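/**
  * Grants an access token for a Resource Owner Password Credentials request.
  *
  * Reads `username` and `password` from the request body, authenticates the
  * client, then the user, resolves the scopes and issues the token.
  *
  * @param IRequest $request
  *
  * @throws \OAuth2\Exception\InvalidRequestException      when username or password is missing
  * @throws \OAuth2\Exception\UnauthorizedClientException  when the client may not use this grant type
  * @throws InvalidUserCredentialsException                when the user credentials are rejected
  * @throws \OAuth2\Exception\InvalidGrantException
  * @throws \OAuth2\Exception\InvalidScopeException        when no scopes can be resolved
  * @return IAccessToken
  */
 public function grant(IRequest $request)
 {
     $username = $request->request('username');
     $password = $request->request('password');
     // Both credentials must be non-empty strings. empty() would also reject the
     // legitimate value '0', and a non-string value (e.g. an array-valued request
     // parameter) must never reach the authenticator.
     if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
         throw new InvalidRequestException('Username and password are required.');
     }
     // The client is verified before the user so that an unauthenticated client
     // cannot use this endpoint to probe user credentials.
     $client = $this->clientAuthenticator->authenticate($request);
     if (!$client->isAllowedToUse($this)) {
         throw new UnauthorizedClientException('Client can not use this grant type.');
     }
     $user = $this->userAuthenticator->authenticate($username, $password);
     if (!$user) {
         // One generic message for every credential failure; it does not reveal
         // whether the username exists.
         throw new InvalidUserCredentialsException('Invalid user credentials.');
     }
     $requestedScopes = $request->request('scope');
     // User-specific scopes win; fall back to the resolver defaults when the user has none.
     $availableScopes = $user->getScopes();
     if (!$availableScopes) {
         $availableScopes = $this->scopeResolver->getDefaultScopes();
     }
     if (!$availableScopes) {
         throw new InvalidScopeException('Scope parameter has to be specified.');
     }
     // Only the intersection of requested and permitted scopes is granted.
     $scopes = $this->scopeResolver->intersect($requestedScopes, $availableScopes);
     return $this->accessTokenStorage->generate($user, $client, $scopes);
 }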
 /**
  * Grants an access token for a Client Credentials request.
  *
  * The authenticated client must be confidential (carry a secret). The token is
  * issued to the client's owner, with scopes intersected against the client's
  * own scopes, or the resolver defaults when the client has none.
  *
  * @param IRequest $request
  *
  * @throws \OAuth2\Exception\InvalidClientException       when the client is not confidential
  * @throws \OAuth2\Exception\InvalidScopeException        when no scopes can be resolved
  * @throws \OAuth2\Exception\UnauthorizedClientException  when the client may not use this grant type
  * @return IAccessToken
  */
 public function grant(IRequest $request)
 {
     $client = $this->clientAuthenticator->authenticate($request);
     if (!$client->isAllowedToUse($this)) {
         throw new UnauthorizedClientException('Client can not use this grant type.');
     }

     // NOTE(review): confidentiality is inferred from a truthy secret, so a secret
     // of '0' would be treated as absent — confirm against getSecret()'s contract.
     $secret = $client->getSecret();
     if (!$secret) {
         throw new InvalidClientException('Only confidential clients can use this method.');
     }

     $requestedScopes = $request->request('scope');
     // Client scopes first, resolver defaults as fallback; nothing at all is an error.
     $permittedScopes = $client->getScopes() ?: $this->scopeResolver->getDefaultScopes();
     if (!$permittedScopes) {
         throw new InvalidScopeException('Scope parameter has to be specified.');
     }

     $grantedScopes = $this->scopeResolver->intersect($requestedScopes, $permittedScopes);
     $owner = $client->getOwner();
     return $this->accessTokenStorage->generate($owner, $client, $grantedScopes);
 }
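 /**
  * Parses and validates an authorization request.
  *
  * Resolves the client from `client_id`, validates `redirect_uri` against the
  * client's registered URI (or falls back to it), and intersects the requested
  * scopes with the scopes the user may hold.
  *
  * @param IRequest $request
  * @param IUser    $user    resource owner granting the authorization
  *
  * @throws \OAuth2\Exception\InvalidClientException       when client_id is unknown
  * @throws \OAuth2\Exception\InvalidRequestException      when client_id or redirect_uri is missing or invalid
  * @throws \OAuth2\Exception\InvalidScopeException        when no scopes can be resolved
  * @throws \OAuth2\Exception\UnauthorizedClientException  when the client may not use this grant type
  * @return array keys `client`, `redirect_uri`, `state` (raw query value, may be null) and `scopes`
  */
 protected function parseAuthorizationRequest(IRequest $request, IUser $user)
 {
     $clientId = $request->query('client_id');
     // Strict presence check: a falsy-but-valid id such as '0' must not be
     // treated as missing, and a non-string value (e.g. an array-valued query
     // parameter) must never reach the storage lookup.
     if (!is_string($clientId) || $clientId === '') {
         throw new InvalidRequestException('Client id is missing.');
     }
     $client = $this->clientStorage->get($clientId);
     if (!$client) {
         throw new InvalidClientException('Invalid client.');
     }
     if (!$client->isAllowedToUse($this)) {
         throw new UnauthorizedClientException('Client can not use this grant type.');
     }

     $redirectUri = $request->query('redirect_uri');
     $clientRedirectUri = $client->getRedirectUri();
     if (is_string($redirectUri) && $redirectUri !== '') {
         $parsedUrl = parse_url($redirectUri);
         // RFC 6749 §3.1.2: the redirection endpoint URI must be absolute (have a
         // scheme) and must not include a fragment component.
         if ($parsedUrl === false || !isset($parsedUrl['scheme']) || isset($parsedUrl['fragment'])) {
             throw new InvalidRequestException('Redirect URI is invalid.');
         }
         if (!$this->compareUris($redirectUri, $clientRedirectUri)) {
             throw new InvalidRequestException('Redirect URI does not match.');
         }
     } else {
         // Nothing usable was supplied (absent, empty or not a string): fall back
         // to the registered URI, which is the only trusted one, or fail.
         if (!$clientRedirectUri) {
             throw new InvalidRequestException('Redirect URI was not supplied or registered.');
         }
         $redirectUri = $clientRedirectUri;
     }

     $requestedScopes = $request->query('scope');
     // User-specific scopes win; fall back to the resolver defaults when the user has none.
     $availableScopes = $user->getScopes();
     if (!$availableScopes) {
         $availableScopes = $this->scopeResolver->getDefaultScopes();
     }
     if (!$availableScopes) {
         throw new InvalidScopeException('Scope parameter has to be specified.');
     }
     // Only the intersection of requested and permitted scopes is granted.
     $scopes = $this->scopeResolver->intersect($requestedScopes, $availableScopes);

     return [
         'client' => $client,
         'redirect_uri' => $redirectUri,
         'state' => $request->query('state'),
         'scopes' => $scopes,
     ];
 }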
 /**
  * Client credentials grant: a confidential client that has no scopes of its
  * own is issued a token, to its owner, carrying the resolver's default scopes.
  */
 function it_issues_an_access_token_using_default_scopes(IRequest $request, IClientAuthenticator $clientAuthenticator, IClient $client, IAccessTokenStorage $accessTokenStorage, IAccessToken $accessToken, IScopeResolver $scopeResolver, IScope $scope, IUser $user)
 {
     $defaultScopes = [$scope];

     // client authentication and eligibility for this grant
     $clientAuthenticator->authenticate($request)->shouldBeCalled()->willReturn($client);
     $client->isAllowedToUse($this)->shouldBeCalled()->willReturn(true);
     $client->getSecret()->shouldBeCalled()->willReturn('secret');

     // nothing requested and nothing registered on the client -> defaults apply
     $request->request('scope')->shouldBeCalled()->willReturn(null);
     $client->getScopes()->shouldBeCalled()->willReturn([]);
     $scopeResolver->getDefaultScopes()->shouldBeCalled()->willReturn($defaultScopes);
     $scopeResolver->intersect(null, $defaultScopes)->shouldBeCalled()->willReturn($defaultScopes);

     // the token is issued to the client's owner
     $client->getOwner()->shouldBeCalled()->willReturn($user);
     $accessTokenStorage->generate($user, $client, $defaultScopes)->shouldBeCalled()->willReturn($accessToken);

     $this->grant($request)->shouldReturn($accessToken);
 }
 /**
  * Implicit grant: a valid client, a redirect URI matching the registered one
  * and a user without own scopes yield an ImplicitSession built around an
  * access token carrying the default scopes.
  */
 function it_should_issue_access_token_and_return_implicit_authorization_session(IAccessTokenStorage $accessTokenStorage, IScopeResolver $scopeResolver, IClientStorage $clientStorage, IClient $client, IRequest $request, ITokenType $tokenType, IUser $user, IAccessToken $accessToken, IScope $scope)
 {
     $clientId = 'test';
     $redirectUri = 'http://google.com';
     $defaultScopes = [$scope];

     // client lookup and eligibility
     $request->query('client_id')->shouldBeCalled()->willReturn($clientId);
     $clientStorage->get($clientId)->shouldBeCalled()->willReturn($client);
     $client->isAllowedToUse($this)->shouldBeCalled()->willReturn(true);

     // supplied redirect URI equals the registered one
     $request->query('redirect_uri')->shouldBeCalled()->willReturn($redirectUri);
     $client->getRedirectUri()->shouldBeCalled()->willReturn($redirectUri);

     // requested scope is intersected with the defaults because the user has none
     $request->query('scope')->shouldBeCalled()->willReturn('scope1');
     $user->getScopes()->shouldBeCalled()->willReturn([]);
     $scopeResolver->getDefaultScopes()->shouldBeCalled()->willReturn($defaultScopes);
     $scopeResolver->intersect('scope1', $defaultScopes)->shouldBeCalled()->willReturn($defaultScopes);

     // no state parameter; token issued and typed as Bearer
     $request->query('state')->shouldBeCalled()->willReturn(null);
     $accessTokenStorage->generate($user, $client, $defaultScopes)->shouldBeCalled()->willReturn($accessToken);
     $tokenType->getName()->shouldBeCalled()->willReturn('Bearer');

     $this->authorize($request, $user)->shouldReturnAnInstanceOf('OAuth2\\Security\\ImplicitSession');
 }
 /**
  * Authorization fails with InvalidScopeException when neither the request,
  * the user nor the resolver defaults provide any scope.
  */
 function it_throws_exception_if_authorization_request_does_not_contain_scope_and_client_too(IRequest $request, IClientStorage $clientStorage, IClient $client, IScopeResolver $scopeResolver, IUser $user)
 {
     $clientId = 'a';

     // client lookup and eligibility
     $request->query('client_id')->shouldBeCalled()->willReturn($clientId);
     $clientStorage->get($clientId)->shouldBeCalled()->willReturn($client);
     $client->isAllowedToUse($this)->shouldBeCalled()->willReturn(true);

     // no redirect_uri supplied -> the registered one is used
     $request->query('redirect_uri')->shouldBeCalled()->willReturn(null);
     $client->getRedirectUri()->shouldBeCalled()->willReturn('http://google.sk');

     // no scope anywhere: request, user and defaults are all empty
     $request->query('scope')->shouldBeCalled()->willReturn(null);
     $user->getScopes()->shouldBeCalled()->willReturn([]);
     $scopeResolver->getDefaultScopes()->shouldBeCalled()->willReturn([]);

     $expected = new InvalidScopeException('Scope parameter has to be specified.');
     $this->shouldThrow($expected)->during('authorize', [$request, $user]);
 }