/** * {@inheritdoc} */ public function prepareAuthorization(AuthorizationInterface $authorization) { $token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams()); $token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getRedirectUri()]); $authorization->setData('access_token', $token); return $token->toArray(); }
/** * {@inheritdoc} */ public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization) { // Whatever the prompt is, if the max_age constraint is not satisfied, the user is redirected to the login page if ($authorization->hasQueryParam('max_age') && time() - $user_account->getLastLoginAt() > $authorization->getQueryParam('max_age')) { throw new RedirectToLoginPageException($authorization); } }
/** * {@inheritdoc} */ protected function calculateSessionState(ServerRequestInterface $request, AuthorizationInterface $authorization, $browser_state) { $origin = $this->getOriginUri($authorization->getRedirectUri()); $salt = Base64Url::encode(random_bytes(16)); $hash = hash('sha256', sprintf('%s%s%s%s', $authorization->getClient()->getPublicId(), $origin, $browser_state, $salt)); return sprintf('%s.%s', $hash, $salt); }
/** * {@inheritdoc} */ public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization) { if (!$authorization->hasScope('openid')) { return; } $browser_state = $this->getBrowserState($request); if (null === $browser_state) { $browser_state = $this->generateBrowserState(); $this->saveBrowserState($response, $browser_state); } $session_state = $this->calculateSessionState($request, $authorization, $browser_state); $response_parameters['session_state'] = $session_state; }
/** * {@inheritdoc} */ public function processUserAccount(ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization, UserAccountInterface &$user_account = null) { // The query parameter 'id_token_hint' and the Id Token Manager are set if ($authorization->hasQueryParam('id_token_hint') && null !== $this->getIdTokenManager()) { try { $id_token_hint = $this->getIdTokenManager()->loadIdToken($authorization->getQueryParam('id_token_hint')); Assertion::true($id_token_hint->hasClaim('sub'), 'Invalid "id_token_hint" parameter.'); $public_id = $this->getIdTokenManager()->getPublicIdFromSubjectIdentifier($id_token_hint->getClaim('sub')); Assertion::notNull($public_id, 'Invalid "id_token_hint" parameter.'); if (null === $user_account) { $user_account = $this->getUserAccountManager()->getUserAccountByPublicId($public_id); } else { if ($user_account->getPublicId() !== $public_id) { throw new RedirectToLoginPageException($authorization); } } } catch (\InvalidArgumentException $e) { throw new CreateRedirectionException($authorization, ExceptionManagerInterface::BAD_REQUEST, $e->getMessage()); } } }
/** * @param \Symfony\Component\Form\FormInterface $form * @param \Psr\Http\Message\ServerRequestInterface $request * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * @param \SpomkyLabs\OAuth2ServerBundle\Plugin\AuthorizationEndpointPlugin\Form\Model\AuthorizationModel $authorization_model * * @return bool */ public function handle(FormInterface $form, ServerRequestInterface $request, AuthorizationInterface $authorization, AuthorizationModel $authorization_model) { if ('POST' !== $request->getMethod()) { return false; } $httpFoundationFactory = new HttpFoundationFactory(); $symfony_request = $httpFoundationFactory->createRequest($request); $form->submit($symfony_request->get($form->getName())); if (!$form->isValid()) { return false; } $button = $form->get('accept'); if (!$button instanceof ClickableInterface) { throw new InvalidArgumentException('Unable to find the button named "accept".'); } $authorization->setAuthorized($button->isClicked()); $refused_scopes = array_diff($authorization->getScopes(), $authorization_model->getScopes()); foreach ($refused_scopes as $refused_scope) { $authorization->removeScope($refused_scope); } return true; }
/** * {@inheritdoc} */ public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization) { if ($authorization->hasPrompt('login') && !$is_fully_authenticated) { throw new RedirectToLoginPageException($authorization); } }
/** * {@inheritdoc} */ public function prepareAuthorization(AuthorizationInterface $authorization) { $token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams()); $token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getQueryParam('redirect_uri')]); $authorization->setData('access_token', $token); foreach ($this->listeners as $listener) { $listener->call($token); } return []; }
/** * {@inheritdoc} */ public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization) { if ($authorization->hasQueryParam('state')) { $response_parameters['state'] = $authorization->getQueryParam('state'); } }
/** * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * @param \Psr\Http\Message\ResponseInterface $response * @param string $error * @param string|null $error_description */ private function createRedirectionException(AuthorizationInterface $authorization, ResponseInterface &$response, $error, $error_description = null) { $params = ['response_mode' => $authorization->getResponseMode(), 'redirect_uri' => $authorization->getRedirectUri()]; if (true === $authorization->hasQueryParam('state')) { $params['state'] = $authorization->getQueryParam('state'); } $exception = $this->getExceptionManager()->getRedirectException($error, $error_description, $params); $exception->getHttpResponse($response); }
/** * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * * @return null|\OAuth2\Endpoint\Authorization\PreConfiguredAuthorization\PreConfiguredAuthorizationInterface */ private function findPreConfiguredAuthorization(AuthorizationInterface $authorization) { if (null !== $this->getPreConfiguredAuthorizationManager()) { return $this->getPreConfiguredAuthorizationManager()->findOnePreConfiguredAuthorization($authorization->getUserAccount()->getUserPublicId(), $authorization->getClient()->getPublicId(), $authorization->getScopes()); } }
/** * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * * @return null|string */ private function getUiLocale(AuthorizationInterface $authorization) { if (!method_exists($this->translator, 'getCatalogue') || !$authorization->hasQueryParam('ui_locales')) { return; } $ui_locales = explode(' ', $authorization->getQueryParam('ui_locales')); foreach ($ui_locales as $ui_locale) { $catalogue = $this->translator->getCatalogue($ui_locale); if (in_array('SpomkyLabsOAuth2Server', $catalogue->getDomains())) { return $ui_locale; } } }
/** * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * * @return array */ private function getIdTokenClaims(AuthorizationInterface $authorization) { if (!$authorization->hasQueryParam('claims')) { return []; } $requested_claims = $authorization->getQueryParam('claims'); if (true === array_key_exists('id_token', $requested_claims)) { return $requested_claims['id_token']; } return []; }
/** * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization * * @return bool */ private function isOfflineAccess(AuthorizationInterface $authorization) { // The scope offline_access is not requested if (!in_array('offline_access', $authorization->getScopes())) { return false; } // The scope offline_access is requested but prompt is not consent // The scope offline_access is ignored if (!$authorization->hasQueryParam('prompt') || !in_array('consent', $authorization->getQueryParam('prompt'))) { $authorization->removeScope('offline_access'); return false; } return true; }