/** * @param \OAuth2\Client\ClientInterface $client * * @throws \OAuth2\Exception\BadRequestExceptionInterface * * @return string[] */ private function getClientRequestUris(ClientInterface $client) { if (false === $client->has('request_uris') || empty($request_uris = $client->get('request_uris'))) { throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client must register at least one request Uri.'); } return $request_uris; }
/** * {@inheritdoc} */ private function getDefaultScopesForClient(ClientInterface $client) { return $client->has('default_scope') && null !== $client->get('default_scope') ? $client->get('default_scope') : $this->getDefaultScopes(); }
/** * @param array $claims * @param \OAuth2\Client\ClientInterface $client * * @return string */ private function signAndEncrypt($claims, ClientInterface $client) { $signature_key = $this->signature_key_set->getKey(0); Assertion::notNull($signature_key, 'Unable to find a key to sign the userinfo response. Please verify the selected key set contains suitable keys.'); $jwt = $this->getJWTCreator()->sign($claims, ['typ' => 'JWT', 'alg' => $this->signature_algorithm], $signature_key); if ($client->hasPublicKeySet() && $client->has('id_token_encrypted_response_alg') && $client->has('id_token_encrypted_response_enc')) { $key_set = $client->getPublicKeySet(); $key = $key_set->selectKey('enc'); if (null !== $key) { $jwt = $this->getJWTCreator()->encrypt($jwt, ['alg' => $client->get('id_token_encrypted_response_alg'), 'enc' => $client->get('id_token_encrypted_response_enc')], $key); } } return $jwt; }
private function checkRequestAndClient(ServerRequestInterface $request, ClientInterface $client) { Assertion::true($this->isRequestSecured($request), 'The request must be secured.'); Assertion::true($client->has('registration_access_token'), 'Invalid client.'); $values = []; $token = $this->bearer_token->findToken($request, $values); Assertion::notNull($token, 'Initial Access Token is missing or invalid.'); Assertion::eq($token, $client->get('registration_access_token'), 'Initial Access Token is missing or invalid.'); }
/** * {@inheritdoc} */ public function getScopePolicyForClient(ClientInterface $client) { if ($client->has('scope_policy') && null !== ($policy_name = $client->get('scope_policy'))) { return $this->getScopePolicy($policy_name); } return $this->getDefaultScopePolicy(); }
/** * Check if the redirect URIs stored by the client. * * @param \OAuth2\Client\ClientInterface $client * @param array $parameters * * @throws \InvalidArgumentException * * @return array * * @see http://tools.ietf.org/html/rfc6749#section-3.1.2.2 */ private function getClientRedirectUris(ClientInterface $client, array $parameters) { if (!$client->has('redirect_uris') || empty($redirect_uris = $client->get('redirect_uris'))) { $this->checkRedirectUriForAllClient(); $this->checkRedirectUriForNonConfidentialClient($client); $this->checkRedirectUriForConfidentialClient($client, $parameters); return []; } return $redirect_uris; }
/** * @param \OAuth2\Client\ClientInterface $client * * @return bool */ private function isClientAResourceServer(ClientInterface $client) { return $client->has('is_resource_server') && true === $client->get('is_resource_server'); }
/** * {@inheritdoc} */ public function introspectToken(TokenInterface $token, ClientInterface $client) { if (!$token instanceof AccessTokenInterface) { return []; } $result = ['active' => !$token->hasExpired(), 'client_id' => $token->getClientPublicId(), 'token_type' => $token->getTokenTypeParameter('token_type'), 'exp' => $token->getExpiresAt()]; // If the client is the subject, we add this information. // // The subject is not added if the client is not a resource owner. // The reason is that if the client received an ID Token, the subject may have been computed (pairwise) and // the subject returned here may be different. As per the OpenID Connect specification, the client must reject the token // if subject are different and we want to avoid this case. if ($client->getPublicId() === $token->getResourceOwnerPublicId()) { $result['sub'] = $token->getResourceOwnerPublicId(); } // If the client is a resource server, we return all the information stored in the access token including the metadata if ($client->has('is_resource_server') && true === $client->get('is_resource_server')) { $result['sub'] = $token->getResourceOwnerPublicId(); } if (!empty($token->getScope())) { $result['scp'] = $token->getScope(); } if ($token instanceof JWTAccessTokenInterface) { $result = array_merge($result, $this->getJWTInformation($token->getJWS())); } return $result; }
/** * @param \OAuth2\Client\ClientInterface $client * @param string $redirect_uri * * @return string */ private function getSectorIdentifierHost(ClientInterface $client, $redirect_uri) { $uri = $redirect_uri; if (true === $client->has('sector_identifier_uri')) { $uri = $client->get('sector_identifier_uri'); } $data = parse_url($uri); Assertion::true(is_array($data) && array_key_exists('host', $data), sprintf('Invalid Sector Identifier Uri "%s".', $uri)); return $data['host']; }