/**
  * {@inheritdoc}
  */
 public function prepareAuthorization(AuthorizationInterface $authorization)
 {
     $token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams());
     $token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getRedirectUri()]);
     $authorization->setData('access_token', $token);
     return $token->toArray();
 }
 /**
  * {@inheritdoc}
  */
 public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization)
 {
     // Whatever the prompt is, if the max_age constraint is not satisfied, the user is redirected to the login page
     if ($authorization->hasQueryParam('max_age') && time() - $user_account->getLastLoginAt() > $authorization->getQueryParam('max_age')) {
         throw new RedirectToLoginPageException($authorization);
     }
 }
 /**
  * {@inheritdoc}
  */
 protected function calculateSessionState(ServerRequestInterface $request, AuthorizationInterface $authorization, $browser_state)
 {
     $origin = $this->getOriginUri($authorization->getRedirectUri());
     $salt = Base64Url::encode(random_bytes(16));
     $hash = hash('sha256', sprintf('%s%s%s%s', $authorization->getClient()->getPublicId(), $origin, $browser_state, $salt));
     return sprintf('%s.%s', $hash, $salt);
 }
 /**
  * {@inheritdoc}
  */
 public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization)
 {
     if (!$authorization->hasScope('openid')) {
         return;
     }
     $browser_state = $this->getBrowserState($request);
     if (null === $browser_state) {
         $browser_state = $this->generateBrowserState();
         $this->saveBrowserState($response, $browser_state);
     }
     $session_state = $this->calculateSessionState($request, $authorization, $browser_state);
     $response_parameters['session_state'] = $session_state;
 }
 /**
  * {@inheritdoc}
  */
 public function processUserAccount(ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization, UserAccountInterface &$user_account = null)
 {
     // The query parameter 'id_token_hint' and the Id Token Manager are set
     if ($authorization->hasQueryParam('id_token_hint') && null !== $this->getIdTokenManager()) {
         try {
             $id_token_hint = $this->getIdTokenManager()->loadIdToken($authorization->getQueryParam('id_token_hint'));
             Assertion::true($id_token_hint->hasClaim('sub'), 'Invalid "id_token_hint" parameter.');
             $public_id = $this->getIdTokenManager()->getPublicIdFromSubjectIdentifier($id_token_hint->getClaim('sub'));
             Assertion::notNull($public_id, 'Invalid "id_token_hint" parameter.');
             if (null === $user_account) {
                 $user_account = $this->getUserAccountManager()->getUserAccountByPublicId($public_id);
             } else {
                 if ($user_account->getPublicId() !== $public_id) {
                     throw new RedirectToLoginPageException($authorization);
                 }
             }
         } catch (\InvalidArgumentException $e) {
             throw new CreateRedirectionException($authorization, ExceptionManagerInterface::BAD_REQUEST, $e->getMessage());
         }
     }
 }
 /**
  * @param \Symfony\Component\Form\FormInterface                                                                $form
  * @param \Psr\Http\Message\ServerRequestInterface                                                             $request
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface                                                $authorization
  * @param \SpomkyLabs\OAuth2ServerBundle\Plugin\AuthorizationEndpointPlugin\Form\Model\AuthorizationModel      $authorization_model
  *
  * @return bool
  */
 public function handle(FormInterface $form, ServerRequestInterface $request, AuthorizationInterface $authorization, AuthorizationModel $authorization_model)
 {
     if ('POST' !== $request->getMethod()) {
         return false;
     }
     $httpFoundationFactory = new HttpFoundationFactory();
     $symfony_request = $httpFoundationFactory->createRequest($request);
     $form->submit($symfony_request->get($form->getName()));
     if (!$form->isValid()) {
         return false;
     }
     $button = $form->get('accept');
     if (!$button instanceof ClickableInterface) {
         throw new InvalidArgumentException('Unable to find the button named "accept".');
     }
     $authorization->setAuthorized($button->isClicked());
     $refused_scopes = array_diff($authorization->getScopes(), $authorization_model->getScopes());
     foreach ($refused_scopes as $refused_scope) {
         $authorization->removeScope($refused_scope);
     }
     return true;
 }
 /**
  * {@inheritdoc}
  */
 public function processUserAccountIsAvailable(UserAccountInterface $user_account, $is_fully_authenticated, ServerRequestInterface $request, ResponseInterface $response, AuthorizationInterface $authorization)
 {
     if ($authorization->hasPrompt('login') && !$is_fully_authenticated) {
         throw new RedirectToLoginPageException($authorization);
     }
 }
 /**
  * {@inheritdoc}
  */
 public function prepareAuthorization(AuthorizationInterface $authorization)
 {
     $token_type = $this->getTokenTypeFromRequest($authorization->getQueryParams());
     $token = $this->getAccessTokenManager()->createAccessToken($authorization->getClient(), $authorization->getUserAccount(), $token_type->getTokenTypeInformation(), $authorization->getQueryParams(), $authorization->getScopes(), null, null, ['redirect_uri' => $authorization->getQueryParam('redirect_uri')]);
     $authorization->setData('access_token', $token);
     foreach ($this->listeners as $listener) {
         $listener->call($token);
     }
     return [];
 }
 /**
  * {@inheritdoc}
  */
 public function process(array &$response_parameters, ServerRequestInterface $request, ResponseInterface &$response, AuthorizationInterface $authorization)
 {
     if ($authorization->hasQueryParam('state')) {
         $response_parameters['state'] = $authorization->getQueryParam('state');
     }
 }
 /**
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
  * @param \Psr\Http\Message\ResponseInterface                   $response
  * @param string                                                $error
  * @param string|null                                           $error_description
  */
 private function createRedirectionException(AuthorizationInterface $authorization, ResponseInterface &$response, $error, $error_description = null)
 {
     $params = ['response_mode' => $authorization->getResponseMode(), 'redirect_uri' => $authorization->getRedirectUri()];
     if (true === $authorization->hasQueryParam('state')) {
         $params['state'] = $authorization->getQueryParam('state');
     }
     $exception = $this->getExceptionManager()->getRedirectException($error, $error_description, $params);
     $exception->getHttpResponse($response);
 }
 /**
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
  *
  * @return null|\OAuth2\Endpoint\Authorization\PreConfiguredAuthorization\PreConfiguredAuthorizationInterface
  */
 private function findPreConfiguredAuthorization(AuthorizationInterface $authorization)
 {
     if (null !== $this->getPreConfiguredAuthorizationManager()) {
         return $this->getPreConfiguredAuthorizationManager()->findOnePreConfiguredAuthorization($authorization->getUserAccount()->getUserPublicId(), $authorization->getClient()->getPublicId(), $authorization->getScopes());
     }
 }
 /**
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
  *
  * @return null|string
  */
 private function getUiLocale(AuthorizationInterface $authorization)
 {
     if (!method_exists($this->translator, 'getCatalogue') || !$authorization->hasQueryParam('ui_locales')) {
         return;
     }
     $ui_locales = explode(' ', $authorization->getQueryParam('ui_locales'));
     foreach ($ui_locales as $ui_locale) {
         $catalogue = $this->translator->getCatalogue($ui_locale);
         if (in_array('SpomkyLabsOAuth2Server', $catalogue->getDomains())) {
             return $ui_locale;
         }
     }
 }
 /**
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
  *
  * @return array
  */
 private function getIdTokenClaims(AuthorizationInterface $authorization)
 {
     if (!$authorization->hasQueryParam('claims')) {
         return [];
     }
     $requested_claims = $authorization->getQueryParam('claims');
     if (true === array_key_exists('id_token', $requested_claims)) {
         return $requested_claims['id_token'];
     }
     return [];
 }
 /**
  * @param \OAuth2\Endpoint\Authorization\AuthorizationInterface $authorization
  *
  * @return bool
  */
 private function isOfflineAccess(AuthorizationInterface $authorization)
 {
     // The scope offline_access is not requested
     if (!in_array('offline_access', $authorization->getScopes())) {
         return false;
     }
     // The scope offline_access is requested but prompt is not consent
     // The scope offline_access is ignored
     if (!$authorization->hasQueryParam('prompt') || !in_array('consent', $authorization->getQueryParam('prompt'))) {
         $authorization->removeScope('offline_access');
         return false;
     }
     return true;
 }