/**
 * {@inheritDoc}
 *
 * Exchanges a refresh token read from the POST body for a new access token,
 * optionally rotating the refresh token according to the server options.
 *
 * The $owner argument is not used by this grant: the owner is always taken from
 * the stored refresh token. $client is passed through to the token services.
 *
 * @throws OAuth2Exception invalid_request when no refresh_token is posted,
 *                         invalid_grant when the token is unknown or expired,
 *                         invalid_scope when the requested scope exceeds the token's
 */
public function createTokenResponse(ServerRequestInterface $request, Client $client = null, TokenOwnerInterface $owner = null) : ResponseInterface
{
    // NOTE(review): PSR-7 allows getParsedBody() to return null or an object; the
    // array access below assumes an array body — confirm what the body parser yields.
    $postParams   = $request->getParsedBody();
    $refreshToken = $postParams['refresh_token'] ?? null;

    if (null === $refreshToken) {
        throw OAuth2Exception::invalidRequest('Refresh token is missing');
    }

    // We can fetch the actual token, and validate it. $refreshToken changes type here:
    // the raw string from the request above, the stored RefreshToken model from here on.
    /** @var RefreshToken $refreshToken */
    $refreshToken = $this->refreshTokenService->getToken((string) $refreshToken);

    // Unknown and expired tokens produce the same error, so the response does not
    // distinguish a token that never existed from one that has lapsed.
    if (null === $refreshToken || $refreshToken->isExpired()) {
        throw OAuth2Exception::invalidGrant('Refresh token is expired');
    }

    // NOTE(review): nothing in this method checks that the stored token was issued to
    // the authenticated $client (RFC 6749 §6 requires that binding for confidential
    // clients). Confirm it is enforced elsewhere in the request pipeline; otherwise a
    // refresh token obtained by one client is accepted on behalf of another.

    // We can now create a new access token! First, we need to make some checks on the asked scopes,
    // because according to the spec, a refresh token can create an access token with an equal or lesser
    // scope, but not more. When no scope is posted, the token's own scopes are reused unchanged.
    $scopes = $postParams['scope'] ?? $refreshToken->getScopes();

    if (!$refreshToken->matchScopes($scopes)) {
        throw OAuth2Exception::invalidScope('The scope of the new access token exceeds the scope(s) of the refresh token');
    }

    // The owner bound to the stored token takes precedence over the $owner parameter
    $owner       = $refreshToken->getOwner();
    $accessToken = $this->accessTokenService->createToken($owner, $client, $scopes);

    // We may want to revoke the old refresh token. Order matters: the old token is
    // deleted before the replacement is issued, so there is never a window with two
    // valid refresh tokens for the same grant.
    if ($this->serverOptions->getRotateRefreshTokens()) {
        if ($this->serverOptions->getRevokeRotatedRefreshTokens()) {
            $this->refreshTokenService->deleteToken($refreshToken);
        }

        $refreshToken = $this->refreshTokenService->createToken($owner, $client, $scopes);
    }

    // We can generate the response! $refreshToken is either the original token or the
    // rotated one; see prepareTokenResponse() for the meaning of the boolean argument.
    return $this->prepareTokenResponse($accessToken, $refreshToken, true);
}
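/**
 * Validate the token scopes against the registered scope
 *
 * Every requested scope must be known to the scope service. The service may
 * return scope names as plain strings or as objects exposing getName().
 *
 * @param array $scopes Scope names requested by the client
 * @return void
 * @throws OAuth2Exception invalid_scope, listing every requested scope that is not registered
 */
protected function validateTokenScopes(array $scopes)
{
    // Normalise the registered scopes to a plain list of names. A by-value foreach is
    // used deliberately: the original by-reference loop left a dangling reference to the
    // last element, which any later write to that variable name would silently follow.
    $registeredScopes = [];

    foreach ($this->scopeService->getAll() as $registeredScope) {
        $registeredScopes[] = is_string($registeredScope) ? $registeredScope : $registeredScope->getName();
    }

    // Anything requested that is not registered is an error; report all of them at once
    $unknownScopes = array_diff($scopes, $registeredScopes);

    if (count($unknownScopes) > 0) {
        throw OAuth2Exception::invalidScope(sprintf('Some scope(s) do not exist: %s', implode(', ', $unknownScopes)));
    }
}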