function it_matches_against_request(IRequest $request1, IRequest $request2) { $request1->request('grant_type')->willReturn('client_credentials')->shouldBeCalled(); $this->match($request1)->shouldReturn(true); $request2->request('grant_type')->willReturn('pom')->shouldBeCalled(); $this->match($request2)->shouldReturn(false); }
/** * Does grant type match given request? * * @param IRequest $request * * @return bool */ public function match(IRequest $request) { if ($request->isMethod('GET')) { return $request->query('response_type') === 'token'; } return false; }
function it_issues_access_token_using_grant_type_of_given_request(IRequest $request, IGrantTypeResolver $grantTypeResolver, IGrantType $grantType, IAccessToken $accessToken) { $request->isMethod('post')->willReturn(true)->shouldBeCalled(); $grantTypeResolver->resolve($request)->willReturn($grantType)->shouldBeCalled(); $grantType->grant($request)->willReturn($accessToken)->shouldBeCalled(); $this->issueToken($request)->shouldReturnAnInstanceOf('OAuth2\\Storage\\IAccessToken'); }
/** * Grants access token for request * * @param IRequest $request * * @throws \OAuth2\Exception\InvalidGrantException * @throws \OAuth2\Exception\MissingParameterException * @throws \OAuth2\Exception\UnauthorizedClientException * @return IAccessToken */ public function grant(IRequest $request) { if (!($refreshTokenIdentifier = $request->request('refresh_token'))) { throw new MissingParameterException("Parameter 'refresh_token' is missing."); } if (!($refreshToken = $this->refreshTokenStorage->get($refreshTokenIdentifier))) { throw new InvalidGrantException('Invalid refresh token.'); } $client = $this->clientAuthenticator->authenticate($request); // are clients same? if ($client->getId() !== $refreshToken->getClient()->getId()) { throw new InvalidGrantException('Invalid refresh token.'); } // is client allowed to use this grant type? if (!$client->isAllowedToUse($this)) { throw new UnauthorizedClientException('Client can not use this grant type.'); } $expiresAt = $refreshToken->getExpiresAt(); if ($expiresAt instanceof \DateTime) { $expiresAt = $expiresAt->getTimestamp(); } // is refresh token expired? if ($expiresAt < time()) { throw new InvalidGrantException('Refresh token has expired.'); } // intersection of refresh token and requested scopes $scopes = $this->scopeResolver->intersect($request->request('scope'), $refreshToken->getScopes()); return $this->accessTokenStorage->generate($refreshToken->getUser(), $refreshToken->getClient(), $scopes); }
/** * Grants access token for request * * @param IRequest $request * * @throws \OAuth2\Exception\InvalidGrantException * @throws \OAuth2\Exception\InvalidRequestException * @throws \OAuth2\Exception\InvalidScopeException * @throws \OAuth2\Exception\UnauthorizedClientException * @return IAccessToken */ public function grant(IRequest $request) { $username = $request->request('username'); $password = $request->request('password'); if (empty($username) || empty($password)) { throw new InvalidRequestException('Username and password are required.'); } $client = $this->clientAuthenticator->authenticate($request); if (!$client->isAllowedToUse($this)) { throw new UnauthorizedClientException('Client can not use this grant type.'); } $user = $this->userAuthenticator->authenticate($username, $password); if (!$user) { throw new InvalidUserCredentialsException('Invalid user credentials.'); } $requestedScopes = $request->request('scope'); $availableScopes = $user->getScopes(); if (empty($availableScopes)) { $availableScopes = $this->scopeResolver->getDefaultScopes(); } if (empty($availableScopes)) { throw new InvalidScopeException('Scope parameter has to be specified.'); } // intersection of requested and user scopes $scopes = $this->scopeResolver->intersect($requestedScopes, $availableScopes); return $this->accessTokenStorage->generate($user, $client, $scopes); }
/** * Issues access token using grant type from current request * * @param IRequest $request * * @return \OAuth2\Storage\IAccessToken * @throws \OAuth2\Exception\InvalidHttpMethodException */ public function issueToken(IRequest $request) { if (!$request->isMethod('post')) { throw new InvalidHttpMethodException(); } $grantType = $this->grantTypeResolver->resolve($request); return $grantType->grant($request); }
function it_should_return_access_token_from_token_in_uri_query_parameter(IRequest $request) { $request->headers('authorization')->willReturn(null); $request->request('access_token')->willReturn(null); $request->query('access_token')->willReturn('pom'); $this->match($request)->shouldReturn(true); $this->getAccessToken()->shouldReturn('pom'); }
function it_throws_exception_if_client_secret_is_provided_for_public_client(IRequest $request, IClientStorage $clientStorage, IClient $client) { $request->request('client_id')->willReturn('public')->shouldBeCalled(); $request->request('client_secret')->willReturn('secret')->shouldBeCalled(); $clientStorage->get('public')->willReturn($client)->shouldBeCalled(); $client->getSecret()->willReturn(null)->shouldBeCalled(); $this->shouldThrow(new InvalidClientException('Invalid client credentials.'))->during('authenticate', [$request]); }
/** * Authenticates client and returns it * * @param IRequest $request * * @return IClient * @throws InvalidClientException */ public function authenticate(IRequest $request) { $id = $request->request('client_id'); $secret = $request->request('client_secret'); if (!$id) { throw new InvalidClientException('Client id is missing.'); } if (!($client = $this->clientStorage->get($id))) { throw new InvalidClientException('Invalid client credentials.'); } if ((string) $secret !== (string) $client->getSecret()) { throw new InvalidClientException('Invalid client credentials.'); } return $client; }
/** * Grants access token for request * * @param IRequest $request * * @throws \OAuth2\Exception\InvalidGrantException * @throws \OAuth2\Exception\InvalidRequestException * @throws \OAuth2\Exception\UnauthorizedClientException * @return IAccessToken */ public function grant(IRequest $request) { $code = $request->request('code'); if (empty($code)) { throw new InvalidRequestException("Parameter 'code' is missing."); } $client = $this->clientAuthenticator->authenticate($request); if (!$client->isAllowedToUse($this)) { throw new UnauthorizedClientException('Client can not use this grant type.'); } $authorizationCode = $this->authorizationCodeStorage->get($code); if (!$authorizationCode) { throw new InvalidGrantException('Authorization code is invalid.'); } if ($authorizationCode->getExpiresAt() < time()) { throw new InvalidGrantException('Authorization code has expired.'); } if ($client->getId() !== $authorizationCode->getClient()->getId()) { throw new InvalidGrantException('Authorization code is invalid.'); } $redirectUri = $request->request('redirect_uri'); $codeRedirectUri = $authorizationCode->getRedirectUri(); if (!empty($redirectUri)) { if (empty($codeRedirectUri) || $redirectUri !== $codeRedirectUri) { throw new InvalidRequestException('Redirect URI is missing, was not used in authorization or is invalid.'); } } else { if (!empty($codeRedirectUri)) { throw new InvalidRequestException('Redirect URI is missing, was not used in authorization or is invalid.'); } } return $this->accessTokenStorage->generate($authorizationCode->getUser(), $authorizationCode->getClient(), $authorizationCode->getScopes()); }
function it_issues_an_access_token(IRequest $request, IRefreshToken $refreshToken, IRefreshTokenStorage $refreshTokenStorage, IAccessTokenStorage $accessTokenStorage, IAccessToken $accessToken, IUser $user, IClient $client, IScope $scope1, IScope $scope2, IScopeResolver $scopeResolver, IClientAuthenticator $clientAuthenticator) { $scopes = [$scope1, $scope2]; $request->request('refresh_token')->willReturn('pom')->shouldBeCalled(); $refreshTokenStorage->get('pom')->willReturn($refreshToken)->shouldBeCalled(); $refreshToken->getClient()->willReturn($client)->shouldBeCalled(); $clientAuthenticator->authenticate($request)->willReturn($client)->shouldBeCalled(); $client->getId()->willReturn('test')->shouldBeCalled(); $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled(); $refreshToken->getExpiresAt()->willReturn(time() + 100)->shouldBeCalled(); $refreshToken->getScopes()->willReturn($scopes)->shouldBeCalled(); $request->request('scope')->willReturn(null)->shouldBeCalled(); $scopeResolver->intersect(null, $scopes)->willReturn($scopes)->shouldBeCalled(); $refreshToken->getUser()->willReturn($user)->shouldBeCalled(); $accessTokenStorage->generate($user, $client, $scopes)->willReturn($accessToken)->shouldBeCalled(); $this->grant($request)->shouldReturnAnInstanceOf('OAuth2\\Storage\\IAccessToken'); }
/** * Matches token type against request and returns if it matches * * @param IRequest $request * * @throws \OAuth2\Exception\InvalidContentTypeException * @throws \OAuth2\Exception\InvalidHttpMethodException * @throws \OAuth2\Exception\MalformedTokenException * @return boolean */ public function match(IRequest $request) { // first check request for authorization header $header = $request->headers('authorization'); if ($header) { if (!preg_match('~Bearer\\s(\\S+)~', $header, $matches)) { throw new MalformedTokenException(); } $this->identifier = $matches[1]; return true; } // if is POST check for request (POST BODY) parameters if ($accessToken = $request->request('access_token')) { if (!($request->isMethod('post') || $request->isMethod('put'))) { throw new InvalidHttpMethodException(); } $contentType = $request->headers('content_type'); if (!$contentType || strpos($contentType, 'application/x-www-form-urlencoded') !== 0) { throw new InvalidContentTypeException(); } $this->identifier = $accessToken; return true; } // check query for access token if ($accessToken = $request->query('access_token')) { $this->identifier = $accessToken; return true; } return false; }
/** * Authenticates client and returns it * * @param IRequest $request * * @return IClient * @throws InvalidClientException */ public function authenticate(IRequest $request) { $id = $request->headers('PHP_AUTH_USER'); $secret = $request->headers('PHP_AUTH_PW'); if (!$id) { throw new InvalidClientException('Client id is missing.'); } // find client or throw exception if does not exist if (!($client = $this->clientStorage->get($id))) { throw new InvalidClientException('Invalid client credentials.'); } // if client is confidential and secrets does not match // or if client is public (does not have secret key) and credentials contains secret // throw exception if ((string) $secret !== (string) $client->getSecret()) { throw new InvalidClientException('Invalid client credentials.'); } return $client; }
/** * Parses authorization request * * @param IRequest $request * * @param IUser $user * * @throws \OAuth2\Exception\InvalidClientException * @throws \OAuth2\Exception\InvalidRequestException * @throws \OAuth2\Exception\InvalidScopeException * @throws \OAuth2\Exception\UnauthorizedClientException * @return array * */ protected function parseAuthorizationRequest(IRequest $request, IUser $user) { $clientId = $request->query('client_id'); if (!$clientId) { throw new InvalidRequestException('Client id is missing.'); } $client = $this->clientStorage->get($clientId); if (!$client) { throw new InvalidClientException('Invalid client.'); } if (!$client->isAllowedToUse($this)) { throw new UnauthorizedClientException('Client can not use this grant type.'); } $redirectUri = $request->query('redirect_uri'); $clientRedirectUri = $client->getRedirectUri(); if ($redirectUri) { $parsedUrl = parse_url($redirectUri); if ($parsedUrl === false || isset($parsedUrl['fragment'])) { throw new InvalidRequestException('Redirect URI is invalid.'); } if (!$this->compareUris($redirectUri, $clientRedirectUri)) { throw new InvalidRequestException('Redirect URI does not match.'); } } else { // use registered redirect uri or throw exception if (!$clientRedirectUri) { throw new InvalidRequestException('Redirect URI was not supplied or registered.'); } $redirectUri = $clientRedirectUri; } $requestedScopes = $request->query('scope'); $availableScopes = $user->getScopes(); if (!$availableScopes) { $availableScopes = $this->scopeResolver->getDefaultScopes(); } if (empty($availableScopes)) { throw new InvalidScopeException('Scope parameter has to be specified.'); } $scopes = $this->scopeResolver->intersect($requestedScopes, $availableScopes); return ['client' => $client, 'redirect_uri' => $redirectUri, 'state' => $request->query('state'), 'scopes' => $scopes]; }
function it_issues_an_access_token_using_default_scopes(IRequest $request, IClientAuthenticator $clientAuthenticator, IUserAuthenticator $userAuthenticator, IScopeResolver $scopeResolver, IUser $user, IClient $client, IScope $scope, IAccessTokenStorage $accessTokenStorage, IAccessToken $accessToken) { $request->request('username')->willReturn('root')->shouldBeCalled(); $request->request('password')->willReturn('p')->shouldBeCalled(); $clientAuthenticator->authenticate($request)->willReturn($client)->shouldBeCalled(); $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled(); $userAuthenticator->authenticate('root', 'p')->willReturn($user)->shouldBeCalled(); $request->request('scope')->willReturn(null)->shouldBeCalled(); $user->getScopes()->willReturn([])->shouldBeCalled(); $scopeResolver->getDefaultScopes()->willReturn([$scope])->shouldBeCalled(); $scopeResolver->intersect(null, [$scope])->willReturn([$scope])->shouldBeCalled(); $accessTokenStorage->generate($user, $client, [$scope])->willReturn($accessToken)->shouldBeCalled(); $this->grant($request)->shouldReturn($accessToken); }
function it_should_issue_access_token_and_return_implicit_authorization_session(IAccessTokenStorage $accessTokenStorage, IScopeResolver $scopeResolver, IClientStorage $clientStorage, IClient $client, IRequest $request, ITokenType $tokenType, IUser $user, IAccessToken $accessToken, IScope $scope) { $request->query('client_id')->willReturn('test')->shouldBeCalled(); $clientStorage->get('test')->willReturn($client)->shouldBeCalled(); $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled(); $request->query('redirect_uri')->willReturn('http://google.com')->shouldBeCalled(); $client->getRedirectUri()->willReturn('http://google.com')->shouldBeCalled(); $request->query('scope')->willReturn('scope1')->shouldBeCalled(); $user->getScopes()->willReturn([])->shouldBeCalled(); $scopeResolver->getDefaultScopes()->willReturn([$scope])->shouldBeCalled(); $scopeResolver->intersect('scope1', [$scope])->willReturn([$scope])->shouldBeCalled(); $request->query('state')->willReturn(null)->shouldBeCalled(); $accessTokenStorage->generate($user, $client, [$scope])->willReturn($accessToken)->shouldBeCalled(); $tokenType->getName()->willReturn('Bearer')->shouldBeCalled(); $this->authorize($request, $user)->shouldReturnAnInstanceOf('OAuth2\\Security\\ImplicitSession'); }
function it_issues_an_access_token(IRequest $request, IClientAuthenticator $clientAuthenticator, IAuthorizationCodeStorage $authorizationCodeStorage, IAuthorizationCode $authorizationCode, IAccessTokenStorage $accessTokenStorage, IAccessToken $accessToken, IUser $user, IClient $client, IScope $scope) { $request->request('code')->willReturn('a')->shouldBeCalled(); $clientAuthenticator->authenticate($request)->willReturn($client)->shouldBeCalled(); $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled(); $authorizationCodeStorage->get('a')->willReturn($authorizationCode)->shouldBeCalled(); $authorizationCode->getExpiresAt()->willReturn(time() + 100)->shouldBeCalled(); $client->getId()->willReturn('id')->shouldBeCalled(); $authorizationCode->getClient()->willReturn($client)->shouldBeCalled(); $request->request('redirect_uri')->willReturn(null)->shouldBeCalled(); $authorizationCode->getRedirectUri()->willReturn(null)->shouldBeCalled(); $authorizationCode->getScopes()->willReturn([$scope])->shouldBeCalled(); $authorizationCode->getUser()->willReturn($user)->shouldBeCalled(); $authorizationCode->getClient()->willReturn($client)->shouldBeCalled(); $accessTokenStorage->generate($user, $client, [$scope])->willReturn($accessToken)->shouldBeCalled(); $this->grant($request)->shouldReturn($accessToken); }
/** * Does grant type match given request? * * @param IRequest $request * * @return bool */ public function match(IRequest $request) { return $request->request('grant_type') === 'client_credentials'; }