Пример #1
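 /**
  * Handle the refresh_token grant: exchange a refresh_token for a fresh
  * access_token bound to the same client and resource owner.
  *
  * @param TokenRequest $tokenRequest the parsed token request
  * @param ClientData   $clientData   the (already authenticated) client
  *
  * @return array the token response (access_token, expires_in, scope, token_type)
  *
  * @throws BadRequestException when the refresh_token parameter is missing
  *                             ('invalid_request') or no approval for this
  *                             client carries it ('invalid_grant')
  */
 public function handleRefreshToken(TokenRequest $tokenRequest, ClientData $clientData)
 {
     $refreshToken = $tokenRequest->getRefreshToken();
     $scope = $tokenRequest->getScope();

     // an absent token is a malformed request; never send null/'' to the
     // approval lookup and let the storage layer decide what that matches
     if (null === $refreshToken || '' === $refreshToken) {
         throw new BadRequestException('invalid_request', 'the refresh_token parameter is missing');
     }

     // the lookup is keyed on the client id as well, so a refresh_token
     // issued to a different client cannot be redeemed here
     $result = $this->db->getApprovalByRefreshToken($clientData->getId(), $refreshToken);
     if (false === $result) {
         throw new BadRequestException('invalid_grant', 'the refresh_token was not found');
     }

     // the scope the resource owner approved is the upper bound of the grant
     $authorizedScope = $result['scope'];
     $grantedScope = $authorizedScope;
     if (null !== $scope) {
         // the client asks for a specific scope: honor it only when it is a
         // subset of the authorized scope, otherwise fall back to the
         // authorized scope so the grant is never widened
         $requestedScope = new Scope($scope);
         if ($requestedScope->hasOnlyScope(new Scope($authorizedScope))) {
             $grantedScope = $requestedScope->toString();
         }
     }

     $token = array(
         'access_token' => $this->io->getRandomHex(),
         'expires_in' => $this->accessTokenExpiry,
         'scope' => $grantedScope,
         'token_type' => 'bearer',
     );
     $this->db->storeAccessToken(
         $token['access_token'],
         $this->io->getTime(),
         $clientData->getId(),
         $result['resource_owner_id'],
         $token['scope'],
         $token['expires_in']
     );

     return $token;
 }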
 /**
  * Record a resource owner's approval of a client, or bring an existing
  * approval's scope up to date.
  *
  * @param ClientData $clientData the approved client
  * @param string     $userId     the approving resource owner
  * @param string     $scope      the approved scope
  */
 private function addApproval(ClientData $clientData, $userId, $scope)
 {
     $clientId = $clientData->getId();
     $existing = $this->storage->getApprovalByResourceOwnerId($clientId, $userId);

     if (false !== $existing) {
         // an approval is already on file: only the scope is refreshed, the
         // approval (and its refresh_token) stays as it is
         $this->storage->updateApproval($clientId, $userId, $scope);

         return;
     }

     // first approval for this client/user pair: only clients of type
     // "code" receive a refresh_token
     $refreshToken = null;
     if ('code' === $clientData->getType()) {
         $refreshToken = $this->io->getRandomHex();
     }
     $this->storage->addApproval($clientId, $userId, $scope, $refreshToken);
 }
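 /**
  * Token introspection: report whether an access_token is active and, if
  * so, the claims associated with it.
  *
  * @param Request     $request    the HTTP request, used to derive the issuer
  * @param string|null $tokenValue the access_token to introspect
  *
  * @return JsonResponse the introspection document, marked non-cacheable
  *
  * @throws BadRequestException when the token parameter is missing
  */
 public function getTokenIntrospection(Request $request, $tokenValue)
 {
     // an empty string is a missing parameter, not a token to look up
     if (null === $tokenValue || '' === $tokenValue) {
         throw new BadRequestException('invalid_token', 'the token parameter is missing');
     }
     // FIXME: validate token format

     // unknown and expired tokens are reported identically, so the response
     // does not reveal whether a token ever existed
     $tokenInfo = array('active' => false);

     $accessToken = $this->db->getAccessToken($tokenValue);
     if (false !== $accessToken) {
         $expiresAt = $accessToken['issue_time'] + $accessToken['expires_in'];
         if ($this->io->getTime() <= $expiresAt) {
             // token exists and did not expire
             $tokenInfo = array(
                 'active' => true,
                 'exp' => intval($expiresAt),
                 'iat' => intval($accessToken['issue_time']),
                 'scope' => $accessToken['scope'],
                 'iss' => $request->getUrl()->getHost(),
                 'client_id' => $accessToken['client_id'],
                 'sub' => $accessToken['resource_owner_id'],
                 'user_id' => $accessToken['resource_owner_id'],
                 'token_type' => 'bearer',
             );
             // as long as we have no RS registration we cannot set the audience...
             // $tokenInfo['aud'] => 'foo';
         }
     }

     $response = new JsonResponse();
     // token metadata must never be served from a shared or browser cache
     $response->setHeaders(array('Cache-Control' => 'no-store', 'Pragma' => 'no-cache'));
     $response->setBody($tokenInfo);

     return $response;
 }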
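 /**
  * Remove one of the authenticated user's approvals and return to the
  * approvals overview.
  *
  * The delete is scoped to the authenticated user's id, so a user can only
  * remove approvals that belong to them regardless of the id supplied.
  *
  * NOTE(review): this mutates state from a plain GET query parameter; confirm
  * the caller enforces CSRF protection for this endpoint.
  *
  * @param Request           $request  the HTTP request carrying the "id" query parameter
  * @param UserInfoInterface $userInfo the authenticated user
  *
  * @return RedirectResponse a 302 back to approvals.php under the root URL
  *
  * @throws BadRequestException when the id parameter is missing
  */
 public function deleteApproval(Request $request, UserInfoInterface $userInfo)
 {
     $id = $request->getUrl()->getQueryParameter('id');
     // refuse to issue a delete for an absent id instead of handing null to
     // the storage layer
     if (null === $id || '' === $id) {
         throw new BadRequestException('invalid_request', 'the id parameter is missing');
     }

     $this->db->deleteApproval($id, $userInfo->getUserId());

     return new RedirectResponse($request->getUrl()->getRootUrl() . 'approvals.php', 302);
 }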
Пример #5
 /**
  * Delete a registered client and redirect the caller.
  *
  * No authorization check happens here; presumably the caller has already
  * established that the current user may delete clients — confirm at the
  * call site. The redirect target is used as given, so it should come from
  * the application, not from the request.
  *
  * @param string $id         the id of the client to delete
  * @param string $redirectTo the URL to redirect to afterwards
  *
  * @return RedirectResponse a 302 to $redirectTo
  */
 public function deleteClient($id, $redirectTo)
 {
     $this->db->deleteClient($id);
     $response = new RedirectResponse($redirectTo, 302);

     return $response;
 }