/**
* @param \OAuth2\Client\ClientInterface $client Client
*
* @return int
*/
protected function getLifetime(ClientInterface $client)
{
if ($client instanceof TokenLifetimeExtensionInterface && ($lifetime = $client->getTokenLifetime('refresh_token')) !== null) {
return $lifetime;
}
return $this->getConfiguration()->get('refresh_token_lifetime', 1209600);
}
/**
* {@inheritdoc}
*/
protected function getLifetime(ClientInterface $client)
{
$lifetime = $this->getConfiguration()->get('auth_code_lifetime', 30);
if ($client instanceof TokenLifetimeExtensionInterface && ($_lifetime = $client->getTokenLifetime('authcode')) !== null) {
return $_lifetime;
}
return $lifetime;
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
foreach (['software_id', 'software_version', 'software_statement'] as $key) {
if (array_key_exists($key, $registration_parameters)) {
$client->set($key, $registration_parameters[$key]);
}
}
}
/**
* @param \OAuth2\Client\ClientInterface $client Client
*
* @return int
*/
protected function getLifetime(ClientInterface $client)
{
$lifetime = $this->getAccessTokenLifetime();
if (is_int($_lifetime = $client->getTokenLifetime('access_token'))) {
return $_lifetime;
}
return $lifetime;
}
/**
* @param \OAuth2\Client\ClientInterface $client Client
*
* @return int
*/
protected function getLifetime(ClientInterface $client)
{
$lifetime = $this->getConfiguration()->get('access_token_lifetime', 3600);
if ($client instanceof TokenLifetimeExtensionInterface && is_int($_lifetime = $client->getTokenLifetime('access_token'))) {
return $_lifetime;
}
return $lifetime;
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
if (!array_key_exists('request_uris', $registration_parameters)) {
return;
}
Assertion::isArray($registration_parameters['request_uris'], 'The parameter "request_uris" must be a list of URI.');
Assertion::allUrl($registration_parameters['request_uris'], 'The parameter "request_uris" must be a list of URI.');
$client->set('request_uris', $registration_parameters['request_uris']);
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
if (!array_key_exists('sector_identifier_uri', $registration_parameters)) {
return;
}
Assertion::url($registration_parameters['sector_identifier_uri'], sprintf('The sector identifier URI "%s" is not valid.', $registration_parameters['sector_identifier_uri']));
$this->checkSectorIdentifierUri($registration_parameters['sector_identifier_uri']);
$client->set('sector_identifier_uri', $registration_parameters['sector_identifier_uri']);
}
/**
* {@inheritdoc}
*/
public function checkRefreshToken(RefreshTokenInterface $token, ClientInterface $client)
{
if ($client->getPublicId() !== $token->getClientPublicId()) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Invalid refresh token');
}
if ($token->hasExpired()) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Refresh token has expired');
}
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
$metadatas = [];
foreach ($this->getSupportedParameters() as $parameter => $closure) {
$metadatas = array_merge($metadatas, $this->getInternationalizedParameters($registration_parameters, $parameter, $closure));
}
foreach ($metadatas as $k => $v) {
$client->set($k, $v);
}
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if ($client->isPublic()) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a confidential client');
}
$issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setUserAccountPublicId(null);
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
if (!array_key_exists('id_token_encrypted_response_alg', $registration_parameters) || !array_key_exists('id_token_encrypted_response_enc', $registration_parameters)) {
return;
}
Assertion::string($registration_parameters['id_token_encrypted_response_alg'], 'Invalid parameter "id_token_encrypted_response_alg". The value must be a string.');
Assertion::string($registration_parameters['id_token_encrypted_response_enc'], 'Invalid parameter "id_token_encrypted_response_enc". The value must be a string.');
Assertion::inArray($registration_parameters['id_token_encrypted_response_alg'], $this->getIdTokenManager()->getSupportedKeyEncryptionAlgorithms(), sprintf('The ID Token content encryption algorithm "%s" is not supported. Please choose one of the following algorithm: %s', $registration_parameters['id_token_encrypted_response_alg'], json_encode($this->getIdTokenManager()->getSupportedContentEncryptionAlgorithms())));
Assertion::inArray($registration_parameters['id_token_encrypted_response_enc'], $this->getIdTokenManager()->getSupportedContentEncryptionAlgorithms(), sprintf('The ID Token key encryption algorithm "%s" is not supported. Please choose one of the following algorithm: %s', $registration_parameters['id_token_encrypted_response_enc'], json_encode($this->getIdTokenManager()->getSupportedKeyEncryptionAlgorithms())));
$client->set('id_token_encrypted_response_alg', $registration_parameters['id_token_encrypted_response_alg']);
$client->set('id_token_encrypted_response_enc', $registration_parameters['id_token_encrypted_response_enc']);
}
protected function addAuthCode($code, $expiresAt, ClientInterface $client, EndUserInterface $end_user, array $query_params, $redirectUri, array $scope = [], $issueRefreshToken = false)
{
$class = $this->getClass();
/*
* @var \SpomkyLabs\OAuth2ServerBundle\Plugin\AuthCodeGrantTypePlugin\Model\AuthCodeInterface
*/
$authcode = new $class();
$authcode->setRedirectUri($redirectUri)->setQueryParams($query_params)->setIssueRefreshToken($issueRefreshToken)->setToken($code)->setResourceOwnerPublicId($end_user->getPublicId())->setExpiresAt($expiresAt)->setClientPublicId($client->getPublicId())->setScope($scope);
$this->getEntityManager()->persist($authcode);
$this->getEntityManager()->flush();
return $authcode;
}
public function createUsedRefreshToken(ClientInterface $client, ResourceOwnerInterface $resource_owner, $refresh_token)
{
$class = $this->getClass();
$expired_date = (new \Datetime('now +1 year'))->format('U');
$token = new $class();
/*
* @var $token \OAuth2\Token\RefreshTokenInterface
*/
$token->setToken($refresh_token)->setExpiresAt($expired_date)->setResourceOwnerPublicId($resource_owner->getPublicId())->setClientPublicId($client->getPublicId())->setUsed(true);
$this->getEntityManager()->persist($token);
$this->getEntityManager()->flush();
return $token;
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
if (!array_key_exists('subject_type', $registration_parameters)) {
return;
}
Assertion::string($registration_parameters['subject_type'], 'Invalid parameter "subject_type". The value must be a string.');
$supported_types = ['public'];
if ($this->getUserinfo()->isPairwiseSubjectIdentifierSupported()) {
$supported_types[] = 'pairwise';
}
Assertion::inArray($registration_parameters['subject_type'], $supported_types, sprintf('The subject type "%s" is not supported. Please use one of the following value: %s', $registration_parameters['subject_type'], json_encode($supported_types)));
$client->set('subject_type', $registration_parameters['subject_type']);
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if (!$client instanceof ConfidentialClientInterface) {
throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_CLIENT, 'The client is not a confidential client');
}
$issue_refresh_token = $this->getConfiguration()->get('issue_refresh_token_with_client_credentials_grant_type', false);
$scope = RequestBody::getParameter($request, 'scope');
$grant_type_response->setRequestedScope($scope);
$grant_type_response->setAvailableScope(null);
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($scope);
$grant_type_response->setRefreshTokenRevoked(null);
}
/**
* {@inheritdoc}
*/
public function introspectToken(TokenInterface $token, ClientInterface $client)
{
if (!$token instanceof AccessTokenInterface) {
return [];
}
$result = ['active' => !$token->hasExpired(), 'client_id' => $token->getClientPublicId(), 'token_type' => $token->getTokenTypeParameter('token_type'), 'exp' => $token->getExpiresAt()];
// If the client is the subject, we add this information.
//
// The subject is not added if the client is not a resource owner.
// The reason is that if the client received an ID Token, the subject may have been computed (pairwise) and
// the subject returned here may be different. As per the OpenID Connect specification, the client must reject the token
// if subject are different and we want to avoid this case.
if ($client->getPublicId() === $token->getResourceOwnerPublicId()) {
$result['sub'] = $token->getResourceOwnerPublicId();
}
// If the client is a resource server, we return all the information stored in the access token including the metadata
if ($client->has('is_resource_server') && true === $client->get('is_resource_server')) {
$result['sub'] = $token->getResourceOwnerPublicId();
}
if (!empty($token->getScope())) {
$result['scp'] = $token->getScope();
}
if ($token instanceof JWTAccessTokenInterface) {
$result = array_merge($result, $this->getJWTInformation($token->getJWS()));
}
return $result;
}
/**
* {@inheritdoc}
*/
private function getLifetime(ClientInterface $client)
{
$lifetime = $this->getAuthorizationCodeLifetime();
if (is_int($_lifetime = $client->getTokenLifetime('authcode'))) {
return $_lifetime;
}
return $lifetime;
}
/**
* {@inheritdoc}
*/
public function check(ClientInterface $client, array $registration_parameters)
{
if (!$this->hasScopeManager()) {
return;
}
if (array_key_exists('scope', $registration_parameters)) {
Assertion::regex($registration_parameters['scope'], '/^[\\x20\\x23-\\x5B\\x5D-\\x7E]+$/', 'Invalid characters found in the "scope" parameter.');
$client->set('scope', $registration_parameters['scope']);
}
if (array_key_exists('scope_policy', $registration_parameters)) {
Assertion::inArray($registration_parameters['scope_policy'], $this->getScopeManager()->getSupportedScopePolicies(), sprintf('The scope policy "%s" is not supported. Please choose one of the following policy: "%s".', $registration_parameters['scope_policy'], json_encode($this->getScopeManager()->getSupportedScopePolicies())));
$client->set('scope_policy', $registration_parameters['scope_policy']);
}
/*
* Should be handled by the scope policy itself
*/
if (array_key_exists('default_scope', $registration_parameters)) {
Assertion::regex($registration_parameters['default_scope'], '/^[\\x20\\x23-\\x5B\\x5D-\\x7E]+$/', 'Invalid characters found in the "default_scope" parameter.');
$client->set('default_scope', $registration_parameters['default_scope']);
}
}
protected function addAccessToken($token, $expiresAt, ClientInterface $client, ResourceOwnerInterface $resourceOwner, array $scope = [], BaseRefreshTokenInterface $refresh_token = null)
{
if (null !== $this->event_dispatcher) {
$this->event_dispatcher->dispatch(Events::OAUTH2_PRE_ACCESS_TOKEN_CREATION, new PreAccessTokenCreationEvent($client, $scope, $resourceOwner, $refresh_token));
}
$class = $this->getClass();
/*
* @var \SpomkyLabs\OAuth2ServerBundle\Plugin\SimpleStringAccessTokenPlugin\Model\SimpleStringAccessTokenInterface
*/
$access_token = new $class();
$access_token->setToken($token)->setExpiresAt($expiresAt)->setClientPublicId($client->getPublicId())->setScope($scope);
if (null !== $resourceOwner) {
$access_token->setResourceOwnerPublicId($resourceOwner->getPublicId());
}
if (null !== $refresh_token) {
$access_token->setRefreshToken($refresh_token->getToken());
}
$this->getEntityManager()->persist($access_token);
$this->getEntityManager()->flush();
if (null !== $this->event_dispatcher) {
$this->event_dispatcher->dispatch(Events::OAUTH2_POST_ACCESS_TOKEN_CREATION, new PostAccessTokenCreationEvent($access_token));
}
return $access_token;
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param array $registration_parameters
*/
private function checkResponseTypes(ClientInterface $client, array $registration_parameters)
{
Assertion::isArray($registration_parameters['response_types'], 'The parameter "response_types" must be an array of strings.');
Assertion::allString($registration_parameters['response_types'], 'The parameter "grant_types" must be an array of strings.');
foreach ($registration_parameters['response_types'] as $response_type) {
$types = $this->getResponseTypeManager()->getResponseTypes($response_type);
if (!in_array($response_type, $client->get('response_types'))) {
$response_types = $client->get('response_types');
$response_types[] = $response_type;
$client->set('response_types', $response_types);
}
foreach ($types as $type) {
$associated_grant_types = $type->getAssociatedGrantTypes();
$diff = array_diff($associated_grant_types, $registration_parameters['grant_types']);
Assertion::true(empty($diff), sprintf('The response type "%s" is associated with the grant types "%s" but this response type is missing.', $type->getResponseType(), json_encode($diff)));
$client->set('grant_types', array_unique(array_merge($client->get('grant_types'), $associated_grant_types)));
}
}
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param array $params
*
* @throws \OAuth2\Exception\BadRequestExceptionInterface
*/
private function checkResponseTypeAllowedForTheClient(ClientInterface $client, array $params)
{
if (!$client->isResponseTypeAllowed($params['response_type'])) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_UNAUTHORIZED_CLIENT, 'The response type "' . $params['response_type'] . '" is unauthorized for this client.');
}
}
/**
* {@inheritdoc}
*/
private function getDefaultScopesForClient(ClientInterface $client)
{
return $client->has('default_scope') && null !== $client->get('default_scope') ? $client->get('default_scope') : $this->getDefaultScopes();
}
/**
* {@inheritdoc}
*/
public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
{
if (false === $client->hasPublicKeySet()) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a client with signature capabilities.');
}
$jwt = $grant_type_response->getAdditionalData('jwt');
try {
$this->getJWTLoader()->verify($jwt, $client->getPublicKeySet());
} catch (\Exception $e) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_REQUEST, $e->getMessage());
}
$issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
$grant_type_response->setResourceOwnerPublicId($client->getPublicId());
$grant_type_response->setUserAccountPublicId(null);
$grant_type_response->setRefreshTokenIssued($issue_refresh_token);
$grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
}
/**
* @param \Psr\Http\Message\ServerRequestInterface $request
* @param \Psr\Http\Message\ResponseInterface $response
* @param \OAuth2\Client\ClientInterface $client
*/
private function handlePut(ServerRequestInterface $request, ResponseInterface &$response, ClientInterface $client)
{
$request_parameters = RequestBody::getParameters($request);
$this->checkPreservedParameters($request_parameters);
$this->checkSoftwareStatement($request_parameters);
$client_data = $client->all();
foreach (['registration_access_token', 'registration_client_uri', 'client_secret_expires_at', 'client_id_issued_at'] as $k) {
if (array_key_exists($k, $client_data)) {
unset($client_data[$k]);
}
}
$diff_data = array_diff_key($client_data, $request_parameters);
Assertion::true(empty($diff_data), 'The request must include all client metadata fields.');
Assertion::eq($request_parameters['client_id'], $client->getPublicId(), 'Inconsistent "client_id" parameter.');
unset($request_parameters['client_id']);
$request_parameters = array_merge($request_parameters, ['registration_access_token' => null, 'registration_client_uri' => null, 'client_secret_expires_at' => null]);
foreach ($request_parameters as $k => $v) {
if (empty($v)) {
$client->remove($k);
unset($request_parameters[$k]);
}
}
$this->getClientRuleManager()->processParametersForClient($client, $request_parameters);
$this->getClientManager()->saveClient($client);
$this->processResponseWithClient($response, $client);
}
/**
* @param \OAuth2\Token\AccessTokenInterface|\OAuth2\Token\RefreshTokenInterface $token
* @param \OAuth2\Client\ClientInterface|null $client
*
* @return bool
*/
private function isClientVerified($token, ClientInterface $client = null)
{
if (null !== $client) {
// The client ID of the token is the same as client authenticated
return $token->getClientPublicId() === $client->getPublicId();
} else {
// We try to get the client
$client = $this->getClientManagerSupervisor()->getClient($token->getClientPublicId());
// Return false if the client is a confidential client (confidential client must be authenticated)
return !$client instanceof ConfidentialClientInterface;
}
}
/**
* @param \OAuth2\Client\ClientInterface $client
*
* @return bool
*/
private function issueRefreshToken(ClientInterface $client)
{
if (!$this->isRefreshTokenIssuanceAllowed()) {
return false;
}
if (true === $client->isPublic()) {
return $this->isRefreshTokenIssuanceForPublicClientsAllowed();
}
return true;
}
/**
* @param \OAuth2\Client\ClientInterface $client
*
* @throws \OAuth2\Exception\BadRequestExceptionInterface
*
* @return string[]
*/
private function getClientRequestUris(ClientInterface $client)
{
if (false === $client->has('request_uris') || empty($request_uris = $client->get('request_uris'))) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client must register at least one request Uri.');
}
return $request_uris;
}
/**
* @param \OAuth2\Client\ClientInterface $client Client
*
* @return int
*/
private function getLifetime(ClientInterface $client)
{
$lifetime = $this->getIdTokenLifetime();
if (is_int($_lifetime = $client->getTokenLifetime('id_token'))) {
return $_lifetime;
}
return $lifetime;
}
/**
* @param \OAuth2\Client\ClientInterface $client
* @param string $grant_type
*
* @throws \OAuth2\Exception\BaseExceptionInterface
*/
private function checkGrantType(ClientInterface $client, $grant_type)
{
if (!$client->isGrantTypeAllowed($grant_type)) {
throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_UNAUTHORIZED_CLIENT, sprintf('The grant type "%s" is unauthorized for this client.', $grant_type));
}
}
/**
* @param \OAuth2\Client\ClientInterface $client Client
*
* @return int
*/
private function getLifetime(ClientInterface $client)
{
if (is_int($lifetime = $client->getTokenLifetime('refresh_token'))) {
return $lifetime;
}
return $this->getRefreshTokenLifetime();
}