode($code['device_code'], $code['user_code'], $code['client_id'], 1, $code['expires'], $code['scope']); $request = TestRequest::createPost(array('grant_type' => 'device_token', 'client_id' => 'test_client_id', 'code' => $deviceCodeResponse->getParameter('code'))); $this->server->handleDeviceRequest($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 200); $this->assertArrayHasKey('access_token', $response->getParameters()); //ensure device code was deleted $code = $deviceStorage->getDeviceCode($deviceCodeResponse->getParameter('code'), 'test_client_id'); $this->assertFalse($code); }
/** * Merge the OAuth2\Response instance's status and headers into the current Zend\Http\Response. * * @param int $status * @param Response $response * @param OAuth2Response $oauth2Response * @return Response */ private function mergeOAuth2Response($status, Response $response, OAuth2Response $oauth2Response) { $response->setStatusCode($status); return $this->mergeOAuth2ResponseHeaders($response, $oauth2Response->getHttpHeaders()); }
public function testMalformedToken() { $server = $this->getTestServer(); $request = Request::createFromGlobals(); $request->headers['AUTHORIZATION'] = 'Bearer accesstoken-malformed'; $allow = $server->verifyResourceRequest($request, $response = new Response()); $this->assertFalse($allow); $this->assertEquals($response->getStatusCode(), 401); $this->assertEquals($response->getParameter('error'), 'invalid_token'); $this->assertEquals($response->getParameter('error_description'), 'Malformed token (missing "expires")'); }
public function testValidClientDifferentCode() { $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'client_id' => 'Test Some Other Client', 'client_secret' => 'TestSecret3', 'code' => 'testcode')); $token = $server->grantAccessToken($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_grant'); $this->assertEquals($response->getParameter('error_description'), 'authorization_code doesn\'t exist or is invalid for the client'); }
public function testInvalidRequestMethodForRevoke() { $server = $this->getTestServer(); $request = new TestRequest(); $request->setQuery(array('token_type_hint' => 'access_token')); $server->handleRevokeRequest($request, $response = new Response()); $this->assertTrue($response instanceof Response); $this->assertEquals(405, $response->getStatusCode(), var_export($response, 1)); $this->assertEquals($response->getParameter('error'), 'invalid_request'); $this->assertEquals($response->getParameter('error_description'), 'The request method must be POST when revoking an access token'); }
public function testAddingResponseType() { $storage = $this->getMock('OAuth2\\Storage\\Memory'); $storage->expects($this->any())->method('getClientDetails')->will($this->returnValue(array('client_id' => 'some_client'))); $storage->expects($this->any())->method('checkRestrictedGrantType')->will($this->returnValue(true)); // add with the "code" key explicitly set $codeType = new AuthorizationCode($storage); $server = new Server(); $server->addStorage($storage); $server->addResponseType($codeType); $request = new Request(array('response_type' => 'code', 'client_id' => 'some_client', 'redirect_uri' => 'http://example.com', 'state' => 'xyx')); $server->handleAuthorizeRequest($request, $response = new Response(), true); // the response is successful $this->assertEquals($response->getStatusCode(), 302); $parts = parse_url($response->getHttpHeader('Location')); parse_str($parts['query'], $query); $this->assertTrue(isset($query['code'])); $this->assertFalse(isset($query['error'])); // add with the "code" key not set $codeType = new AuthorizationCode($storage); $server = new Server(array($storage), array(), array(), array($codeType)); $request = new Request(array('response_type' => 'code', 'client_id' => 'some_client', 'redirect_uri' => 'http://example.com', 'state' => 'xyx')); $server->handleAuthorizeRequest($request, $response = new Response(), true); // the response is successful $this->assertEquals($response->getStatusCode(), 302); $parts = parse_url($response->getHttpHeader('Location')); parse_str($parts['query'], $query); $this->assertTrue(isset($query['code'])); $this->assertFalse(isset($query['error'])); }
public function testValidJwtInvalidScope() { $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(null, null, null, 'Test Client ID', 'invalid-scope'))); $token = $server->grantAccessToken($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_scope'); $this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested'); }
public function testSuccessfulOpenidConnectRequest() { $server = $this->getTestServer(array('use_openid_connect' => true, 'issuer' => 'bojanz')); $request = new Request(array('client_id' => 'Test Client ID', 'redirect_uri' => 'http://adobe.com', 'response_type' => 'code', 'state' => 'xyz', 'scope' => 'openid')); $server->handleAuthorizeRequest($request, $response = new Response(), true); $this->assertEquals($response->getStatusCode(), 302); $location = $response->getHttpHeader('Location'); $parts = parse_url($location); parse_str($parts['query'], $query); $location = $response->getHttpHeader('Location'); $parts = parse_url($location); $this->assertArrayHasKey('query', $parts); $this->assertFalse(isset($parts['fragment'])); // assert fragment is in "application/x-www-form-urlencoded" format parse_str($parts['query'], $query); $this->assertNotNull($query); $this->assertArrayHasKey('code', $query); // ensure no error was returned $this->assertFalse(isset($query['error'])); $this->assertFalse(isset($query['error_description'])); // confirm that the id_token has been created. $storage = $server->getStorage('authorization_code'); $code = $storage->getAuthorizationCode($query['code']); $this->assertTrue(!empty($code['id_token'])); }
function output($a) { $oReponse = new Response(); $oReponse->setParameters($a); $oReponse->send(); }
public function testInvalidClientIdScope() { // add the test parameters in memory $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'authorization_code', 'code' => 'testcode', 'client_id' => 'Test Client ID', 'client_secret' => 'TestSecret', 'scope' => 'clientscope3 scope1')); $server->handleTokenRequest($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_scope'); $this->assertEquals($response->getParameter('error_description'), 'An unsupported scope was requested'); }
public function testCanReceiveAccessTokenUsingPasswordGrantTypeWithoutClientSecret() { // add the test parameters in memory $storage = Bootstrap::getInstance()->getMemoryStorage(); $server = new Server($storage); $server->addGrantType(new UserCredentials($storage)); $request = TestRequest::createPost(array('grant_type' => 'password', 'client_id' => 'Test Client ID For Password Grant', 'username' => 'johndoe', 'password' => 'password')); $server->handleTokenRequest($request, $response = new Response()); $this->assertTrue($response instanceof Response); $this->assertEquals(200, $response->getStatusCode(), var_export($response, 1)); $this->assertNull($response->getParameter('error')); $this->assertNull($response->getParameter('error_description')); $this->assertNotNull($response->getParameter('access_token')); $this->assertNotNull($response->getParameter('expires_in')); $this->assertNotNull($response->getParameter('token_type')); }
public function testJtiReplayAttack() { $server = $this->getTestServer(); $request = TestRequest::createPost(array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $this->getJWT(99999999900, null, '*****@*****.**', 'Test Client ID', 'totally_new_jti'))); $token = $server->grantAccessToken($request, $response = new Response()); $this->assertNotNull($token); $this->assertArrayHasKey('access_token', $token); //Replay the same request $token = $server->grantAccessToken($request, $response = new Response()); $this->assertEquals($response->getStatusCode(), 400); $this->assertEquals($response->getParameter('error'), 'invalid_grant'); $this->assertEquals($response->getParameter('error_description'), 'JSON Token Identifier (jti) has already been used'); }
/** * @param Response $response */ public function __construct(Response $response) { $this->setStatusCode($response->getStatusCode()); $this->getHeaders()->addHeader(new GenericHeader('Content-type', 'application/json'))->addHeaders($response->getHttpHeaders()); $this->setContent($response->getResponseBody('json')); }