コード例 #1
0
ファイル: OAuth2.php プロジェクト: jglaine/sugar761-ent
 /**
  * Pull the authorization request data out of the HTTP request.
  * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
  * by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
  * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
  * CSRF protection is MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
  *
  * @param $inputData - The draft specifies that the parameters should be
  * retrieved from GET, but you can override to whatever method you like.
  * @return
  * The authorization parameters so the authorization server can prompt
  * the user for approval if valid.
  *
  * @throws OAuth2ServerException
  * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
  * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
  *
  * @ingroup oauth2_section_3
  */
 public function getAuthorizeParams(array $inputData = NULL)
 {
     $filters = array("client_id" => array("filter" => FILTER_VALIDATE_REGEXP, "options" => array("regexp" => self::CLIENT_ID_REGEXP), "flags" => FILTER_REQUIRE_SCALAR), "response_type" => array("flags" => FILTER_REQUIRE_SCALAR), "redirect_uri" => array("filter" => FILTER_SANITIZE_URL), "state" => array("flags" => FILTER_REQUIRE_SCALAR), "scope" => array("flags" => FILTER_REQUIRE_SCALAR));
     if (!isset($inputData)) {
         $inputData = $_GET;
     }
     $input = filter_var_array($inputData, $filters);
     // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI)
     if (!$input["client_id"]) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "No client id supplied");
         // We don't have a good URI to use
     }
     // Get client details
     $stored = $this->storage->getClientDetails($input["client_id"]);
     if ($stored === FALSE) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_INVALID_CLIENT, "Client id does not exist");
     }
     // Make sure a valid redirect_uri was supplied. If specified, it must match the stored URI.
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
     if (!$input["redirect_uri"] && !$stored["redirect_uri"]) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'No redirect URL was supplied or stored.');
     }
     if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI is mandatory and was not supplied.');
     }
     // Only need to validate if redirect_uri provided on input and stored.
     if ($stored["redirect_uri"] && $input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
         throw new OAuth2ServerException(self::HTTP_BAD_REQUEST, self::ERROR_REDIRECT_URI_MISMATCH, 'The redirect URI provided is missing or does not match');
     }
     // Select the redirect URI
     $input["redirect_uri"] = isset($input["redirect_uri"]) ? $input["redirect_uri"] : $stored["redirect_uri"];
     // type and client_id are required
     if (!$input["response_type"]) {
         throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, 'Invalid or missing response type.', $input["state"]);
     }
     // Check requested auth response type against interfaces of storage engine
     $reflect = new ReflectionClass($this->storage);
     if (!$reflect->hasConstant('RESPONSE_TYPE_' . strtoupper($input['response_type']))) {
         throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_UNSUPPORTED_RESPONSE_TYPE, NULL, $input["state"]);
     }
     // Validate that the requested scope is supported
     if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES))) {
         throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_SCOPE, 'An unsupported scope was requested.', $input["state"]);
     }
     // Validate state parameter exists (if configured to enforce this)
     if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) {
         throw new OAuth2RedirectException($input["redirect_uri"], self::ERROR_INVALID_REQUEST, "The state parameter is required.");
     }
     // Return retrieved client details together with input
     return $input + $stored;
 }
コード例 #2
0
 /**
  * Pull the authorization request data out of the HTTP request.
  * - The redirect_uri is OPTIONAL as per draft 20. But your implementation can enforce it
  * by setting CONFIG_ENFORCE_INPUT_REDIRECT to true.
  * - The state is OPTIONAL but recommended to enforce CSRF. Draft 21 states, however, that
  * CSRF protection is MANDATORY. You can enforce this by setting the CONFIG_ENFORCE_STATE to true.
  *
  * @param $inputData - The draft specifies that the parameters should be
  * retrieved from GET, but you can override to whatever method you like.
  * @return
  * The authorization parameters so the authorization server can prompt
  * the user for approval if valid.
  *
  * @throws OAuth2ServerException
  * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.1
  * @see http://tools.ietf.org/html/draft-ietf-oauth-v2-21#section-10.12
  * 
  * @ingroup oauth2_section_3
  */
 public function getAuthorizeParams($inputData)
 {
     if (!isset($inputData)) {
         $inputData = $_GET;
     }
     $input = $inputData;
     // THROW ERROR IF client_id IS MISSING
     if (!$input["client_id"]) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'Client id required'));
         echo $error;
         exit;
     }
     // GET CLIENT DETAILS
     $stored = $this->storage->getClientDetails($input["client_id"]);
     if ($stored === FALSE) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'Client not found or not provided'));
         echo $error;
         exit;
     }
     // Make sure a valid redirect_uri was supplied. If specified, it must match the stored URI.
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-3.1.2
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1.2.1
     // @see http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.2.2.1
     if (!$input["redirect_uri"] && !$stored["redirect_uri"]) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'redirect_uri is require'));
         echo $error;
         exit;
     }
     if ($this->getVariable(self::CONFIG_ENFORCE_INPUT_REDIRECT) && !$input["redirect_uri"]) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'redirect_uri is require by Mydwellworks OAuth API'));
         echo $error;
         exit;
     }
     // Only need to validate if redirect_uri provided on input and stored.
     if ($stored["redirect_uri"] && $input["redirect_uri"] && !$this->validateRedirectUri($input["redirect_uri"], $stored["redirect_uri"])) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'The redirect_uri is missing or does not match allowed uri'));
         echo $error;
         exit;
     }
     // Select the redirect URI
     $input["redirect_uri"] = isset($input["redirect_uri"]) ? $input["redirect_uri"] : $stored["redirect_uri"];
     // type and client_id are required
     if (!$input["response_type"]) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'Invalid or missing response_type'));
         echo $error;
         exit;
     }
     if ($input['response_type'] != self::RESPONSE_TYPE_AUTH_CODE && $input['response_type'] != self::RESPONSE_TYPE_ACCESS_TOKEN) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'response_type invalid'));
         echo $error;
         exit;
     }
     // Validate that the requested scope is supported
     if ($input["scope"] && !$this->checkScope($input["scope"], $this->getVariable(self::CONFIG_SUPPORTED_SCOPES))) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'Unsuportted scope'));
         echo $error;
         exit;
     }
     // Validate state parameter exists (if configured to enforce this)
     if ($this->getVariable(self::CONFIG_ENFORCE_STATE) && !$input["state"]) {
         header("Content-Type: application/json");
         header("Cache-Control: no-store");
         $error = json_encode(array('Error' => 'state is required by Mydwellworks'));
         echo $error;
         exit;
     }
     // Return retrieved client details together with input
     return $input + $stored;
 }