/**
* {@inheritDoc}
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
$postParams = $request->getParsedBody();
$refreshToken = $postParams['refresh_token'] ?? null;
if (null === $refreshToken) {
throw OAuth2Exception::invalidRequest('Refresh token is missing');
}
// We can fetch the actual token, and validate it
/** @var RefreshToken $refreshToken */
$refreshToken = $this->refreshTokenService->getToken((string) $refreshToken);
if (null === $refreshToken || $refreshToken->isExpired()) {
throw OAuth2Exception::invalidGrant('Refresh token is expired');
}
// We can now create a new access token! First, we need to make some checks on the asked scopes,
// because according to the spec, a refresh token can create an access token with an equal or lesser
// scope, but not more
$scopes = $postParams['scope'] ?? $refreshToken->getScopes();
if (!$refreshToken->matchScopes($scopes)) {
throw OAuth2Exception::invalidScope('The scope of the new access token exceeds the scope(s) of the refresh token');
}
$owner = $refreshToken->getOwner();
$accessToken = $this->accessTokenService->createToken($owner, $client, $scopes);
// We may want to revoke the old refresh token
if ($this->serverOptions->getRotateRefreshTokens()) {
if ($this->serverOptions->getRevokeRotatedRefreshTokens()) {
$this->refreshTokenService->deleteToken($refreshToken);
}
$refreshToken = $this->refreshTokenService->createToken($owner, $client, $scopes);
}
// We can generate the response!
return $this->prepareTokenResponse($accessToken, $refreshToken, true);
}
/**
* {@inheritDoc}
* @throws OAuth2Exception
*/
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
$postParams = $request->getParsedBody();
$code = $postParams['code'] ?? null;
if (null === $code) {
throw OAuth2Exception::invalidRequest('Could not find the authorization code in the request');
}
/* @var \ZfrOAuth2\Server\Entity\AuthorizationCode $authorizationCode */
$authorizationCode = $this->authorizationCodeService->getToken($code);
if (null === $authorizationCode || $authorizationCode->isExpired()) {
throw OAuth2Exception::invalidGrant('Authorization code cannot be found or is expired');
}
$clientId = $postParams['client_id'] ?? null;
if ($authorizationCode->getClient()->getId() !== $clientId) {
throw OAuth2Exception::invalidRequest('Authorization code\'s client does not match with the one that created the authorization code');
}
// If owner is null, we reuse the same as the authorization code
$owner = $owner ?: $authorizationCode->getOwner();
// Everything is okey, let's start the token generation!
$scopes = $authorizationCode->getScopes();
// reuse the scopes from the authorization code
$accessToken = new AccessToken();
$this->populateToken($accessToken, $client, $owner, $scopes);
$accessToken = $this->accessTokenService->createToken($accessToken);
// Before generating a refresh token, we must make sure the authorization server supports this grant
$refreshToken = null;
if ($this->authorizationServer->hasGrant(RefreshTokenGrant::GRANT_TYPE)) {
$refreshToken = new RefreshToken();
$this->populateToken($refreshToken, $client, $owner, $scopes);
$refreshToken = $this->refreshTokenService->createToken($refreshToken);
}
return $this->prepareTokenResponse($accessToken, $refreshToken);
}
