/**
 * Issue a new access token for the refresh_token grant.
 *
 * The refresh token is looked up together with the client id, so a refresh
 * token can only be redeemed by the client it was issued to. A scope given on
 * the token request is honored only when it is a subset of the scope that was
 * originally authorized; otherwise the full authorized scope is granted.
 *
 * @param TokenRequest $tokenRequest the parsed token request
 * @param ClientData   $clientData   the client making the request
 *
 * @return array token response: access_token, expires_in, scope, token_type
 *
 * @throws BadRequestException "invalid_grant" when no approval matches the refresh_token
 */
public function handleRefreshToken(TokenRequest $tokenRequest, ClientData $clientData)
{
    $presentedRefreshToken = $tokenRequest->getRefreshToken();
    $requestedScopeValue = $tokenRequest->getScope();
    $clientId = $clientData->getId();

    $approval = $this->db->getApprovalByRefreshToken($clientId, $presentedRefreshToken);
    if (false === $approval) {
        throw new BadRequestException('invalid_grant', 'the refresh_token was not found');
    }

    // mint the new access token value before evaluating the scope
    $accessTokenValue = $this->io->getRandomHex();

    // default: the scope that was authorized when the approval was created
    $grantedScope = $approval['scope'];
    if (null !== $requestedScopeValue) {
        // the client asks for a specific scope; it is only honored when it
        // does not exceed the authorized scope (no privilege widening)
        $requestedScope = new Scope($requestedScopeValue);
        $authorizedScope = new Scope($approval['scope']);
        if ($requestedScope->hasOnlyScope($authorizedScope)) {
            $grantedScope = $requestedScope->toString();
        }
    }

    $token = array(
        'access_token' => $accessTokenValue,
        'expires_in' => $this->accessTokenExpiry,
        'scope' => $grantedScope,
        'token_type' => 'bearer',
    );

    $this->db->storeAccessToken(
        $token['access_token'],
        $this->io->getTime(),
        $clientId,
        $approval['resource_owner_id'],
        $token['scope'],
        $token['expires_in']
    );

    return $token;
}
/**
 * Record that the resource owner approved the client for the given scope.
 *
 * A refresh_token is only minted on the first approval and only for clients
 * of type "code"; an already existing approval keeps its refresh_token and
 * only gets its scope updated.
 *
 * @param ClientData $clientData the client being approved
 * @param mixed      $userId     identifier of the approving resource owner (passed through to storage)
 * @param mixed      $scope      the approved scope (passed through to storage)
 */
private function addApproval(ClientData $clientData, $userId, $scope)
{
    $clientId = $clientData->getId();
    $existingApproval = $this->storage->getApprovalByResourceOwnerId($clientId, $userId);

    if (false !== $existingApproval) {
        // keep the existing refresh_token; only the scope may change
        $this->storage->updateApproval($clientId, $userId, $scope);

        return;
    }

    // first approval for this client/user pair: only "code" clients receive
    // a refresh_token, every other client type gets none
    $refreshToken = null;
    if ('code' === $clientData->getType()) {
        $refreshToken = $this->io->getRandomHex();
    }
    $this->storage->addApproval($clientId, $userId, $scope, $refreshToken);
}
/**
 * Introspect an access token and report whether it is currently active.
 *
 * An unknown token and an expired token both produce {"active": false}, so a
 * caller cannot tell the two cases apart. The response is marked as
 * non-cacheable because it describes the state of a credential.
 *
 * @param Request     $request    the incoming HTTP request; its host is reported as "iss"
 * @param string|null $tokenValue the token to introspect, null when the parameter is absent
 *
 * @return JsonResponse
 *
 * @throws BadRequestException "invalid_token" when the token parameter is missing
 */
public function getTokenIntrospection(Request $request, $tokenValue)
{
    if (null === $tokenValue) {
        throw new BadRequestException('invalid_token', 'the token parameter is missing');
    }

    // FIXME: validate token format
    $accessToken = $this->db->getAccessToken($tokenValue);

    // unknown and expired tokens are both reported as inactive
    $tokenInfo = array('active' => false);
    if (false !== $accessToken) {
        $expiresAt = $accessToken['issue_time'] + $accessToken['expires_in'];
        if ($this->io->getTime() <= $expiresAt) {
            // NOTE(review): "iss" is taken from the Host of this request;
            // presumably the deployment pins the Host header — confirm
            $tokenInfo = array(
                'active' => true,
                'exp' => intval($expiresAt),
                'iat' => intval($accessToken['issue_time']),
                'scope' => $accessToken['scope'],
                'iss' => $request->getUrl()->getHost(),
                'client_id' => $accessToken['client_id'],
                'sub' => $accessToken['resource_owner_id'],
                'user_id' => $accessToken['resource_owner_id'],
                'token_type' => 'bearer',
            );
            // as long as we have no RS registration we cannot set the audience...
            // $tokenInfo['aud'] => 'foo';
        }
    }

    $response = new JsonResponse();
    // never let intermediaries cache the introspection result
    $response->setHeaders(array(
        'Cache-Control' => 'no-store',
        'Pragma' => 'no-cache',
    ));
    $response->setBody($tokenInfo);

    return $response;
}