/**
  * @param \OAuth2\Client\ClientInterface $client Client
  *
  * @return int
  */
 protected function getLifetime(ClientInterface $client)
 {
     if ($client instanceof TokenLifetimeExtensionInterface && ($lifetime = $client->getTokenLifetime('refresh_token')) !== null) {
         return $lifetime;
     }
     return $this->getConfiguration()->get('refresh_token_lifetime', 1209600);
 }
 /**
  * {@inheritdoc}
  */
 protected function getLifetime(ClientInterface $client)
 {
     $lifetime = $this->getConfiguration()->get('auth_code_lifetime', 30);
     if ($client instanceof TokenLifetimeExtensionInterface && ($_lifetime = $client->getTokenLifetime('authcode')) !== null) {
         return $_lifetime;
     }
     return $lifetime;
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     foreach (['software_id', 'software_version', 'software_statement'] as $key) {
         if (array_key_exists($key, $registration_parameters)) {
             $client->set($key, $registration_parameters[$key]);
         }
     }
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client Client
  *
  * @return int
  */
 protected function getLifetime(ClientInterface $client)
 {
     $lifetime = $this->getAccessTokenLifetime();
     if (is_int($_lifetime = $client->getTokenLifetime('access_token'))) {
         return $_lifetime;
     }
     return $lifetime;
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client Client
  *
  * @return int
  */
 protected function getLifetime(ClientInterface $client)
 {
     $lifetime = $this->getConfiguration()->get('access_token_lifetime', 3600);
     if ($client instanceof TokenLifetimeExtensionInterface && is_int($_lifetime = $client->getTokenLifetime('access_token'))) {
         return $_lifetime;
     }
     return $lifetime;
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     if (!array_key_exists('request_uris', $registration_parameters)) {
         return;
     }
     Assertion::isArray($registration_parameters['request_uris'], 'The parameter "request_uris" must be a list of URI.');
     Assertion::allUrl($registration_parameters['request_uris'], 'The parameter "request_uris" must be a list of URI.');
     $client->set('request_uris', $registration_parameters['request_uris']);
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     if (!array_key_exists('sector_identifier_uri', $registration_parameters)) {
         return;
     }
     Assertion::url($registration_parameters['sector_identifier_uri'], sprintf('The sector identifier URI "%s" is not valid.', $registration_parameters['sector_identifier_uri']));
     $this->checkSectorIdentifierUri($registration_parameters['sector_identifier_uri']);
     $client->set('sector_identifier_uri', $registration_parameters['sector_identifier_uri']);
 }
 /**
  * {@inheritdoc}
  */
 public function checkRefreshToken(RefreshTokenInterface $token, ClientInterface $client)
 {
     if ($client->getPublicId() !== $token->getClientPublicId()) {
         throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Invalid refresh token');
     }
     if ($token->hasExpired()) {
         throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_GRANT, 'Refresh token has expired');
     }
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     $metadatas = [];
     foreach ($this->getSupportedParameters() as $parameter => $closure) {
         $metadatas = array_merge($metadatas, $this->getInternationalizedParameters($registration_parameters, $parameter, $closure));
     }
     foreach ($metadatas as $k => $v) {
         $client->set($k, $v);
     }
 }
 /**
  * {@inheritdoc}
  */
 public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
 {
     if ($client->isPublic()) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a confidential client');
     }
     $issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
     $grant_type_response->setResourceOwnerPublicId($client->getPublicId());
     $grant_type_response->setUserAccountPublicId(null);
     $grant_type_response->setRefreshTokenIssued($issue_refresh_token);
     $grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     if (!array_key_exists('id_token_encrypted_response_alg', $registration_parameters) || !array_key_exists('id_token_encrypted_response_enc', $registration_parameters)) {
         return;
     }
     Assertion::string($registration_parameters['id_token_encrypted_response_alg'], 'Invalid parameter "id_token_encrypted_response_alg". The value must be a string.');
     Assertion::string($registration_parameters['id_token_encrypted_response_enc'], 'Invalid parameter "id_token_encrypted_response_enc". The value must be a string.');
     Assertion::inArray($registration_parameters['id_token_encrypted_response_alg'], $this->getIdTokenManager()->getSupportedKeyEncryptionAlgorithms(), sprintf('The ID Token content encryption algorithm "%s" is not supported. Please choose one of the following algorithm: %s', $registration_parameters['id_token_encrypted_response_alg'], json_encode($this->getIdTokenManager()->getSupportedContentEncryptionAlgorithms())));
     Assertion::inArray($registration_parameters['id_token_encrypted_response_enc'], $this->getIdTokenManager()->getSupportedContentEncryptionAlgorithms(), sprintf('The ID Token key encryption algorithm "%s" is not supported. Please choose one of the following algorithm: %s', $registration_parameters['id_token_encrypted_response_enc'], json_encode($this->getIdTokenManager()->getSupportedKeyEncryptionAlgorithms())));
     $client->set('id_token_encrypted_response_alg', $registration_parameters['id_token_encrypted_response_alg']);
     $client->set('id_token_encrypted_response_enc', $registration_parameters['id_token_encrypted_response_enc']);
 }
 protected function addAuthCode($code, $expiresAt, ClientInterface $client, EndUserInterface $end_user, array $query_params, $redirectUri, array $scope = [], $issueRefreshToken = false)
 {
     $class = $this->getClass();
     /*
      * @var \SpomkyLabs\OAuth2ServerBundle\Plugin\AuthCodeGrantTypePlugin\Model\AuthCodeInterface
      */
     $authcode = new $class();
     $authcode->setRedirectUri($redirectUri)->setQueryParams($query_params)->setIssueRefreshToken($issueRefreshToken)->setToken($code)->setResourceOwnerPublicId($end_user->getPublicId())->setExpiresAt($expiresAt)->setClientPublicId($client->getPublicId())->setScope($scope);
     $this->getEntityManager()->persist($authcode);
     $this->getEntityManager()->flush();
     return $authcode;
 }
 public function createUsedRefreshToken(ClientInterface $client, ResourceOwnerInterface $resource_owner, $refresh_token)
 {
     $class = $this->getClass();
     $expired_date = (new \Datetime('now +1 year'))->format('U');
     $token = new $class();
     /*
      * @var $token \OAuth2\Token\RefreshTokenInterface
      */
     $token->setToken($refresh_token)->setExpiresAt($expired_date)->setResourceOwnerPublicId($resource_owner->getPublicId())->setClientPublicId($client->getPublicId())->setUsed(true);
     $this->getEntityManager()->persist($token);
     $this->getEntityManager()->flush();
     return $token;
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     if (!array_key_exists('subject_type', $registration_parameters)) {
         return;
     }
     Assertion::string($registration_parameters['subject_type'], 'Invalid parameter "subject_type". The value must be a string.');
     $supported_types = ['public'];
     if ($this->getUserinfo()->isPairwiseSubjectIdentifierSupported()) {
         $supported_types[] = 'pairwise';
     }
     Assertion::inArray($registration_parameters['subject_type'], $supported_types, sprintf('The subject type "%s" is not supported. Please use one of the following value: %s', $registration_parameters['subject_type'], json_encode($supported_types)));
     $client->set('subject_type', $registration_parameters['subject_type']);
 }
 /**
  * {@inheritdoc}
  */
 public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
 {
     if (!$client instanceof ConfidentialClientInterface) {
         throw $this->getExceptionManager()->getException(ExceptionManagerInterface::BAD_REQUEST, ExceptionManagerInterface::INVALID_CLIENT, 'The client is not a confidential client');
     }
     $issue_refresh_token = $this->getConfiguration()->get('issue_refresh_token_with_client_credentials_grant_type', false);
     $scope = RequestBody::getParameter($request, 'scope');
     $grant_type_response->setRequestedScope($scope);
     $grant_type_response->setAvailableScope(null);
     $grant_type_response->setResourceOwnerPublicId($client->getPublicId());
     $grant_type_response->setRefreshTokenIssued($issue_refresh_token);
     $grant_type_response->setRefreshTokenScope($scope);
     $grant_type_response->setRefreshTokenRevoked(null);
 }
 /**
  * {@inheritdoc}
  */
 public function introspectToken(TokenInterface $token, ClientInterface $client)
 {
     if (!$token instanceof AccessTokenInterface) {
         return [];
     }
     $result = ['active' => !$token->hasExpired(), 'client_id' => $token->getClientPublicId(), 'token_type' => $token->getTokenTypeParameter('token_type'), 'exp' => $token->getExpiresAt()];
     // If the client is the subject, we add this information.
     //
     // The subject is not added if the client is not a resource owner.
     // The reason is that if the client received an ID Token, the subject may have been computed (pairwise) and
     // the subject returned here may be different. As per the OpenID Connect specification, the client must reject the token
     // if subject are different and we want to avoid this case.
     if ($client->getPublicId() === $token->getResourceOwnerPublicId()) {
         $result['sub'] = $token->getResourceOwnerPublicId();
     }
     // If the client is a resource server, we return all the information stored in the access token including the metadata
     if ($client->has('is_resource_server') && true === $client->get('is_resource_server')) {
         $result['sub'] = $token->getResourceOwnerPublicId();
     }
     if (!empty($token->getScope())) {
         $result['scp'] = $token->getScope();
     }
     if ($token instanceof JWTAccessTokenInterface) {
         $result = array_merge($result, $this->getJWTInformation($token->getJWS()));
     }
     return $result;
 }
 /**
  * {@inheritdoc}
  */
 private function getLifetime(ClientInterface $client)
 {
     $lifetime = $this->getAuthorizationCodeLifetime();
     if (is_int($_lifetime = $client->getTokenLifetime('authcode'))) {
         return $_lifetime;
     }
     return $lifetime;
 }
 /**
  * {@inheritdoc}
  */
 public function check(ClientInterface $client, array $registration_parameters)
 {
     if (!$this->hasScopeManager()) {
         return;
     }
     if (array_key_exists('scope', $registration_parameters)) {
         Assertion::regex($registration_parameters['scope'], '/^[\\x20\\x23-\\x5B\\x5D-\\x7E]+$/', 'Invalid characters found in the "scope" parameter.');
         $client->set('scope', $registration_parameters['scope']);
     }
     if (array_key_exists('scope_policy', $registration_parameters)) {
         Assertion::inArray($registration_parameters['scope_policy'], $this->getScopeManager()->getSupportedScopePolicies(), sprintf('The scope policy "%s" is not supported. Please choose one of the following policy: "%s".', $registration_parameters['scope_policy'], json_encode($this->getScopeManager()->getSupportedScopePolicies())));
         $client->set('scope_policy', $registration_parameters['scope_policy']);
     }
     /*
      * Should be handled by the scope policy itself
      */
     if (array_key_exists('default_scope', $registration_parameters)) {
         Assertion::regex($registration_parameters['default_scope'], '/^[\\x20\\x23-\\x5B\\x5D-\\x7E]+$/', 'Invalid characters found in the "default_scope" parameter.');
         $client->set('default_scope', $registration_parameters['default_scope']);
     }
 }
 protected function addAccessToken($token, $expiresAt, ClientInterface $client, ResourceOwnerInterface $resourceOwner, array $scope = [], BaseRefreshTokenInterface $refresh_token = null)
 {
     if (null !== $this->event_dispatcher) {
         $this->event_dispatcher->dispatch(Events::OAUTH2_PRE_ACCESS_TOKEN_CREATION, new PreAccessTokenCreationEvent($client, $scope, $resourceOwner, $refresh_token));
     }
     $class = $this->getClass();
     /*
      * @var \SpomkyLabs\OAuth2ServerBundle\Plugin\SimpleStringAccessTokenPlugin\Model\SimpleStringAccessTokenInterface
      */
     $access_token = new $class();
     $access_token->setToken($token)->setExpiresAt($expiresAt)->setClientPublicId($client->getPublicId())->setScope($scope);
     if (null !== $resourceOwner) {
         $access_token->setResourceOwnerPublicId($resourceOwner->getPublicId());
     }
     if (null !== $refresh_token) {
         $access_token->setRefreshToken($refresh_token->getToken());
     }
     $this->getEntityManager()->persist($access_token);
     $this->getEntityManager()->flush();
     if (null !== $this->event_dispatcher) {
         $this->event_dispatcher->dispatch(Events::OAUTH2_POST_ACCESS_TOKEN_CREATION, new PostAccessTokenCreationEvent($access_token));
     }
     return $access_token;
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client
  * @param array                          $registration_parameters
  */
 private function checkResponseTypes(ClientInterface $client, array $registration_parameters)
 {
     Assertion::isArray($registration_parameters['response_types'], 'The parameter "response_types" must be an array of strings.');
     Assertion::allString($registration_parameters['response_types'], 'The parameter "grant_types" must be an array of strings.');
     foreach ($registration_parameters['response_types'] as $response_type) {
         $types = $this->getResponseTypeManager()->getResponseTypes($response_type);
         if (!in_array($response_type, $client->get('response_types'))) {
             $response_types = $client->get('response_types');
             $response_types[] = $response_type;
             $client->set('response_types', $response_types);
         }
         foreach ($types as $type) {
             $associated_grant_types = $type->getAssociatedGrantTypes();
             $diff = array_diff($associated_grant_types, $registration_parameters['grant_types']);
             Assertion::true(empty($diff), sprintf('The response type "%s" is associated with the grant types "%s" but this response type is missing.', $type->getResponseType(), json_encode($diff)));
             $client->set('grant_types', array_unique(array_merge($client->get('grant_types'), $associated_grant_types)));
         }
     }
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client
  * @param array                          $params
  *
  * @throws \OAuth2\Exception\BadRequestExceptionInterface
  */
 private function checkResponseTypeAllowedForTheClient(ClientInterface $client, array $params)
 {
     if (!$client->isResponseTypeAllowed($params['response_type'])) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_UNAUTHORIZED_CLIENT, 'The response type "' . $params['response_type'] . '" is unauthorized for this client.');
     }
 }
 /**
  * {@inheritdoc}
  */
 private function getDefaultScopesForClient(ClientInterface $client)
 {
     return $client->has('default_scope') && null !== $client->get('default_scope') ? $client->get('default_scope') : $this->getDefaultScopes();
 }
 /**
  * {@inheritdoc}
  */
 public function grantAccessToken(ServerRequestInterface $request, ClientInterface $client, GrantTypeResponseInterface &$grant_type_response)
 {
     if (false === $client->hasPublicKeySet()) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client is not a client with signature capabilities.');
     }
     $jwt = $grant_type_response->getAdditionalData('jwt');
     try {
         $this->getJWTLoader()->verify($jwt, $client->getPublicKeySet());
     } catch (\Exception $e) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_REQUEST, $e->getMessage());
     }
     $issue_refresh_token = $this->isRefreshTokenIssuedWithAccessToken();
     $grant_type_response->setResourceOwnerPublicId($client->getPublicId());
     $grant_type_response->setUserAccountPublicId(null);
     $grant_type_response->setRefreshTokenIssued($issue_refresh_token);
     $grant_type_response->setRefreshTokenScope($grant_type_response->getRequestedScope());
 }
 /**
  * @param \Psr\Http\Message\ServerRequestInterface $request
  * @param \Psr\Http\Message\ResponseInterface      $response
  * @param \OAuth2\Client\ClientInterface           $client
  */
 private function handlePut(ServerRequestInterface $request, ResponseInterface &$response, ClientInterface $client)
 {
     $request_parameters = RequestBody::getParameters($request);
     $this->checkPreservedParameters($request_parameters);
     $this->checkSoftwareStatement($request_parameters);
     $client_data = $client->all();
     foreach (['registration_access_token', 'registration_client_uri', 'client_secret_expires_at', 'client_id_issued_at'] as $k) {
         if (array_key_exists($k, $client_data)) {
             unset($client_data[$k]);
         }
     }
     $diff_data = array_diff_key($client_data, $request_parameters);
     Assertion::true(empty($diff_data), 'The request must include all client metadata fields.');
     Assertion::eq($request_parameters['client_id'], $client->getPublicId(), 'Inconsistent "client_id" parameter.');
     unset($request_parameters['client_id']);
     $request_parameters = array_merge($request_parameters, ['registration_access_token' => null, 'registration_client_uri' => null, 'client_secret_expires_at' => null]);
     foreach ($request_parameters as $k => $v) {
         if (empty($v)) {
             $client->remove($k);
             unset($request_parameters[$k]);
         }
     }
     $this->getClientRuleManager()->processParametersForClient($client, $request_parameters);
     $this->getClientManager()->saveClient($client);
     $this->processResponseWithClient($response, $client);
 }
 /**
  * @param \OAuth2\Token\AccessTokenInterface|\OAuth2\Token\RefreshTokenInterface $token
  * @param \OAuth2\Client\ClientInterface|null                                    $client
  *
  * @return bool
  */
 private function isClientVerified($token, ClientInterface $client = null)
 {
     if (null !== $client) {
         // The client ID of the token is the same as client authenticated
         return $token->getClientPublicId() === $client->getPublicId();
     } else {
         // We try to get the client
         $client = $this->getClientManagerSupervisor()->getClient($token->getClientPublicId());
         // Return false if the client is a confidential client (confidential client must be authenticated)
         return !$client instanceof ConfidentialClientInterface;
     }
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client
  *
  * @return bool
  */
 private function issueRefreshToken(ClientInterface $client)
 {
     if (!$this->isRefreshTokenIssuanceAllowed()) {
         return false;
     }
     if (true === $client->isPublic()) {
         return $this->isRefreshTokenIssuanceForPublicClientsAllowed();
     }
     return true;
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client
  *
  * @throws \OAuth2\Exception\BadRequestExceptionInterface
  *
  * @return string[]
  */
 private function getClientRequestUris(ClientInterface $client)
 {
     if (false === $client->has('request_uris') || empty($request_uris = $client->get('request_uris'))) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_INVALID_CLIENT, 'The client must register at least one request Uri.');
     }
     return $request_uris;
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client Client
  *
  * @return int
  */
 private function getLifetime(ClientInterface $client)
 {
     $lifetime = $this->getIdTokenLifetime();
     if (is_int($_lifetime = $client->getTokenLifetime('id_token'))) {
         return $_lifetime;
     }
     return $lifetime;
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client
  * @param string                         $grant_type
  *
  * @throws \OAuth2\Exception\BaseExceptionInterface
  */
 private function checkGrantType(ClientInterface $client, $grant_type)
 {
     if (!$client->isGrantTypeAllowed($grant_type)) {
         throw $this->getExceptionManager()->getBadRequestException(ExceptionManagerInterface::ERROR_UNAUTHORIZED_CLIENT, sprintf('The grant type "%s" is unauthorized for this client.', $grant_type));
     }
 }
 /**
  * @param \OAuth2\Client\ClientInterface $client Client
  *
  * @return int
  */
 private function getLifetime(ClientInterface $client)
 {
     if (is_int($lifetime = $client->getTokenLifetime('refresh_token'))) {
         return $lifetime;
     }
     return $this->getRefreshTokenLifetime();
 }