/** * {@inheritDoc} */ public function createTokenResponse(Request $request, Client $client = null, TokenOwnerInterface $owner = null) { $token = $request->getPost('access_token'); $scope = $request->getPost('scope'); if (null === $token) { throw OAuth2Exception::invalidRequest('Missing parameter access_token'); } $owner = $this->getOwner($token); if (!$owner instanceof TokenOwnerInterface) { throw OAuth2Exception::accessDenied('Unable to load user from this token'); } /** * @var AccessToken $accessToken * @var null|RefreshToken $refreshToken * */ $accessToken = new AccessToken(); $refreshToken = null; // Generate token $this->populateToken($accessToken, $client, $owner, $scope); $accessToken = $this->accessTokenService->createToken($accessToken); // Before generating a refresh token, we must make sure the authorization server supports this grant if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) { $refreshToken = new RefreshToken(); $this->populateToken($refreshToken, $client, $owner, $scope); $refreshToken = $this->refreshTokenService->createToken($refreshToken); } return $this->prepareTokenResponse($accessToken, $refreshToken); }
/** * {@inheritDoc} */ public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface { $postParams = $request->getParsedBody(); $refreshToken = $postParams['refresh_token'] ?? null; if (null === $refreshToken) { throw OAuth2Exception::invalidRequest('Refresh token is missing'); } // We can fetch the actual token, and validate it /** @var RefreshToken $refreshToken */ $refreshToken = $this->refreshTokenService->getToken((string) $refreshToken); if (null === $refreshToken || $refreshToken->isExpired()) { throw OAuth2Exception::invalidGrant('Refresh token is expired'); } // We can now create a new access token! First, we need to make some checks on the asked scopes, // because according to the spec, a refresh token can create an access token with an equal or lesser // scope, but not more $scopes = $postParams['scope'] ?? $refreshToken->getScopes(); if (!$refreshToken->matchScopes($scopes)) { throw OAuth2Exception::invalidScope('The scope of the new access token exceeds the scope(s) of the refresh token'); } $owner = $refreshToken->getOwner(); $accessToken = $this->accessTokenService->createToken($owner, $client, $scopes); // We may want to revoke the old refresh token if ($this->serverOptions->getRotateRefreshTokens()) { if ($this->serverOptions->getRevokeRotatedRefreshTokens()) { $this->refreshTokenService->deleteToken($refreshToken); } $refreshToken = $this->refreshTokenService->createToken($owner, $client, $scopes); } // We can generate the response! return $this->prepareTokenResponse($accessToken, $refreshToken, true); }
/** * Constructor. * * @param array $options */ public function __construct($options) { $this->createUserCallable = function () { // By default if a new user tries to sign in, he is not allowed to sign in throw OAuth2Exception::accessDenied('You are not authorized to log in to the system.'); }; $this->setFromArray($options); }
/** * {@inheritdoc} */ protected function findProviderUserFromRequest(ServerRequestInterface $request, ProviderInterface $provider) { $postParams = $request->getParsedBody(); $tokenIdentifier = isset($postParams['token_identifier']) ? $postParams['token_identifier'] : null; $tokenSecret = isset($postParams['token_secret']) ? $postParams['token_secret'] : null; $tokenCredentials = new TokenCredentials(); $tokenCredentials->setIdentifier($tokenIdentifier); $tokenCredentials->setSecret($tokenSecret); /** @var \League\OAuth1\Client\Server\Server $providerClient */ $providerClient = $this->providerClients->get($provider->getName()); try { $user = $providerClient->getUserDetails($tokenCredentials); } catch (\Exception $e) { throw OAuth2Exception::invalidRequest('Token identifier and token secret are invalid'); } return new Oauth1User($user); }
/** * {@inheritdoc} */ protected function findProviderUserFromRequest(ServerRequestInterface $request, ProviderInterface $provider) { $postParams = $request->getParsedBody(); $providerAuthorizationCode = isset($postParams['provider_authorization_code']) ? $postParams['provider_authorization_code'] : null; $providerAccessToken = isset($postParams['provider_access_token']) ? $postParams['provider_access_token'] : null; /* @var \League\OAuth2\Client\Provider\ProviderInterface */ $providerClient = $this->providerClients->get($provider->getName()); if ($providerAuthorizationCode) { // Try to get an access token (using the authorization code grant) try { /** @var ProviderAccessToken $providerAccessToken*/ $providerAccessToken = $providerClient->getAccessToken('authorization_code', ['code' => $providerAuthorizationCode]); } catch (IDPException $e) { // @todo decide what is the best thing to do here??? throw OAuth2Exception::invalidRequest('Provider authorization code is invalid'); } } else { $providerAccessToken = new ProviderAccessToken(['access_token' => $providerAccessToken]); } /* @var \League\OAuth2\Client\Entity\User */ $userDetails = $providerClient->getUserDetails($providerAccessToken); return new Oauth2User($userDetails); }
public function createTokenResponse(Request $request, Client $client = null, TokenOwnerInterface $owner = null) { // TODO: Complete rewrite. This is just a temp method to allow token generation $owner = $this->userService->get($request->getPost('id')); $scope = 'foobar'; if (!$owner instanceof TokenOwnerInterface) { throw OAuth2Exception::accessDenied('access_denied'); } /** * @var AccessToken $accessToken * @var null|RefreshToken $refreshToken * */ $accessToken = new AccessToken(); $refreshToken = null; $this->populateToken($accessToken, $client, $owner, $scope); $accessToken = $this->accessTokenService->createToken($accessToken); // Before generating a refresh token, we must make sure the authorization server supports this grant if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) { $refreshToken = new RefreshToken(); $this->populateToken($refreshToken, $client, $owner, $scope); $refreshToken = $this->refreshTokenService->createToken($refreshToken); } return $this->prepareTokenResponse($accessToken, $refreshToken); }
/** * {@inheritDoc} */ public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) { $postParams = $request->getParsedBody(); $providerName = isset($postParams['provider']) ? $postParams['provider'] : null; $scope = isset($postParams['scope']) ? $postParams['scope'] : null; if ($providerName === null) { throw OAuth2Exception::invalidRequest('Provider name is missing.'); } $provider = $this->providerManager->findByName($providerName); if (!$provider || !$this->providerClients->has($providerName)) { throw OAuth2Exception::invalidRequest(sprintf('Provider %s is not supported', $providerName)); } $providerUser = $this->findProviderUserFromRequest($request, $provider); // access token is valid $userProvider = $this->userProviderManager->findByProviderUid($providerUser->getId(), $provider); if (!$userProvider) { // access token is valid but the user does not exists $createUserCallable = $this->options->getCreateUserCallable(); // by default, we expect the callable to return instance of "Hrevert\OauthClient\Model\UserProviderInterface" // because the developer may have extended the default implementation // Alternatively the callable may return user entity directly $userProvider = $createUserCallable($providerUser); if ($userProvider instanceof UserInterface) { $user = $userProvider; $userProvider = new UserProvider(); $userProvider->setUser($user); } $userProvider->setProviderUid($providerUser->getId()); $userProvider->setProvider($provider); $this->objectManager->persist($userProvider); $this->objectManager->flush(); } /** @var TokenOwnerInterface $owner */ $owner = $userProvider->getUser(); // Everything is okay, we can start tokens generation! $accessToken = new AccessToken(); $this->populateToken($accessToken, $client, $owner, $scope); /** @var AccessToken $accessToken */ $accessToken = $this->accessTokenService->createToken($accessToken); // Before generating a refresh token, we must make sure the authorization server supports this grant $refreshToken = null; if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) { $refreshToken = new RefreshToken(); $this->populateToken($refreshToken, $client, $owner, $scope); /** @var RefreshToken $refreshToken */ $refreshToken = $this->refreshTokenService->createToken($refreshToken); } return $this->prepareTokenResponse($accessToken, $refreshToken); }
/** * Validate the token scopes against the registered scope * * @param array $scopes * @return void * @throws OAuth2Exception */ protected function validateTokenScopes(array $scopes) { $registeredScopes = $this->scopeService->getAll(); foreach ($registeredScopes as &$registeredScope) { $registeredScope = is_string($registeredScope) ? $registeredScope : $registeredScope->getName(); } $diff = array_diff($scopes, $registeredScopes); if (count($diff) > 0) { throw OAuth2Exception::invalidScope(sprintf('Some scope(s) do not exist: %s', implode(', ', $diff))); } }
/** * @throws OAuth2Exception (invalid_request) */ public function createAuthorizationResponse(ServerRequestInterface $request, Client $client, TokenOwnerInterface $owner = null) : ResponseInterface { throw OAuth2Exception::invalidRequest('Client credentials grant does not support authorization'); }
/** * Create a response from the exception, using the format of the spec * * @link http://tools.ietf.org/html/rfc6749#section-5.2 */ private function createResponseFromOAuthException(OAuth2Exception $exception) : ResponseInterface { $payload = ['error' => $exception->getCode(), 'error_description' => $exception->getMessage()]; return new Response\JsonResponse($payload, 400); }
/** * {@inheritDoc} * @throws OAuth2Exception */ public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface { $postParams = $request->getParsedBody(); $code = $postParams['code'] ?? null; if (null === $code) { throw OAuth2Exception::invalidRequest('Could not find the authorization code in the request'); } /* @var \ZfrOAuth2\Server\Entity\AuthorizationCode $authorizationCode */ $authorizationCode = $this->authorizationCodeService->getToken($code); if (null === $authorizationCode || $authorizationCode->isExpired()) { throw OAuth2Exception::invalidGrant('Authorization code cannot be found or is expired'); } $clientId = $postParams['client_id'] ?? null; if ($authorizationCode->getClient()->getId() !== $clientId) { throw OAuth2Exception::invalidRequest('Authorization code\'s client does not match with the one that created the authorization code'); } // If owner is null, we reuse the same as the authorization code $owner = $owner ?: $authorizationCode->getOwner(); // Everything is okey, let's start the token generation! $scopes = $authorizationCode->getScopes(); // reuse the scopes from the authorization code $accessToken = new AccessToken(); $this->populateToken($accessToken, $client, $owner, $scopes); $accessToken = $this->accessTokenService->createToken($accessToken); // Before generating a refresh token, we must make sure the authorization server supports this grant $refreshToken = null; if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) { $refreshToken = new RefreshToken(); $this->populateToken($refreshToken, $client, $owner, $scopes); $refreshToken = $this->refreshTokenService->createToken($refreshToken); } return $this->prepareTokenResponse($accessToken, $refreshToken); }
/** * @throws OAuth2Exception */ public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface { $postParams = $request->getParsedBody(); // Validate the user using its username and password $username = $postParams['username'] ?? null; $password = $postParams['password'] ?? null; $scope = $postParams['scope'] ?? null; if (null === $username || null == $password) { throw OAuth2Exception::invalidRequest('Username and/or password is missing'); } $callback = $this->callback; $owner = $callback($username, $password); if (!$owner instanceof TokenOwnerInterface) { throw OAuth2Exception::accessDenied('Either username or password are incorrect'); } // Everything is okay, we can start tokens generation! $accessToken = $this->accessTokenService->createToken($owner, $client, $scope); // Before generating a refresh token, we must make sure the authorization server supports this grant $refreshToken = null; if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) { $refreshToken = $this->refreshTokenService->createToken($owner, $client, $scope); } return $this->prepareTokenResponse($accessToken, $refreshToken); }