예제 #1
0
 /**
  * We only check if the token has not expired.
  * This method should be overridden to verify the client or the resource owner are enabled for example.
  *
  * {@inheritdoc}
  */
 public function isAccessTokenValid(AccessTokenInterface $token)
 {
     return !$token->hasExpired();
 }
예제 #2
0
 /**
  * @param \OAuth2\Token\AccessTokenInterface|\OAuth2\Token\RefreshTokenInterface $token
  * @param \OAuth2\Client\ClientInterface|null                                    $client
  *
  * @return bool
  */
 private function isClientVerified($token, ClientInterface $client = null)
 {
     if (null !== $client) {
         // The client ID of the token is the same as client authenticated
         return $token->getClientPublicId() === $client->getPublicId();
     } else {
         // We try to get the client
         $client = $this->getClientManagerSupervisor()->getClient($token->getClientPublicId());
         // Return false if the client is a confidential client (confidential client must be authenticated)
         return !$client instanceof ConfidentialClientInterface;
     }
 }
예제 #3
0
 /**
  * @param \OAuth2\Token\AccessTokenInterface $access_token
  *
  * @throws \OAuth2\Exception\BaseExceptionInterface
  *
  * @return \OAuth2\Client\ClientInterface|\OAuth2\UserAccount\UserAccountInterface
  */
 private function getResourceOwner(AccessTokenInterface $access_token)
 {
     if (null !== $access_token->getUserAccountPublicId()) {
         $resource_owner = $this->getUserAccountManager()->getUserAccountByPublicId($access_token->getUserAccountPublicId());
     } else {
         $resource_owner = $this->getClientManager()->getClient($access_token->getResourceOwnerPublicId());
     }
     if (null !== $resource_owner) {
         return $resource_owner;
     }
     throw new BadCredentialsException('Unknown resource owner');
 }
예제 #4
0
 /**
  * @param \OAuth2\Token\AccessTokenInterface $access_token
  *
  * @throws \OAuth2\Exception\BaseExceptionInterface
  *
  * @return \OAuth2\Client\ClientInterface|\OAuth2\EndUser\EndUserInterface
  */
 private function getResourceOwner(AccessTokenInterface $access_token)
 {
     $resource_owner = $this->getClientManagerSupervisor()->getClient($access_token->getResourceOwnerPublicId());
     if ($resource_owner instanceof ClientInterface) {
         return $resource_owner;
     }
     $resource_owner = $this->getEndUserManager()->getEndUser($access_token->getResourceOwnerPublicId());
     if (!$resource_owner instanceof EndUserInterface) {
         throw new BadCredentialsException('Unknown resource owner');
     }
     return $resource_owner;
 }
예제 #5
0
 /**
  * {@inheritdoc}
  */
 public function createIdToken(ClientInterface $client, UserAccountInterface $user_account, $redirect_uri, $claims_locales, array $request_claims, array $scope, array $id_token_claims = [], AccessTokenInterface $access_token = null, AuthCodeInterface $auth_code = null)
 {
     $id_token = $this->createEmptyIdToken();
     $exp = null !== $access_token ? $access_token->getExpiresAt() : time() + $this->getLifetime($client);
     $claims = array_merge($this->getUserinfo()->getUserinfo($client, $user_account, $redirect_uri, $claims_locales, $request_claims, $scope), ['jti' => Base64Url::encode(random_bytes(25)), 'iss' => $this->getIssuer(), 'aud' => [$client->getPublicId(), $this->getIssuer()], 'iat' => time(), 'nbf' => time(), 'exp' => $exp]);
     foreach (['at_hash' => $access_token, 'c_hash' => $auth_code] as $key => $token) {
         if (null !== $token) {
             $claims[$key] = $this->getHash($token->getToken());
         }
     }
     foreach (['last_login_at' => 'auth_time', 'amr' => 'amr', 'acr' => 'acr'] as $claim => $key) {
         if ($user_account->has($claim)) {
             $claims[$key] = $user_account->get($claim);
         }
     }
     $headers = ['typ' => 'JWT', 'alg' => $this->getSignatureAlgorithm()];
     $signature_key = $this->signature_key_set->selectKey('sig', $this->getSignatureAlgorithm());
     Assertion::notNull($signature_key, 'Unable to find a key to sign the ID Token. Please verify the selected key set contains suitable keys.');
     if ($signature_key->has('kid')) {
         $headers['kid'] = $signature_key->get('kid');
     }
     if (!empty($id_token_claims)) {
         $claims = array_merge($claims, $id_token_claims);
     }
     $jwt = $this->jwt_creator->sign($claims, $headers, $signature_key);
     if ($client->hasPublicKeySet() && $client->has('id_token_encrypted_response_alg') && $client->has('id_token_encrypted_response_enc')) {
         $key_set = $client->getPublicKeySet();
         $key = $key_set->selectKey('enc');
         if (null !== $key) {
             $headers = ['typ' => 'JWT', 'jti' => Base64Url::encode(random_bytes(25)), 'alg' => $client->get('id_token_encrypted_response_alg'), 'enc' => $client->get('id_token_encrypted_response_enc')];
             $jwt = $this->jwt_creator->encrypt($jwt, $headers, $key);
         }
     }
     $id_token->setToken($jwt);
     $id_token->setExpiresAt($exp);
     $id_token->setClientPublicId($client->getPublicId());
     $id_token->setResourceOwnerPublicId($user_account->getUserPublicId());
     return $id_token;
 }
예제 #6
0
 /**
  * {@inheritdoc}
  */
 protected function populateAccessToken(AccessTokenInterface &$access_token, ClientInterface $client, ResourceOwnerInterface $resource_owner, \OAuth2\Token\RefreshTokenInterface $refresh_token = null, ClientInterface $resource_server = null)
 {
     $access_token->setToken($this->generateToken());
 }
예제 #7
0
 /**
  * @param \OAuth2\Client\ClientInterface           $client
  * @param \OAuth2\Grant\GrantTypeResponseInterface $grant_type_response
  * @param array                                    $token_type_information
  * @param \OAuth2\Token\AccessTokenInterface       $access_token
  *
  * @return array
  */
 private function postAccessTokenCreation(ClientInterface $client, GrantTypeResponseInterface $grant_type_response, array $token_type_information, AccessTokenInterface $access_token)
 {
     $data = $access_token->toArray();
     foreach ($this->token_endpoint_extensions as $token_endpoint_extension) {
         $result = $token_endpoint_extension->postAccessTokenCreation($client, $grant_type_response, $token_type_information, $access_token);
         if (!empty($result)) {
             $data = array_merge($data, $result);
         }
     }
     return $data;
 }
예제 #8
0
 /**
  * {@inheritdoc}
  */
 public function prepareAccessToken(AccessTokenInterface $token)
 {
     $data = $token->jsonSerialize();
     return array_merge($data, ['token_type' => 'Bearer']);
 }
예제 #9
0
 /**
  * @param \OAuth2\Token\AccessTokenInterface $access_token
  *
  * @throws \OAuth2\Exception\BadRequestExceptionInterface
  */
 private function checkHasRedirectUri(AccessTokenInterface $access_token)
 {
     if (!$access_token->hasMetadata('redirect_uri')) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_REQUEST, 'The access token has no "redirect_uri" data and cannot be used.');
     }
 }
예제 #10
0
 /**
  * @param \OAuth2\Token\AccessTokenInterface  $access_token
  * @param \OAuth2\Client\ClientInterface|null $resource_server
  *
  * @return array
  */
 protected function preparePayload(AccessTokenInterface $access_token, ClientInterface $resource_server = null)
 {
     $aud = [$this->getIssuer()];
     if (null !== $resource_server) {
         $access_token[] = $resource_server->getPublicId();
     }
     $payload = ['jti' => Base64Url::encode(random_bytes(25)), 'iss' => $this->getIssuer(), 'aud' => $aud, 'iat' => time(), 'nbf' => time(), 'exp' => $access_token->getExpiresAt(), 'sub' => $access_token->getClientPublicId(), 'token_type' => $access_token->getTokenTypeParameter('token_type'), 'scp' => $access_token->getScope(), 'resource_owner' => $access_token->getResourceOwnerPublicId(), 'user_account' => $access_token->getUserAccountPublicId()];
     $payload['metadatas'] = $access_token->getMetadatas();
     if (0 !== ($expires_at = $access_token->getExpiresAt())) {
         $payload['exp'] = $expires_at;
     }
     if (!empty($access_token->getParameters())) {
         $parameters = $access_token->getParameters();
         //This part should be updated to support 'cnf' (confirmation) claim (see POP).
         $payload['other'] = $parameters;
     }
     if (null !== $access_token->getRefreshToken()) {
         $payload['refresh_token'] = $access_token->getRefreshToken();
     }
     return $payload;
 }