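/**
 * Grants an access token for a resource owner password credentials request.
 *
 * Order of checks: request shape first, then the client (authenticated and allowed
 * to use this grant), then the user's credentials, then scopes. Checking the client
 * before the user means an unauthenticated client cannot be used to probe passwords.
 * Scopes are the intersection of the requested scopes and the user's scopes, falling
 * back to the resolver's default scopes when the user has none.
 *
 * @param IRequest $request
 *
 * @throws \OAuth2\Exception\InvalidRequestException     username or password missing
 * @throws InvalidUserCredentialsException               user authentication failed
 * @throws \OAuth2\Exception\InvalidScopeException       neither user scopes nor default scopes exist
 * @throws \OAuth2\Exception\UnauthorizedClientException client may not use this grant type
 * @return IAccessToken
 */
public function grant(IRequest $request)
{
    $username = $request->request('username');
    $password = $request->request('password');

    // Require non-empty strings rather than using empty(): empty() also rejects the
    // legitimate credential value '0', and a non-string (e.g. an array smuggled in via
    // username[]=) must never reach the authenticator.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        throw new InvalidRequestException('Username and password are required.');
    }

    $client = $this->clientAuthenticator->authenticate($request);
    if (!$client->isAllowedToUse($this)) {
        throw new UnauthorizedClientException('Client can not use this grant type.');
    }

    // A falsy result from the user authenticator means the credentials were rejected.
    $user = $this->userAuthenticator->authenticate($username, $password);
    if (!$user) {
        throw new InvalidUserCredentialsException('Invalid user credentials.');
    }

    $requestedScopes = $request->request('scope');
    $availableScopes = $user->getScopes();
    if (empty($availableScopes)) {
        $availableScopes = $this->scopeResolver->getDefaultScopes();
    }
    if (empty($availableScopes)) {
        throw new InvalidScopeException('Scope parameter has to be specified.');
    }

    // The user can never be granted more than what they (or the defaults) allow.
    $scopes = $this->scopeResolver->intersect($requestedScopes, $availableScopes);

    return $this->accessTokenStorage->generate($user, $client, $scopes);
}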
/**
 * Grants an access token for a client credentials request.
 *
 * Only confidential clients (those holding a secret) may use this grant; the token
 * is issued to the client's owner with the intersection of the requested scopes and
 * the client's scopes, or the resolver's default scopes when the client has none.
 *
 * @param IRequest $request
 *
 * @throws \OAuth2\Exception\InvalidClientException       client has no secret (public client)
 * @throws \OAuth2\Exception\InvalidScopeException        neither client scopes nor default scopes exist
 * @throws \OAuth2\Exception\UnauthorizedClientException  client may not use this grant type
 * @return IAccessToken
 */
public function grant(IRequest $request)
{
    $client = $this->clientAuthenticator->authenticate($request);

    if (!$client->isAllowedToUse($this)) {
        throw new UnauthorizedClientException('Client can not use this grant type.');
    }

    // Client credentials is reserved for confidential clients: without a secret there
    // is nothing the client could have authenticated with.
    // NOTE(review): this is a truthiness check, so a secret of '0' counts as absent.
    $secret = $client->getSecret();
    if (!$secret) {
        throw new InvalidClientException('Only confidential clients can use this method.');
    }

    $wanted = $request->request('scope');

    $allowed = $client->getScopes();
    if (empty($allowed)) {
        // No client-specific scopes: fall back to defaults, which must then exist.
        $allowed = $this->scopeResolver->getDefaultScopes();
        if (empty($allowed)) {
            throw new InvalidScopeException('Scope parameter has to be specified.');
        }
    }

    $granted = $this->scopeResolver->intersect($wanted, $allowed);
    $owner   = $client->getOwner();

    return $this->accessTokenStorage->generate($owner, $client, $granted);
}
/**
 * Parses and validates an authorization request on behalf of the given user.
 *
 * Validation order: client_id present, client known, client allowed to use this
 * grant, redirect URI acceptable, then scopes. A supplied redirect_uri must parse,
 * must not carry a fragment, and must match the client's registered URI according
 * to compareUris(); when none is supplied the registered URI is used, and the
 * request is rejected if the client has none registered.
 *
 * NOTE(review): the strength of the redirect URI check rests entirely on
 * compareUris(), which is defined elsewhere. It should be an exact match — prefix
 * or partial matching is a well-known route to open redirects and code/token leakage.
 *
 * @param IRequest $request
 * @param IUser    $user     resource owner whose scopes bound the request
 *
 * @throws \OAuth2\Exception\InvalidClientException       unknown client_id
 * @throws \OAuth2\Exception\InvalidRequestException      missing client_id or unacceptable redirect URI
 * @throws \OAuth2\Exception\InvalidScopeException        neither user scopes nor default scopes exist
 * @throws \OAuth2\Exception\UnauthorizedClientException  client may not use this grant type
 * @return array keys: client, redirect_uri, state, scopes
 */
protected function parseAuthorizationRequest(IRequest $request, IUser $user)
{
    $clientId = $request->query('client_id');
    if (!$clientId) {
        throw new InvalidRequestException('Client id is missing.');
    }

    $client = $this->clientStorage->get($clientId);
    if (!$client) {
        throw new InvalidClientException('Invalid client.');
    }
    if (!$client->isAllowedToUse($this)) {
        throw new UnauthorizedClientException('Client can not use this grant type.');
    }

    $suppliedUri   = $request->query('redirect_uri');
    $registeredUri = $client->getRedirectUri();

    if (!$suppliedUri) {
        // Nothing supplied: the registered URI is used and therefore must exist.
        if (!$registeredUri) {
            throw new InvalidRequestException('Redirect URI was not supplied or registered.');
        }
        $redirectUri = $registeredUri;
    } else {
        // Fragments are never allowed in a redirection endpoint.
        $parts = parse_url($suppliedUri);
        if ($parts === false || isset($parts['fragment'])) {
            throw new InvalidRequestException('Redirect URI is invalid.');
        }
        if (!$this->compareUris($suppliedUri, $registeredUri)) {
            throw new InvalidRequestException('Redirect URI does not match.');
        }
        $redirectUri = $suppliedUri;
    }

    $wanted  = $request->query('scope');
    $allowed = $user->getScopes() ?: $this->scopeResolver->getDefaultScopes();
    if (empty($allowed)) {
        throw new InvalidScopeException('Scope parameter has to be specified.');
    }

    return [
        'client'       => $client,
        'redirect_uri' => $redirectUri,
        'state'        => $request->query('state'),
        'scopes'       => $this->scopeResolver->intersect($wanted, $allowed),
    ];
}
/**
 * Client credentials grant: a confidential client with no scopes of its own gets
 * the resolver's default scopes, and the token is issued to the client's owner.
 */
function it_issues_an_access_token_using_default_scopes(IRequest $request, IClientAuthenticator $clientAuthenticator, IClient $client, IAccessTokenStorage $accessTokenStorage, IAccessToken $accessToken, IScopeResolver $scopeResolver, IScope $scope, IUser $user)
{
    // A confidential client that is allowed to use this grant.
    $clientAuthenticator->authenticate($request)->willReturn($client)->shouldBeCalled();
    $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled();
    $client->getSecret()->willReturn('secret')->shouldBeCalled();
    $client->getOwner()->willReturn($user)->shouldBeCalled();

    // Nothing requested and nothing configured on the client -> default scopes apply.
    $request->request('scope')->willReturn(null)->shouldBeCalled();
    $client->getScopes()->willReturn([])->shouldBeCalled();
    $scopeResolver->getDefaultScopes()->willReturn([$scope])->shouldBeCalled();
    $scopeResolver->intersect(null, [$scope])->willReturn([$scope])->shouldBeCalled();

    // The token is generated for the owner, not for the client itself.
    $accessTokenStorage->generate($user, $client, [$scope])->willReturn($accessToken)->shouldBeCalled();

    $this->grant($request)->shouldReturn($accessToken);
}
/**
 * Implicit grant happy path: a known client, a redirect_uri equal to the registered
 * one, and a user without scopes (so defaults apply) yields an ImplicitSession
 * carrying a Bearer token.
 */
function it_should_issue_access_token_and_return_implicit_authorization_session(IAccessTokenStorage $accessTokenStorage, IScopeResolver $scopeResolver, IClientStorage $clientStorage, IClient $client, IRequest $request, ITokenType $tokenType, IUser $user, IAccessToken $accessToken, IScope $scope)
{
    // Client lookup and grant permission.
    $request->query('client_id')->willReturn('test')->shouldBeCalled();
    $clientStorage->get('test')->willReturn($client)->shouldBeCalled();
    $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled();

    // Supplied redirect URI matches the registered one exactly.
    $request->query('redirect_uri')->willReturn('http://google.com')->shouldBeCalled();
    $client->getRedirectUri()->willReturn('http://google.com')->shouldBeCalled();

    // User has no scopes -> resolver defaults are intersected with the request.
    $request->query('scope')->willReturn('scope1')->shouldBeCalled();
    $user->getScopes()->willReturn([])->shouldBeCalled();
    $scopeResolver->getDefaultScopes()->willReturn([$scope])->shouldBeCalled();
    $scopeResolver->intersect('scope1', [$scope])->willReturn([$scope])->shouldBeCalled();

    // No state parameter in this request.
    $request->query('state')->willReturn(null)->shouldBeCalled();

    // Token issuance and token type reported in the session.
    $accessTokenStorage->generate($user, $client, [$scope])->willReturn($accessToken)->shouldBeCalled();
    $tokenType->getName()->willReturn('Bearer')->shouldBeCalled();

    $this->authorize($request, $user)->shouldReturnAnInstanceOf('OAuth2\\Security\\ImplicitSession');
}
/**
 * Authorization must fail with InvalidScopeException when the request names no scope,
 * the user has none, and the resolver has no defaults either.
 *
 * NOTE(review): despite the spec name saying "client", the scopes consulted here are
 * the user's (getScopes() on $user) plus the resolver defaults.
 */
function it_throws_exception_if_authorization_request_does_not_contain_scope_and_client_too(IRequest $request, IClientStorage $clientStorage, IClient $client, IScopeResolver $scopeResolver, IUser $user)
{
    // Valid client that may use this grant; no redirect_uri supplied, so the
    // registered one is used.
    $request->query('client_id')->willReturn('a')->shouldBeCalled();
    $clientStorage->get('a')->willReturn($client)->shouldBeCalled();
    $client->isAllowedToUse($this)->willReturn(true)->shouldBeCalled();
    $request->query('redirect_uri')->willReturn(null)->shouldBeCalled();
    $client->getRedirectUri()->willReturn('http://google.sk')->shouldBeCalled();

    // No scope anywhere: request, user, or defaults.
    $request->query('scope')->willReturn(null)->shouldBeCalled();
    $user->getScopes()->willReturn([])->shouldBeCalled();
    $scopeResolver->getDefaultScopes()->willReturn([])->shouldBeCalled();

    $expected = new InvalidScopeException('Scope parameter has to be specified.');
    $this->shouldThrow($expected)->during('authorize', [$request, $user]);
}