/** * Internal function used to get the client credentials from HTTP basic * auth or POST data. * * According to the spec (draft 20), the client_id can be provided in * the Basic Authorization header (recommended) or via GET/POST. * * @return * A list containing the client identifier and password, for example * @code * return array( * CLIENT_ID, * CLIENT_SECRET * ); * @endcode * * @see http://tools.ietf.org/html/rfc6749#section-2.4.1 * * @ingroup oauth2_section_2 */ public function getClientCredentials(OAuth2_RequestInterface $request) { if (!is_null($request->headers('PHP_AUTH_USER')) && !is_null($request->headers('PHP_AUTH_PW'))) { return array('client_id' => $request->headers('PHP_AUTH_USER'), 'client_secret' => $request->headers('PHP_AUTH_PW')); } // This method is not recommended, but is supported by specification if (!is_null($request->request('client_id')) && !is_null($request->request('client_secret'))) { return array('client_id' => $request->request('client_id'), 'client_secret' => $request->request('client_secret')); } if (!is_null($request->query('client_id')) && !is_null($request->query('client_secret'))) { return array('client_id' => $request->query('client_id'), 'client_secret' => $request->query('client_secret')); } $this->response = new OAuth2_Response_Error(400, 'invalid_client', 'Client credentials were not found in the headers or body'); return null; }
/** * This is a convenience function that can be used to get the token, which can then * be passed to getAccessTokenData(). The constraints specified by the draft are * attempted to be adheared to in this method. * * As per the Bearer spec (draft 8, section 2) - there are three ways for a client * to specify the bearer token, in order of preference: Authorization Header, * POST and GET. * * NB: Resource servers MUST accept tokens via the Authorization scheme * (http://tools.ietf.org/html/rfc6750#section-2). * * @todo Should we enforce TLS/SSL in this function? * * @see http://tools.ietf.org/html/rfc6750#section-2.1 * @see http://tools.ietf.org/html/rfc6750#section-2.2 * @see http://tools.ietf.org/html/rfc6750#section-2.3 * * Old Android version bug (at least with version 2.2) * @see http://code.google.com/p/android/issues/detail?id=6684 * */ public function getAccessTokenParameter(OAuth2_RequestInterface $request, OAuth2_ResponseInterface $response) { $headers = $request->headers('AUTHORIZATION'); // Check that exactly one method was used $methodsUsed = !empty($headers) + !is_null($request->query($this->config['token_param_name'])) + !is_null($request->request($this->config['token_param_name'])); if ($methodsUsed > 1) { $response->setError(400, 'invalid_request', 'Only one method may be used to authenticate at a time (Auth header, GET or POST)'); return null; } if ($methodsUsed == 0) { $response->setStatusCode(401); return null; } // HEADER: Get the access token from the header if (!empty($headers)) { if (!preg_match('/' . $this->config['token_bearer_header_name'] . '\\s(\\S+)/', $headers, $matches)) { $response->setError(400, 'invalid_request', 'Malformed auth header'); return null; } return $matches[1]; } if ($request->request($this->config['token_param_name'])) { // POST: Get the token from POST data if (strtolower($request->server('REQUEST_METHOD')) != 'post') { $response->setError(400, 'invalid_request', 'When putting the token in the body, the method must be POST'); return null; } $contentType = $request->server('CONTENT_TYPE'); if (false !== ($pos = strpos($contentType, ';'))) { $contentType = substr($contentType, 0, $pos); } if ($contentType !== null && $contentType != 'application/x-www-form-urlencoded') { // IETF specifies content-type. NB: Not all webservers populate this _SERVER variable // @see http://tools.ietf.org/html/rfc6750#section-2.2 $response->setError(400, 'invalid_request', 'The content type for POST requests must be "application/x-www-form-urlencoded"'); return null; } return $request->request($this->config['token_param_name']); } // GET method return $request->query($this->config['token_param_name']); }
public function validateAuthorizeRequest(OAuth2_RequestInterface $request) { // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI) if (!($client_id = $request->query("client_id"))) { // We don't have a good URI to use $this->response = new OAuth2_Response_Error(400, 'invalid_client', "No client id supplied"); return false; } // Get client details if (!($clientData = $this->clientStorage->getClientDetails($client_id))) { $this->response = new OAuth2_Response_Error(400, 'invalid_client', 'The client id supplied is invalid'); return false; } $clientData += array('redirect_uri' => null); // this should be set. We should create ClientData interface if ($clientData === false) { $this->response = new OAuth2_Response_Error(400, 'invalid_client', "Client id does not exist"); return false; } // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI. // @see http://tools.ietf.org/html/rfc6749#section-3.1.2 // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1 // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1 if (!($redirect_uri = $request->query('redirect_uri')) && !($redirect_uri = $clientData['redirect_uri'])) { $this->response = new OAuth2_Response_Error(400, 'invalid_uri', 'No redirect URI was supplied or stored'); return false; } $parts = parse_url($redirect_uri); if (isset($parts['fragment']) && $parts['fragment']) { $this->response = new OAuth2_Response_Error(400, 'invalid_uri', 'The redirect URI must not contain a fragment'); return false; } // Only need to validate if redirect_uri provided on input and clientData. if ($clientData["redirect_uri"] && $redirect_uri && !$this->validateRedirectUri($redirect_uri, $clientData["redirect_uri"])) { $this->response = new OAuth2_Response_Error(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match'); return false; } // Select the redirect URI $redirect_uri = $redirect_uri ? $redirect_uri : $clientData["redirect_uri"]; $response_type = $request->query('response_type'); $state = $request->query('state'); if (!($scope = $this->scopeUtil->getScopeFromRequest($request))) { $scope = $this->scopeUtil->getDefaultScope(); } // type and client_id are required if (!$response_type || !in_array($response_type, array(self::RESPONSE_TYPE_AUTHORIZATION_CODE, self::RESPONSE_TYPE_ACCESS_TOKEN))) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'invalid_request', 'Invalid or missing response type', $state); return false; } if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) { if (!isset($this->responseTypes['code'])) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'unsupported_response_type', 'authorization code grant type not supported', $state); return false; } if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) { $this->response = new OAuth2_Response_Error(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied.'); return false; } } if ($response_type == self::RESPONSE_TYPE_ACCESS_TOKEN && !$this->config['allow_implicit']) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'unsupported_response_type', 'implicit grant type not supported', $state); return false; } // Validate that the requested scope is supported if (false === $scope) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'invalid_client', 'This application requires you specify a scope parameter', $state); return false; } if (!is_null($scope) && !$this->scopeUtil->checkScope($scope, $this->scopeUtil->getSupportedScopes($client_id))) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'invalid_scope', 'An unsupported scope was requested', $state); return false; } // Validate state parameter exists (if configured to enforce this) if ($this->config['enforce_state'] && !$state) { $this->response = new OAuth2_Response_Redirect($redirect_uri, 302, 'invalid_request', 'The state parameter is required'); return false; } // Return retrieved client details together with input return (array) $request->getAllQueryParameters() + $clientData + array('scope' => $scope, 'state' => null); }
public function validateAuthorizeRequest(OAuth2_RequestInterface $request, OAuth2_ResponseInterface $response) { // Make sure a valid client id was supplied (we can not redirect because we were unable to verify the URI) if (!($client_id = $request->query("client_id"))) { // We don't have a good URI to use $response->setError(400, 'invalid_client', "No client id supplied"); return false; } // Get client details if (!($clientData = $this->clientStorage->getClientDetails($client_id))) { $response->setError(400, 'invalid_client', 'The client id supplied is invalid'); return false; } $registered_redirect_uri = isset($clientData['redirect_uri']) ? $clientData['redirect_uri'] : ''; // Make sure a valid redirect_uri was supplied. If specified, it must match the clientData URI. // @see http://tools.ietf.org/html/rfc6749#section-3.1.2 // @see http://tools.ietf.org/html/rfc6749#section-4.1.2.1 // @see http://tools.ietf.org/html/rfc6749#section-4.2.2.1 if ($redirect_uri = $request->query('redirect_uri')) { // validate there is no fragment supplied $parts = parse_url($redirect_uri); if (isset($parts['fragment']) && $parts['fragment']) { $response->setError(400, 'invalid_uri', 'The redirect URI must not contain a fragment'); return false; } // validate against the registered redirect uri(s) if available if ($registered_redirect_uri && !$this->validateRedirectUri($redirect_uri, $registered_redirect_uri)) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI provided is missing or does not match', '#section-3.1.2'); return false; } } else { // use the registered redirect_uri if none has been supplied, if possible if (!$registered_redirect_uri) { $response->setError(400, 'invalid_uri', 'No redirect URI was supplied or stored'); return false; } if (count(explode(' ', $registered_redirect_uri)) > 1) { $response->setError(400, 'invalid_uri', 'A redirect URI must be supplied when multiple redirect URIs are registered', '#section-3.1.2.3'); return false; } $redirect_uri = $registered_redirect_uri; } // Select the redirect URI $response_type = $request->query('response_type'); $state = $request->query('state'); if (!($scope = $this->scopeUtil->getScopeFromRequest($request))) { $scope = $this->scopeUtil->getDefaultScope(); } // type and client_id are required if (!$response_type || !in_array($response_type, array(self::RESPONSE_TYPE_AUTHORIZATION_CODE, self::RESPONSE_TYPE_ACCESS_TOKEN))) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_request', 'Invalid or missing response type', null); return false; } if ($response_type == self::RESPONSE_TYPE_AUTHORIZATION_CODE) { if (!isset($this->responseTypes['code'])) { $response->setRedirect(302, $redirect_uri, $state, 'unsupported_response_type', 'authorization code grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'authorization_code')) { $response->setRedirect(302, $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } if ($this->responseTypes['code']->enforceRedirect() && !$redirect_uri) { $response->setError(400, 'redirect_uri_mismatch', 'The redirect URI is mandatory and was not supplied'); return false; } } if ($response_type == self::RESPONSE_TYPE_ACCESS_TOKEN) { if (!$this->config['allow_implicit']) { $response->setRedirect(302, $redirect_uri, $state, 'unsupported_response_type', 'implicit grant type not supported', null); return false; } if (!$this->clientStorage->checkRestrictedGrantType($client_id, 'implicit')) { $response->setRedirect(302, $redirect_uri, $state, 'unauthorized_client', 'The grant type is unauthorized for this client_id', null); return false; } } // Validate that the requested scope is supported if (false === $scope) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_client', 'This application requires you specify a scope parameter', null); return false; } if (!is_null($scope) && !$this->scopeUtil->scopeExists($scope, $client_id)) { $response->setRedirect(302, $redirect_uri, $state, 'invalid_scope', 'An unsupported scope was requested', null); return false; } // Validate state parameter exists (if configured to enforce this) if ($this->config['enforce_state'] && !$state) { $response->setRedirect(302, $redirect_uri, null, 'invalid_request', 'The state parameter is required'); return false; } // Return retrieved client details together with input return array_merge(array('scope' => $scope, 'state' => $state), $clientData, $request->getAllQueryParameters(), array('redirect_uri' => $redirect_uri)); }
public function getScopeFromRequest(OAuth2_RequestInterface $request) { // "scope" is valid if passed in either POST or QUERY return $request->request('scope', $request->query('scope')); }